wao 0.27.4 → 0.28.0

package/cjs/collect-body-keys.js

@@ -60,6 +60,40 @@ var getValueByPath = function getValueByPath(obj, path) {
   }
   return value;
 };
+var canArrayBeInHeader = function canArrayBeInHeader(array) {
+  // Empty arrays can be in headers
+  if (array.length === 0) return true;
+
+  // Arrays with objects must go to body
+  if (array.some(function (item) {
+    return (0, _encodeUtils.isPojo)(item);
+  })) return false;
+
+  // Arrays with binary data must go to body
+  if (array.some(function (item) {
+    return (0, _encodeUtils.isBytes)(item) && item.length > 0;
+  })) return false;
+
+  // Arrays with non-ASCII strings must go to body
+  if (array.some(function (item) {
+    return typeof item === "string" && (0, _encodeUtils.hasNonAscii)(item);
+  })) return false;
+
+  // Arrays with nested arrays must go to body (to match original behavior)
+  if (array.some(function (item) {
+    return Array.isArray(item);
+  })) return false;
+
+  // Arrays with nested arrays that have objects must go to body
+  if (array.some(function (item) {
+    return Array.isArray(item) && item.some(function (subItem) {
+      return (0, _encodeUtils.isPojo)(subItem);
+    });
+  })) return false;
+
+  // Simple arrays of primitives can stay in headers
+  return true;
+};
 
 // Array analysis helper
 var analyzeArray = function analyzeArray(array) {
@@ -140,7 +174,10 @@ var BodyKeyCollector = /*#__PURE__*/function () {
         if (this.isSpecialDataBodyField(key, value, objKeys)) {
           this.keys.push(key);
         } else if (Array.isArray(value) && value.length > 0) {
-          this.processRootArray(key, value);
+          // Check if array can stay in header
+          if (!canArrayBeInHeader(value)) {
+            this.processRootArray(key, value);
+          }
         } else if ((0, _encodeUtils.isPojo)(value)) {
           this.processRootNestedObject(key, value);
         } else if (this.needsBodyKey(key, value)) {
@@ -329,7 +366,10 @@ var BodyKeyCollector = /*#__PURE__*/function () {
             this.processArrayInTraversal(value, fullPath, nestedPaths, analysis);
             if (analysis.hasNonObjects) {
               hasSimpleFields = true;
-              this.keys.push(fullPath);
+              // Only add to keys if array can't be in header
+              if (!canArrayBeInHeader(value)) {
+                this.keys.push(fullPath);
+              }
             }
           } else {
             hasSimpleFields = true;

