Internal agent bug fixes 2 (#1373)

* fix: correct pollTransaction off-by-one and requestAirdrop error path

* fix: add parentheses to fix operator precedence in parseSuccessful

* fix: multiple spec.ts correctness issues

* fix: advance WASM parser offset on skipped custom sections

* fix: federation server domain validation and URL mutation

* fix: clone URL in stream() to prevent mutation of shared builder state

* fix: store original operation for restore path in buildWithOp

* fix: include port in SERVER_TIME_MAP key to prevent cross-port collision

* fix: handle Err variant in funcResToNative for Result types

* fix: refactor AccountResponse constructor for type-safe property assignment

* add transactions field to Api.AccountRecord and AccountResponse

* add range checks for U32 and I32 values in Spec class

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Ryang-21

CHANGELOG.md

@@ -6,6 +6,35 @@ A breaking change will get clearly marked in this log.
 
 ## Unreleased
 
+### Fixed
+* `RpcServer.pollTransaction` off-by-one: the polling loop used `<` instead of `<=`, causing one fewer attempt than configured([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `requestAirdrop` error path: fixed incorrect property access (`error.response.detail` instead of `error.response.data.detail`) when checking for `createAccountAlreadyExist` ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* Operator precedence bug in `parseSuccessful`: `sim.results?.length ?? 0 > 0` was parsed as `?? (0 > 0)`, causing simulation results and state changes to never be included in the parsed response ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `Spec.typeRef` now properly handles `scSpecTypeResult` by returning the JSON schema for the `okType`, instead of silently breaking out of the switch ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `structToJsonSchema` now places `additionalProperties: false` on the schema object itself rather than incorrectly nesting it inside `properties` ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* Fixed bigint-to-U32/I32 conversion in `Spec` using `Number(val)` instead of `val as number` (a no-op for bigints) ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* Fixed missing template literal `$` in two `Spec` error messages that were not interpolated ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* WASM custom section parser: when a section was skipped (invalid name length), the offset was not advanced, causing an infinite loop or incorrect parsing of subsequent sections ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `FederationServer.resolve` now validates domains per RFC 1035, rejecting malformed domains. Port numbers are also accepted in the domain ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `FederationServer` URL mutation: `resolveAddress`, `resolveAccountId`, and `resolveTransactionId` mutated the shared `serverURL` by appending query params on each call. Fixed by cloning the URL before modifying ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `CallBuilder.stream()` URL mutation: `stream()` mutated the shared `this.url` by adding query params, corrupting the builder for subsequent calls. Fixed by cloning the URL ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `AssembledTransaction` restore path: when `buildWithOp` was used and automatic state restoration was needed, the rebuild incorrectly reconstructed the operation via `contract.call()` instead of reusing the original operation ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `SERVER_TIME_MAP` port collision: the Horizon time-sync cache keyed entries by hostname only, so two servers on different ports of the same host shared a cache entry. Fixed by including the port in the key ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* `Spec.funcResToNative` now correctly returns an `Err` instance when a contract function with a `Result` return type returns an error, instead of throwing while decoding it as the `Ok` type ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* SEP-10: `verifyChallengeTxSigners` now rejects challenges signed only by the server and `client_domain` key with no actual client signer, instead of returning an empty signers list ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
+* `getAssetBalance` used incorrect flag bitmask constants (`AuthRequiredFlag`, `AuthRevocableFlag`, `AuthClawbackEnabledFlag`) which are account-level flags, not trustline-level flags. Replaced with the correct trustline flag bitmasks (`0x1`, `0x2`, `0x4`) ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
+* `AssembledTransaction.simulate` did not clear `this.built` before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
+* `AssembledTransaction.signAndSend` mutated the shared `this.options.submit` flag to prevent double submission. Replaced with a wrapper around `signTransaction` that injects `submit: false` without mutating shared state ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
+* Fetch HTTP client: async request interceptors were not awaited — the synchronous `try/catch` loop passed unresolved promise objects as the config. Replaced with a proper `.then()` chain matching Axios interceptor semantics ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
+
+### Added
+* `AccountResponse` constructor now uses explicit field-by-field assignment instead of `Object.entries` dynamic assignment for type safety ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* Added `transactions` collection to `Api.AccountRecord` and `AccountResponse` ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+* Added range checks for U32/I32 values in `Spec`: bigint values are now validated against min/max bounds before conversion, throwing a `RangeError` instead of silently truncating ([#1373](https://github.com/stellar/js-stellar-sdk/pull/1373)).
+
+### Deprecated
+* `BalanceResponse.revocable` is deprecated in favor of `authorizedToMaintainLiabilities`, which correctly reflects the trustline flag semantics ([#1372](https://github.com/stellar/js-stellar-sdk/pull/1372)).
+
 
 ## [v15.0.1](https://github.com/stellar/js-stellar-sdk/compare/v15.0.0...v15.0.1)
 

src/contract/assembled_transaction.ts

@@ -268,6 +268,12 @@ export class AssembledTransaction<T> {
    */
   public raw?: TransactionBuilder;
 
+  /**
+   * Stores the original operation from `buildWithOp` for reuse during
+   * automatic state restoration rebuilds.
+   */
+  private originalOp?: xdr.Operation;
+
   /**
    * The Transaction as it was built with `raw.build()` right before
    * simulation. Once this is set, modifying `raw` will have no effect unless
@@ -590,6 +596,7 @@ export class AssembledTransaction<T> {
     options: AssembledTransactionOptions<T>,
   ): Promise<AssembledTransaction<T>> {
     const tx = new AssembledTransaction(options);
+    tx.originalOp = operation;
     const account = await getAccount(options, tx.server);
     tx.raw = new TransactionBuilder(account, {
       fee: options.fee ?? BASE_FEE,
@@ -650,14 +657,17 @@ export class AssembledTransaction<T> {
       );
       if (result.status === Api.GetTransactionStatus.SUCCESS) {
         // need to rebuild the transaction with bumped account sequence number
-        const contract = new Contract(this.options.contractId);
+        const op = this.originalOp
+          ? this.originalOp
+          : new Contract(this.options.contractId).call(
+              this.options.method,
+              ...(this.options.args ?? []),
+            );
         this.raw = new TransactionBuilder(account, {
           fee: this.options.fee ?? BASE_FEE,
           networkPassphrase: this.options.networkPassphrase,
         })
-          .addOperation(
-            contract.call(this.options.method, ...(this.options.args ?? [])),
-          )
+          .addOperation(op)
           .setTimeout(this.options.timeoutInSeconds ?? DEFAULT_TIMEOUT);
         delete this.built;
         await this.simulate();

src/contract/spec.ts

@@ -7,7 +7,7 @@ import {
   Contract,
   scValToBigInt,
 } from "@stellar/stellar-base";
-import { Ok } from "./rust_result";
+import { Ok, Err } from "./rust_result";
 import { processSpecEntryStream } from "./utils";
 import { specFromWasm } from "./wasm_spec_parser";
 
@@ -277,8 +277,8 @@ function typeRef(typeDef: xdr.ScSpecTypeDef): JSONSchema7 {
       return typeRef(opt.valueType());
     }
     case xdr.ScSpecType.scSpecTypeResult().value: {
-      // throw new Error('Result type not supported');
-      