package/cjs/encode.js

@@ -365,32 +365,34 @@ function handleSingleBodyKeyOptimization(_x5, _x6, _x7, _x8) {
 } // Step 11: Sort body keys
 function _handleSingleBodyKeyOptimization() {
   _handleSingleBodyKeyOptimization = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime().mark(function _callee5(obj, bodyKeys, headers, headerTypes) {
-    var singleKey, value, otherFieldsAreEmpty, bodyBuffer, bodyArrayBuffer, contentDigest, base64;
+    var singleKey, value, contentToHash, bodyContent, bodyBuffer, encoder, encoded, contentDigest, base64;
     return _regeneratorRuntime().wrap(function _callee5$(_context5) {
       while (1) switch (_context5.prev = _context5.next) {
         case 0:
           if (!(bodyKeys.length === 1)) {
-            _context5.next = 15;
+            _context5.next = 14;
             break;
           }
           singleKey = bodyKeys[0];
-          value = (0, _encodeUtils.getValueByPath)(obj, singleKey);
-          otherFieldsAreEmpty = Object.entries(obj).every(function (_ref11) {
-            var _ref12 = _slicedToArray(_ref11, 2),
-              key = _ref12[0],
-              val = _ref12[1];
-            if (key === singleKey) return true;
-            return (0, _encodeUtils.isEmpty)(val);
-          });
-          if (!(otherFieldsAreEmpty && (0, _encodeUtils.isBytes)(value) && value.length > 0)) {
-            _context5.next = 15;
+          value = (0, _encodeUtils.getValueByPath)(obj, singleKey); // Apply optimization for binary data OR strings with newlines
+          if (!((0, _encodeUtils.isBytes)(value) && value.length > 0 || typeof value === "string" && value.includes("\n"))) {
+            _context5.next = 14;
             break;
           }
-          bodyBuffer = (0, _encodeUtils.toBuffer)(value);
-          bodyArrayBuffer = bodyBuffer.buffer.slice(bodyBuffer.byteOffset, bodyBuffer.byteOffset + bodyBuffer.byteLength);
-          _context5.next = 9;
-          return (0, _encodeUtils.sha256)(bodyArrayBuffer);
-        case 9:
+          bodyContent = value;
+          if ((0, _encodeUtils.isBytes)(value)) {
+            bodyBuffer = (0, _encodeUtils.toBuffer)(value);
+            contentToHash = bodyBuffer.buffer.slice(bodyBuffer.byteOffset, bodyBuffer.byteOffset + bodyBuffer.byteLength);
+          } else {
+            // For strings, encode to UTF-8 for hashing
+            encoder = new TextEncoder();
+            encoded = encoder.encode(value);
+            contentToHash = encoded.buffer;
+            bodyContent = value;
+          }
+          _context5.next = 8;
+          return (0, _encodeUtils.sha256)(contentToHash);
+        case 8:
           contentDigest = _context5.sent;
           base64 = _base64url["default"].toBase64(_base64url["default"].encode(contentDigest));
           headers["content-digest"] = "sha-256=:".concat(base64, ":");
@@ -402,11 +404,11 @@ function _handleSingleBodyKeyOptimization() {
           }
           return _context5.abrupt("return", {
             headers: headers,
-            body: value
+            body: bodyContent
           });
-        case 15:
+        case 14:
           return _context5.abrupt("return", null);
-        case 16:
+        case 15:
         case "end":
           return _context5.stop();
       }
@@ -782,13 +784,10 @@ function processObjectFields(value, bodyKey, sortedBodyKeys) {
 function createObjectBodyPart(bodyKey, value, allTypes, fieldLines, binaryFields, headers, sortedBodyKeys) {
   var isInline = bodyKey === "body" && headers["inline-body-key"] === "body";
   var lines = [];
-  if (isInline) {
-    lines.push("content-disposition: inline");
-  } else {
-    lines.push("content-disposition: form-data;name=\"".concat(bodyKey, "\""));
-  }
   if (isInline) {
     var orderedLines = [];
+
+    // For inline mode: fields first, then headers
     var _iterator3 = _createForOfIteratorHelper(fieldLines),
       _step3;
     try {
@@ -821,7 +820,9 @@ function createObjectBodyPart(bodyKey, value, allTypes, fieldLines, binaryFields
     });
     if (binaryFieldsForInline.length > 0) {
       var parts = [];
+      // Join all text lines first
       parts.push(Buffer.from(orderedLines.join("\r\n")));
+      // Then add binary fields
       var _iterator4 = _createForOfIteratorHelper(binaryFieldsForInline),
         _step4;
       try {
@@ -841,17 +842,10 @@ function createObjectBodyPart(bodyKey, value, allTypes, fieldLines, binaryFields
       var fullBody = Buffer.concat(parts);
       return new Blob([fullBody]);
     } else {
-      var isLastBodyPart = sortedBodyKeys.indexOf(bodyKey) === sortedBodyKeys.length - 1;
-      var hasOnlyTypes = allTypes.length > 0 && fieldLines.length === 0;
-      if (isLastBodyPart && hasOnlyTypes) {
-        return new Blob([orderedLines.join("\r\n")]);
-      } else if (fieldLines.length === 0) {
-        return new Blob([orderedLines.join("\r\n")]);
-      } else {
-        return new Blob([orderedLines.join("\r\n") + "\r\n"]);
-      }
+      return new Blob([orderedLines.join("\r\n") + "\r\n"]);
     }
   } else {
+    // Non-inline mode remains the same
     var _orderedLines3 = [];
     if (allTypes.length > 0) {
       _orderedLines3.push("ao-types: ".concat(allTypes.sort().join(", ")));
@@ -1189,6 +1183,7 @@ function _encode() {
       singleBodyKeyResult,
       sortedBodyKeys,
       hasSpecialDataBody,
+      bodyValue,
       bodyParts,
       boundary,
       body,
@@ -1284,12 +1279,17 @@ function _encode() {
         case 41:
           // Step 11: Sort body keys
           sortedBodyKeys = sortBodyKeys(bodyKeys); // Step 12: Check for special data/body case
-          hasSpecialDataBody = checkSpecialDataBodyCase(obj, sortedBodyKeys);
-          headers["body-keys"] = sortedBodyKeys.map(function (k) {
-            return "\"".concat(k, "\"");
-          }).join(", ");
-          if (!hasSpecialDataBody) {
-            if (sortedBodyKeys.includes("body") && sortedBodyKeys.length === 1) {
+          hasSpecialDataBody = checkSpecialDataBodyCase(obj, sortedBodyKeys); // Only add body-keys header if there are actual body keys
+          if (sortedBodyKeys.length > 0) {
+            headers["body-keys"] = sortedBodyKeys.map(function (k) {
+              return "\"".concat(k, "\"");
+            }).join(", ");
+          }
+
+          // Special case: single body key named "body" containing an object
+          if (!hasSpecialDataBody && sortedBodyKeys.length === 1 && sortedBodyKeys[0] === "body") {
+            bodyValue = obj.body;
+            if ((0, _encodeUtils.isPojo)(bodyValue)) {
               headers["inline-body-key"] = "body";
             }
           }
@@ -1298,16 +1298,25 @@ function _encode() {
           }
 
           // Step 13: Build body parts for each body key
-          bodyParts = buildBodyParts(obj, sortedBodyKeys, headers, hasSpecialDataBody); // Step 14: Generate multipart boundary
-          _context8.next = 49;
-          return generateBoundary(bodyParts);
+          bodyParts = buildBodyParts(obj, sortedBodyKeys, headers, hasSpecialDataBody); // If no body parts were created, return headers only
+          if (!(bodyParts.length === 0)) {
+            _context8.next = 49;
+            break;
+          }
+          return _context8.abrupt("return", {
+            headers: headers,
+            body: undefined
+          });
         case 49:
+          _context8.next = 51;
+          return generateBoundary(bodyParts);
+        case 51:
           boundary = _context8.sent;
           // Step 15: Assemble final multipart body
           body = assembleMultipartBody(bodyParts, boundary); // Step 16: Calculate content digest
-          _context8.next = 53;
+          _context8.next = 55;
           return calculateContentDigest(body);
-        case 53:
+        case 55:
           _yield$calculateConte = _context8.sent;
           contentDigest = _yield$calculateConte.digest;
           byteLength = _yield$calculateConte.byteLength;
@@ -1319,7 +1328,7 @@ function _encode() {
             headers: headers,
             body: body
           });
-        case 58:
+        case 60:
         case "end":
           return _context8.stop();
       }

package/cjs/id.js

@@ -0,0 +1,234 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.extractCommitmentIds = extractCommitmentIds;
+exports.generateCommitmentId = generateCommitmentId;
+exports.generateHmacCommitmentId = generateHmacCommitmentId;
+exports.generateRsaCommitmentId = generateRsaCommitmentId;
+exports.parseStructuredFieldDictionary = parseStructuredFieldDictionary;
+exports.verifyCommitmentId = verifyCommitmentId;
+var _fastSha = require("fast-sha256");
+function _toConsumableArray(r) { return _arrayWithoutHoles(r) || _iterableToArray(r) || _unsupportedIterableToArray(r) || _nonIterableSpread(); }
+function _nonIterableSpread() { throw new TypeError("Invalid attempt to spread non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
+function _iterableToArray(r) { if ("undefined" != typeof Symbol && null != r[Symbol.iterator] || null != r["@@iterator"]) return Array.from(r); }
+function _arrayWithoutHoles(r) { if (Array.isArray(r)) return _arrayLikeToArray(r); }
+function _slicedToArray(r, e) { return _arrayWithHoles(r) || _iterableToArrayLimit(r, e) || _unsupportedIterableToArray(r, e) || _nonIterableRest(); }
+function _nonIterableRest() { throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
+function _unsupportedIterableToArray(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray(r, a) : void 0; } }
+function _arrayLikeToArray(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
+function _iterableToArrayLimit(r, l) { var t = null == r ? null : "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (null != t) { var e, n, i, u, a = [], f = !0, o = !1; try { if (i = (t = t.call(r)).next, 0 === l) { if (Object(t) !== t) return; f = !1; } else for (; !(f = (e = i.call(t)).done) && (a.push(e.value), a.length !== l); f = !0); } catch (r) { o = !0, n = r; } finally { try { if (!f && null != t["return"] && (u = t["return"](), Object(u) !== u)) return; } finally { if (o) throw n; } } return a; } }
+function _arrayWithHoles(r) { if (Array.isArray(r)) return r; }
+/**
+ * Parse structured field dictionary format
+ * Handles both complex format: name=(components);params
+ * and simple format: name=:value:
+ */
+function parseStructuredFieldDictionary(input) {
+  // Try complex format first
+  var match = input.match(/([^=]+)=\((.*?)\);(.*)$/);
+  if (match) {
+    var name = match[1];
+    var components = match[2].split(" ");
+    var params = {};
+    var paramPairs = match[3].split(";").filter(function (p) {
+      return p;
+    });
+    paramPairs.forEach(function (pair) {
+      var _pair$split = pair.split("="),
+        _pair$split2 = _slicedToArray(_pair$split, 2),
+        key = _pair$split2[0],
+        value = _pair$split2[1];
+      if (key && value) {
+        params[key] = value.replace(/"/g, "");
+      }
+    });
+    return {
+      name: name,
+      components: components,
+      params: params
+    };
+  }
+
+  // Try simple format
+  var simpleMatch = input.match(/([^=]+)=:([^:]+):/);
+  if (simpleMatch) {
+    return {
+      name: simpleMatch[1],
+      value: simpleMatch[2]
+    };
+  }
+  return null;
+}
+
+/**
+ * Convert base64url string to base64
+ */
+function base64urlToBase64(str) {
+  return str.replace(/-/g, "+").replace(/_/g, "/");
+}
+
+/**
+ * Convert Uint8Array to base64url string
+ */
+function uint8ArrayToBase64url(bytes) {
+  // Convert to base64
+  var binary = "";
+  for (var i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  var base64 = btoa(binary);
+
+  // Convert to base64url
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+/**
+ * Generate commitment ID for RSA-PSS and ECDSA signatures
+ * The ID is the SHA256 hash of the raw signature bytes
+ *
+ * @param {Object} commitment - The commitment object containing signature
+ * @returns {string} The commitment ID in base64url format
+ */
+function generateRsaCommitmentId(commitment) {
+  // Extract the base64 signature from structured field format
+  // Format: "signature-name=:BASE64_SIGNATURE:"
+  var match = commitment.signature.match(/^[^=]+=:([^:]+):/);
+  if (!match) {
+    throw new Error("Invalid signature format");
+  }
+  var signatureBase64 = match[1];
+  // Convert base64 to Uint8Array
+  var signatureBinary = Uint8Array.from(atob(signatureBase64), function (c) {
+    return c.charCodeAt(0);
+  });
+
+  // SHA256 hash of the raw signature
+  var hashResult = (0, _fastSha.hash)(signatureBinary);
+  var id = uint8ArrayToBase64url(hashResult);
+  return id;
+}
+
+/**
+ * Generate HMAC commitment ID for HyperBEAM messages
+ * The ID is deterministic based on message content only
+ *
+ * The Erlang implementation sorts components WITH @ prefix included,
+ * then removes @ from derived components in the signature base.
+ *
+ * @param {Object} message - The message with signature and signature-input
+ * @returns {string} The commitment ID in base64url format
+ */
+function generateHmacCommitmentId(message) {
+  // Parse signature-input to get components
+  var parsed = parseStructuredFieldDictionary(message["signature-input"]);
+  if (!parsed || !parsed.components) {
+    throw new Error("Failed to parse signature-input");
+  }
+
+  // Sort components AS-IS (with quotes and @ prefix)
+  var sortedComponents = _toConsumableArray(parsed.components).sort();
+
+  // Build signature base in sorted order
+  var lines = [];
+  sortedComponents.forEach(function (component) {
+    var cleanComponent = component.replace(/"/g, "");
+    var fieldName = cleanComponent;
+    var value;
+
+    // For derived components (starting with @), remove @ in the signature base
+    if (cleanComponent.startsWith("@")) {
+      fieldName = cleanComponent.substring(1);
+      value = message[fieldName];
+    } else {
+      value = message[cleanComponent];
+    }
+    if (value === undefined || value === null) {
+      value = "";
+    } else if (typeof value === "number") {
+      value = value.toString();
+    }
+    lines.push("\"".concat(fieldName, "\": ").concat(value));
+  });
+
+  // Add signature-params line with sorted components (keeping @ prefix)
+  var paramsComponents = sortedComponents.join(" ");
+  lines.push("\"@signature-params\": (".concat(paramsComponents, ");alg=\"hmac-sha256\";keyid=\"ao\""));
+  var signatureBase = lines.join("\n");
+
+  // Generate HMAC with key "ao"
+  // Convert string to Uint8Array
+  var messageBytes = new TextEncoder().encode(signatureBase);
+  var keyBytes = new TextEncoder().encode("ao");
+  var hmacResult = (0, _fastSha.hmac)(keyBytes, messageBytes);
+  return uint8ArrayToBase64url(hmacResult);
+}
+
+/**
+ * Generate commitment ID based on the algorithm type
+ *
+ * @param {Object} commitment - The commitment object containing alg, signature, etc.
+ * @param {Object} fullMessage - The full message (required for HMAC)
+ * @returns {string} The commitment ID in base64url format
+ */
+function generateCommitmentId(commitment) {
+  var fullMessage = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : null;
+  switch (commitment.alg) {
+    case "rsa-pss-sha512":
+    case "ecdsa-p256-sha256":
+      return generateRsaCommitmentId(commitment);
+    case "hmac-sha256":
+      if (!fullMessage) {
+        throw new Error("HMAC commitment IDs require full message context");
+      }
+      return generateHmacCommitmentId(fullMessage);
+    default:
+      throw new Error("Unsupported algorithm: ".concat(commitment.alg));
+  }
+}
+
+/**
+ * Extract all commitment IDs from a HyperBEAM message
+ *
+ * @param {Object} message - The message with commitments
+ * @returns {Object} Map of commitment IDs to their types
+ */
+function extractCommitmentIds(message) {
+  var ids = {};
+  if (!message.commitments) {
+    return ids;
+  }
+  for (var _i = 0, _Object$entries = Object.entries(message.commitments); _i < _Object$entries.length; _i++) {
+    var _Object$entries$_i = _slicedToArray(_Object$entries[_i], 2),
+      id = _Object$entries$_i[0],
+      commitment = _Object$entries$_i[1];
+    ids[id] = {
+      alg: commitment.alg,
+      committer: commitment.committer,
+      device: commitment["commitment-device"]
+    };
+  }
+  return ids;
+}
+
+/**
+ * Verify a commitment ID matches the expected value
+ *
+ * @param {Object} commitment - The commitment object
+ * @param {string} expectedId - The expected commitment ID
+ * @param {Object} fullMessage - The full message (required for HMAC)
+ * @returns {boolean} True if the ID matches
+ */
+function verifyCommitmentId(commitment, expectedId) {
+  var fullMessage = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : null;
+  try {
+    var calculatedId = generateCommitmentId(commitment, fullMessage);
+    return calculatedId === expectedId;
+  } catch (error) {
+    console.error("Error verifying commitment ID:", error);
+    return false;
+  }
+}
+
+// Export all functions

package/cjs/send.js

@@ -46,6 +46,8 @@ function _send() {
       while (1) switch (_context2.prev = _context2.next) {
         case 0:
           fetchImpl = _args2.length > 1 && _args2[1] !== undefined ? _args2[1] : fetch;
+          // IMPORTANT: Use the URL from signedMsg.url, NOT from any path header
+          // This ensures we send to the correct URL even if path header is different
           fetchOptions = {
             method: signedMsg.method,
             headers: signedMsg.headers,
@@ -54,6 +56,8 @@ function _send() {
           if (signedMsg.body !== undefined && signedMsg.method !== "GET" && signedMsg.method !== "HEAD") {
             fetchOptions.body = signedMsg.body;
           }
+
+          // Use the URL as provided, ignoring any path header
           _context2.next = 5;
           return fetchImpl(signedMsg.url, fetchOptions);
         case 5:

package/cjs/signer-utils.js

@@ -4,6 +4,7 @@ function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" ==
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
+exports.extractPublicKeyFromHeaders = extractPublicKeyFromHeaders;
 exports.send = send;
 exports.toHttpSigner = void 0;
 exports.verify = verify;

package/cjs/signer.js

@@ -30,7 +30,9 @@ var joinUrl = function joinUrl(_ref) {
   if (path.startsWith("http://") || path.startsWith("https://")) {
     return path;
   }
-  return url.endsWith("/") ? url.slice(0, -1) + path : url + path;
+  // Ensure path starts with /
+  var normalizedPath = path.startsWith("/") ? path : "/" + path;
+  return url.endsWith("/") ? url.slice(0, -1) + normalizedPath : url + normalizedPath;
 };
 function signer(config) {
   var signer = config.signer,
@@ -41,15 +43,46 @@ function signer(config) {
   }
   return /*#__PURE__*/function () {
     var _sign = _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime().mark(function _callee(fields) {
-      var _fields$path, path, _fields$method, method, restFields, aoFields, encoded, headersObj, body, _url, bodySize, lowercaseHeaders, _i, _Object$entries, _Object$entries$_i, key, value, signingFields, signedRequest, finalHeaders, _i2, _Object$entries2, _Object$entries2$_i, _key, _value, result;
+      var _ref2,
+        _ref2$path,
+        _path,
+        _fields$path,
+        path,
+        _fields$method,
+        method,
+        restFields,
+        aoFields,
+        encoded,
+        headersObj,
+        body,
+        _url,
+        bodySize,
+        lowercaseHeaders,
+        _i,
+        _Object$entries,
+        _Object$entries$_i,
+        key,
+        value,
+        bodyKeys,
+        signingFields,
+        signedRequest,
+        finalHeaders,
+        _i2,
+        _Object$entries2,
+        _Object$entries2$_i,
+        _key,
+        _value,
+        result,
+        _args = arguments;
       return _regeneratorRuntime().wrap(function _callee$(_context) {
         while (1) switch (_context.prev = _context.next) {
           case 0:
+            _ref2 = _args.length > 1 && _args[1] !== undefined ? _args[1] : {}, _ref2$path = _ref2.path, _path = _ref2$path === void 0 ? false : _ref2$path;
             _fields$path = fields.path, path = _fields$path === void 0 ? "/relay/process" : _fields$path, _fields$method = fields.method, method = _fields$method === void 0 ? "POST" : _fields$method, restFields = _objectWithoutProperties(fields, _excluded);
             aoFields = _objectSpread({}, restFields);
-            _context.next = 4;
+            _context.next = 5;
             return (0, _encode.enc)(aoFields);
-          case 4:
+          case 5:
             encoded = _context.sent;
             headersObj = encoded ? encoded.headers : {};
             body = encoded ? encoded.body : undefined;
@@ -57,6 +90,7 @@ function signer(config) {
               url: url,
               path: path
             });
+            headersObj["path"] = path;
             if (body && !headersObj["content-length"]) {
               bodySize = body.size || body.byteLength || 0;
               if (bodySize > 0) {
@@ -68,14 +102,27 @@ function signer(config) {
               _Object$entries$_i = _slicedToArray(_Object$entries[_i], 2), key = _Object$entries$_i[0], value = _Object$entries$_i[1];
               lowercaseHeaders[key.toLowerCase()] = value;
             }
+            if (lowercaseHeaders.path && /^\//.test(lowercaseHeaders.path)) {
+              //const sp = lowercaseHeaders.path.split("/")
+              //lowercaseHeaders.path = sp.slice(sp.length - 1).join("/")
+            }
+            // Parse body-keys if present
+            bodyKeys = headersObj["body-keys"] ? headersObj["body-keys"].replace(/"/g, "").split(",").map(function (k) {
+              return k.trim();
+            }) : []; // Collect fields to sign from headers
             signingFields = Object.keys(lowercaseHeaders).filter(function (key) {
-              return key !== "body-keys";
-            });
+              return key !== "body-keys" && key !== "path" && !bodyKeys.includes(key);
+            } // Also exclude fields that are in body-keys
+            ); // Always include @path in the signature
+            //if (!signingFields.includes("path")) signingFields.push("path")
+
+            if (_path) signingFields.push("path");
+            // Ensure we have at least one field to sign
             if (signingFields.length === 0 && !body) {
               lowercaseHeaders["content-length"] = "0";
               signingFields.push("content-length");
             }
-            _context.next = 15;
+            _context.next = 20;
             return (0, _send.toHttpSigner)(signer)({
               request: {
                 url: _url,
@@ -84,7 +131,7 @@ function signer(config) {
               },
               fields: signingFields
             });
-          case 15:
+          case 20:
             signedRequest = _context.sent;
             finalHeaders = {};
             for (_i2 = 0, _Object$entries2 = Object.entries(headersObj); _i2 < _Object$entries2.length; _i2++) {
@@ -103,7 +150,7 @@ function signer(config) {
             };
             if (body) result.body = body;
             return _context.abrupt("return", result);
-          case 24:
+          case 29:
           case "end":
             return _context.stop();
         }
@@ -114,4 +161,6 @@ function signer(config) {
     }
     return sign;
   }();
-}
+}
+
+// stack / simple-pay / patch / hyperbeam / hyperbeam-aos / scheduler / cron

package/cjs/utils.js

@@ -3,16 +3,30 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.isData = exports.isCheckComplete = exports.getTagVal = exports.getTag = exports.dirname = exports.checkTag = exports.buildTags = exports.allChecked = exports.action = void 0;
+exports.getTagVal = exports.getTag = exports.dirname = exports.checkTag = exports.buildTags = exports.allChecked = exports.action = void 0;
+Object.defineProperty(exports, "hmacid", {
+  enumerable: true,
+  get: function get() {
+    return _id.generateHmacCommitmentId;
+  }
+});
+exports.isData = exports.isCheckComplete = void 0;
 exports.isJSON = isJSON;
 exports.optServer = exports.optAO = exports.mergeOut = exports.mergeChecks = exports.ltags = exports.jsonToStr = exports.isRegExp = exports.isOutComplete = exports.isLocalhost = void 0;
 exports.parseSignatureInput = parseSignatureInput;
+Object.defineProperty(exports, "rsaid", {
+  enumerable: true,
+  get: function get() {
+    return _id.generateRsaCommitmentId;
+  }
+});
 exports.tags = exports.tagEq = exports.tag = exports.srcs = exports.searchTag = void 0;
 exports.toANS104Request = toANS104Request;
 exports.toAddr = toAddr;
 exports.wait = exports.validAddress = exports.udl = exports.toGraphObj = void 0;
 var _graphql = require("graphql");
 var _fastSha = _interopRequireDefault(require("fast-sha256"));
+var _id = require("./id.js");
 var _ramda = require("ramda");
 function _interopRequireDefault(e) { return e && e.__esModule ? e : { "default": e }; }
 function _slicedToArray(r, e) { return _arrayWithHoles(r) || _iterableToArrayLimit(r, e) || _unsupportedIterableToArray(r, e) || _nonIterableRest(); }

package/esm/collect-body-keys.js

@@ -49,6 +49,35 @@ const getValueByPath = (obj, path) => {
   return value
 }
 
+const canArrayBeInHeader = array => {
+  // Empty arrays can be in headers
+  if (array.length === 0) return true
+
+  // Arrays with objects must go to body
+  if (array.some(item => isPojo(item))) return false
+
+  // Arrays with binary data must go to body
+  if (array.some(item => isBytes(item) && item.length > 0)) return false
+
+  // Arrays with non-ASCII strings must go to body
+  if (array.some(item => typeof item === "string" && hasNonAscii(item)))
+    return false
+
+  // Arrays with nested arrays must go to body (to match original behavior)
+  if (array.some(item => Array.isArray(item))) return false
+
+  // Arrays with nested arrays that have objects must go to body
+  if (
+    array.some(
+      item => Array.isArray(item) && item.some(subItem => isPojo(subItem))
+    )
+  )
+    return false
+
+  // Simple arrays of primitives can stay in headers
+  return true
+}
+
 // Array analysis helper
 const analyzeArray = array => {
   const analysis = {
@@ -115,7 +144,10 @@ class BodyKeyCollector {
       if (this.isSpecialDataBodyField(key, value, objKeys)) {
         this.keys.push(key)
       } else if (Array.isArray(value) && value.length > 0) {
-        this.processRootArray(key, value)
+        // Check if array can stay in header
+        if (!canArrayBeInHeader(value)) {
+          this.processRootArray(key, value)
+        }
       } else if (isPojo(value)) {
         this.processRootNestedObject(key, value)
       } else if (this.needsBodyKey(key, value)) {
@@ -302,7 +334,10 @@ class BodyKeyCollector {
 
           if (analysis.hasNonObjects) {
             hasSimpleFields = true
-            this.keys.push(fullPath)
+            // Only add to keys if array can't be in header
+            if (!canArrayBeInHeader(value)) {
+              this.keys.push(fullPath)
+            }
           }
         } else {
           hasSimpleFields = true

package/esm/encode.js

@@ -293,19 +293,29 @@ async function handleSingleBodyKeyOptimization(
     const singleKey = bodyKeys[0]
     const value = getValueByPath(obj, singleKey)
 
-    const otherFieldsAreEmpty = Object.entries(obj).every(([key, val]) => {
-      if (key === singleKey) return true
-      return isEmpty(val)
-    })
-
-    if (otherFieldsAreEmpty && isBytes(value) && value.length > 0) {
-      const bodyBuffer = toBuffer(value)
-      const bodyArrayBuffer = bodyBuffer.buffer.slice(
-        bodyBuffer.byteOffset,
-        bodyBuffer.byteOffset + bodyBuffer.byteLength
-      )
+    // Apply optimization for binary data OR strings with newlines
+    if (
+      (isBytes(value) && value.length > 0) ||
+      (typeof value === "string" && value.includes("\n"))
+    ) {
+      let contentToHash
+      let bodyContent = value
+
+      if (isBytes(value)) {
+        const bodyBuffer = toBuffer(value)
+        contentToHash = bodyBuffer.buffer.slice(
+          bodyBuffer.byteOffset,
+          bodyBuffer.byteOffset + bodyBuffer.byteLength
+        )
+      } else {
+        // For strings, encode to UTF-8 for hashing
+        const encoder = new TextEncoder()
+        const encoded = encoder.encode(value)
+        contentToHash = encoded.buffer
+        bodyContent = value
+      }
 
-      const contentDigest = await sha256(bodyArrayBuffer)
+      const contentDigest = await sha256(contentToHash)
       const base64 = base64url.toBase64(base64url.encode(contentDigest))
       headers["content-digest"] = `sha-256=:${base64}:`
 
@@ -317,7 +327,7 @@ async function handleSingleBodyKeyOptimization(
         headers["ao-types"] = headerTypes.sort().join(", ")
       }
 
-      return { headers, body: value }
+      return { headers, body: bodyContent }
     }
   }
 
@@ -736,17 +746,14 @@ function createObjectBodyPart(
   const isInline = bodyKey === "body" && headers["inline-body-key"] === "body"
   const lines = []
 
-  if (isInline) {
-    lines.push(`content-disposition: inline`)
-  } else {
-    lines.push(`content-disposition: form-data;name="${bodyKey}"`)
-  }
-
   if (isInline) {
     const orderedLines = []
+
+    // For inline mode: fields first, then headers
     for (const line of fieldLines) {
       orderedLines.push(line)
     }
+
     if (allTypes.length > 0) {
       orderedLines.push(`ao-types: ${allTypes.sort().join(", ")}`)
     }
@@ -763,7 +770,9 @@ function createObjectBodyPart(
 
     if (binaryFieldsForInline.length > 0) {
       const parts = []
+      // Join all text lines first
       parts.push(Buffer.from(orderedLines.join("\r\n")))
+      // Then add binary fields
       for (const { key, buffer } of binaryFieldsForInline) {
         parts.push(Buffer.from(`\r\n${key}: `))
         parts.push(buffer)
@@ -772,18 +781,10 @@ function createObjectBodyPart(
       const fullBody = Buffer.concat(parts)
       return new Blob([fullBody])
     } else {
-      const isLastBodyPart =
-        sortedBodyKeys.indexOf(bodyKey) === sortedBodyKeys.length - 1
-      const hasOnlyTypes = allTypes.length > 0 && fieldLines.length === 0
-      if (isLastBodyPart && hasOnlyTypes) {
-        return new Blob([orderedLines.join("\r\n")])
-      } else if (fieldLines.length === 0) {
-        return new Blob([orderedLines.join("\r\n")])
-      } else {
-        return new Blob([orderedLines.join("\r\n") + "\r\n"])
-      }
+      return new Blob([orderedLines.join("\r\n") + "\r\n"])
     }
   } else {
+    // Non-inline mode remains the same
     const orderedLines = []
     if (allTypes.length > 0) {
       orderedLines.push(`ao-types: ${allTypes.sort().join(", ")}`)
@@ -1162,10 +1163,19 @@ async function encode(obj = {}) {
   // Step 12: Check for special data/body case
   const hasSpecialDataBody = checkSpecialDataBodyCase(obj, sortedBodyKeys)
 
-  headers["body-keys"] = sortedBodyKeys.map(k => `"${k}"`).join(", ")
+  // Only add body-keys header if there are actual body keys
+  if (sortedBodyKeys.length > 0) {
+    headers["body-keys"] = sortedBodyKeys.map(k => `"${k}"`).join(", ")
+  }
 
-  if (!hasSpecialDataBody) {
-    if (sortedBodyKeys.includes("body") && sortedBodyKeys.length === 1) {
+  // Special case: single body key named "body" containing an object
+  if (
+    !hasSpecialDataBody &&
+    sortedBodyKeys.length === 1 &&
+    sortedBodyKeys[0] === "body"
+  ) {
+    const bodyValue = obj.body
+    if (isPojo(bodyValue)) {
       headers["inline-body-key"] = "body"
     }
   }
@@ -1182,6 +1192,11 @@ async function encode(obj = {}) {
     hasSpecialDataBody
   )
 
+  // If no body parts were created, return headers only
+  if (bodyParts.length === 0) {
+    return { headers, body: undefined }
+  }
+
   // Step 14: Generate multipart boundary
   const boundary = await generateBoundary(bodyParts)
 

package/esm/id.js

@@ -0,0 +1,222 @@
+import { hash, hmac } from "fast-sha256"
+
+/**
+ * Parse structured field dictionary format
+ * Handles both complex format: name=(components);params
+ * and simple format: name=:value:
+ */
+function parseStructuredFieldDictionary(input) {
+  // Try complex format first
+  const match = input.match(/([^=]+)=\((.*?)\);(.*)$/)
+  if (match) {
+    const name = match[1]
+    const components = match[2].split(" ")
+    const params = {}
+
+    const paramPairs = match[3].split(";").filter(p => p)
+    paramPairs.forEach(pair => {
+      const [key, value] = pair.split("=")
+      if (key && value) {
+        params[key] = value.replace(/"/g, "")
+      }
+    })
+
+    return { name, components, params }
+  }
+
+  // Try simple format
+  const simpleMatch = input.match(/([^=]+)=:([^:]+):/)
+  if (simpleMatch) {
+    return { name: simpleMatch[1], value: simpleMatch[2] }
+  }
+
+  return null
+}
+
+/**
+ * Convert base64url string to base64
+ */
+function base64urlToBase64(str) {
+  return str.replace(/-/g, "+").replace(/_/g, "/")
+}
+
+/**
+ * Convert Uint8Array to base64url string
+ */
+function uint8ArrayToBase64url(bytes) {
+  // Convert to base64
+  let binary = ""
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i])
+  }
+  const base64 = btoa(binary)
+
+  // Convert to base64url
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "")
+}
+
+/**
+ * Generate commitment ID for RSA-PSS and ECDSA signatures
+ * The ID is the SHA256 hash of the raw signature bytes
+ *
+ * @param {Object} commitment - The commitment object containing signature
+ * @returns {string} The commitment ID in base64url format
+ */
+function generateRsaCommitmentId(commitment) {
+  // Extract the base64 signature from structured field format
+  // Format: "signature-name=:BASE64_SIGNATURE:"
+  const match = commitment.signature.match(/^[^=]+=:([^:]+):/)
+  if (!match) {
+    throw new Error("Invalid signature format")
+  }
+
+  const signatureBase64 = match[1]
+  // Convert base64 to Uint8Array
+  const signatureBinary = Uint8Array.from(atob(signatureBase64), c =>
+    c.charCodeAt(0)
+  )
+
+  // SHA256 hash of the raw signature
+  const hashResult = hash(signatureBinary)
+  const id = uint8ArrayToBase64url(hashResult)
+
+  return id
+}
+
+/**
+ * Generate HMAC commitment ID for HyperBEAM messages
+ * The ID is deterministic based on message content only
+ *
+ * The Erlang implementation sorts components WITH @ prefix included,
+ * then removes @ from derived components in the signature base.
+ *
+ * @param {Object} message - The message with signature and signature-input
+ * @returns {string} The commitment ID in base64url format
+ */
+function generateHmacCommitmentId(message) {
+  // Parse signature-input to get components
+  const parsed = parseStructuredFieldDictionary(message["signature-input"])
+  if (!parsed || !parsed.components) {
+    throw new Error("Failed to parse signature-input")
+  }
+
+  // Sort components AS-IS (with quotes and @ prefix)
+  const sortedComponents = [...parsed.components].sort()
+
+  // Build signature base in sorted order
+  const lines = []
+
+  sortedComponents.forEach(component => {
+    const cleanComponent = component.replace(/"/g, "")
+    let fieldName = cleanComponent
+    let value
+
+    // For derived components (starting with @), remove @ in the signature base
+    if (cleanComponent.startsWith("@")) {
+      fieldName = cleanComponent.substring(1)
+      value = message[fieldName]
+    } else {
+      value = message[cleanComponent]
+    }
+
+    if (value === undefined || value === null) {
+      value = ""
+    } else if (typeof value === "number") {
+      value = value.toString()
+    }
+
+    lines.push(`"${fieldName}": ${value}`)
+  })
+
+  // Add signature-params line with sorted components (keeping @ prefix)
+  const paramsComponents = sortedComponents.join(" ")
+  lines.push(
+    `"@signature-params": (${paramsComponents});alg="hmac-sha256";keyid="ao"`
+  )
+
+  const signatureBase = lines.join("\n")
+
+  // Generate HMAC with key "ao"
+  // Convert string to Uint8Array
+  const messageBytes = new TextEncoder().encode(signatureBase)
+  const keyBytes = new TextEncoder().encode("ao")
+
+  const hmacResult = hmac(keyBytes, messageBytes)
+  return uint8ArrayToBase64url(hmacResult)
+}
+
+/**
+ * Generate commitment ID based on the algorithm type
+ *
+ * @param {Object} commitment - The commitment object containing alg, signature, etc.
+ * @param {Object} fullMessage - The full message (required for HMAC)
+ * @returns {string} The commitment ID in base64url format
+ */
+function generateCommitmentId(commitment, fullMessage = null) {
+  switch (commitment.alg) {
+    case "rsa-pss-sha512":
+    case "ecdsa-p256-sha256":
+      return generateRsaCommitmentId(commitment)
+
+    case "hmac-sha256":
+      if (!fullMessage) {
+        throw new Error("HMAC commitment IDs require full message context")
+      }
+      return generateHmacCommitmentId(fullMessage)
+
+    default:
+      throw new Error(`Unsupported algorithm: ${commitment.alg}`)
+  }
+}
+
+/**
+ * Extract all commitment IDs from a HyperBEAM message
+ *
+ * @param {Object} message - The message with commitments
+ * @returns {Object} Map of commitment IDs to their types
+ */
+function extractCommitmentIds(message) {
+  const ids = {}
+
+  if (!message.commitments) {
+    return ids
+  }
+
+  for (const [id, commitment] of Object.entries(message.commitments)) {
+    ids[id] = {
+      alg: commitment.alg,
+      committer: commitment.committer,
+      device: commitment["commitment-device"],
+    }
+  }
+
+  return ids
+}
+
+/**
+ * Verify a commitment ID matches the expected value
+ *
+ * @param {Object} commitment - The commitment object
+ * @param {string} expectedId - The expected commitment ID
+ * @param {Object} fullMessage - The full message (required for HMAC)
+ * @returns {boolean} True if the ID matches
+ */
+function verifyCommitmentId(commitment, expectedId, fullMessage = null) {
+  try {
+    const calculatedId = generateCommitmentId(commitment, fullMessage)
+    return calculatedId === expectedId
+  } catch (error) {
+    console.error("Error verifying commitment ID:", error)
+    return false
+  }
+}
+
+// Export all functions
+export {
+  generateCommitmentId,
+  generateRsaCommitmentId,
+  generateHmacCommitmentId,
+  extractCommitmentIds,
+  verifyCommitmentId,
+  parseStructuredFieldDictionary,
+}

package/esm/send.js

@@ -9,6 +9,8 @@ const {
 } = httpbis
 
 export async function send(signedMsg, fetchImpl = fetch) {
+  // IMPORTANT: Use the URL from signedMsg.url, NOT from any path header
+  // This ensures we send to the correct URL even if path header is different
   const fetchOptions = {
     method: signedMsg.method,
     headers: signedMsg.headers,
@@ -21,8 +23,9 @@ export async function send(signedMsg, fetchImpl = fetch) {
   ) {
     fetchOptions.body = signedMsg.body
   }
-  const response = await fetchImpl(signedMsg.url, fetchOptions)
 
+  // Use the URL as provided, ignoring any path header
+  const response = await fetchImpl(signedMsg.url, fetchOptions)
   if (response.status >= 400) {
     throw new Error(`${response.status}: ${await response.text()}`)
   }
@@ -90,10 +93,8 @@ export const toHttpSigner = signer => {
 
       signatureBaseArray.push(['"@signature-params"', [signatureInput]])
       signatureBase = formatSignatureBase(signatureBaseArray)
-
       return new TextEncoder().encode(signatureBase)
     }
-
     const result = await signer(create, "httpsig")
 
     if (!createCalled) {

package/esm/signer-utils.js

@@ -207,7 +207,7 @@ export async function verify(signedMessage, publicKey) {
  * @param {string} [signatureName] - Optional signature name to look for
  * @returns {Buffer|null} Public key buffer or null
  */
-function extractPublicKeyFromHeaders(headers, signatureName) {
+export function extractPublicKeyFromHeaders(headers, signatureName) {
   const signatureInput =
     headers["signature-input"] || headers["Signature-Input"]
   if (!signatureInput) return null

package/esm/signer.js

@@ -5,7 +5,11 @@ const joinUrl = ({ url, path }) => {
   if (path.startsWith("http://") || path.startsWith("https://")) {
     return path
   }
-  return url.endsWith("/") ? url.slice(0, -1) + path : url + path
+  // Ensure path starts with /
+  const normalizedPath = path.startsWith("/") ? path : "/" + path
+  return url.endsWith("/")
+    ? url.slice(0, -1) + normalizedPath
+    : url + normalizedPath
 }
 
 export function signer(config) {
@@ -15,7 +19,7 @@ export function signer(config) {
     throw new Error("Signer is required for mainnet mode")
   }
 
-  return async function sign(fields) {
+  return async function sign(fields, { path: _path = false } = {}) {
     const { path = "/relay/process", method = "POST", ...restFields } = fields
     const aoFields = { ...restFields }
     const encoded = await enc(aoFields)
@@ -24,6 +28,8 @@ export function signer(config) {
 
     const _url = joinUrl({ url, path })
 
+    headersObj["path"] = path
+
     if (body && !headersObj["content-length"]) {
       const bodySize = body.size || body.byteLength || 0
       if (bodySize > 0) {
@@ -35,21 +41,39 @@ export function signer(config) {
     for (const [key, value] of Object.entries(headersObj)) {
       lowercaseHeaders[key.toLowerCase()] = value
     }
-
+    if (lowercaseHeaders.path && /^\//.test(lowercaseHeaders.path)) {
+      //const sp = lowercaseHeaders.path.split("/")
+      //lowercaseHeaders.path = sp.slice(sp.length - 1).join("/")
+    }
+    // Parse body-keys if present
+    const bodyKeys = headersObj["body-keys"]
+      ? headersObj["body-keys"]
+          .replace(/"/g, "")
+          .split(",")
+          .map(k => k.trim())
+      : []
+
+    // Collect fields to sign from headers
     const signingFields = Object.keys(lowercaseHeaders).filter(
-      key => key !== "body-keys"
+      key => key !== "body-keys" && key !== "path" && !bodyKeys.includes(key) // Also exclude fields that are in body-keys
     )
-
+    // Always include @path in the signature
+    //if (!signingFields.includes("path")) signingFields.push("path")
+    if (_path) signingFields.push("path")
+    // Ensure we have at least one field to sign
     if (signingFields.length === 0 && !body) {
       lowercaseHeaders["content-length"] = "0"
       signingFields.push("content-length")
     }
 
     const signedRequest = await toHttpSigner(signer)({
-      request: { url: _url, method, headers: lowercaseHeaders },
+      request: {
+        url: _url,
+        method,
+        headers: lowercaseHeaders,
+      },
       fields: signingFields,
     })
-
     const finalHeaders = {}
 
     for (const [key, value] of Object.entries(headersObj)) {
@@ -62,7 +86,6 @@ export function signer(config) {
     if (headersObj["body-keys"]) {
       finalHeaders["body-keys"] = headersObj["body-keys"]
     }
-
     const result = { url: _url, method, headers: finalHeaders }
 
     if (body) result.body = body
@@ -70,3 +93,5 @@ export function signer(config) {
     return result
   }
 }
+
+// stack / simple-pay / patch / hyperbeam / hyperbeam-aos / scheduler / cron

package/esm/utils.js

@@ -1,5 +1,12 @@
 import { graphql, parse, validate, buildSchema } from "graphql"
 import sha256 from "fast-sha256"
+import {
+  generateCommitmentId,
+  generateRsaCommitmentId,
+  generateHmacCommitmentId,
+  verifyCommitmentId,
+} from "./id.js"
+export { generateRsaCommitmentId as rsaid, generateHmacCommitmentId as hmacid }
 import {
   clone,
   is,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wao",
-  "version": "0.27.4",
+  "version": "0.28.0",
   "bin": {
     "wao": "./cjs/cli.js",
     "wao-esm": "./esm/cli.js"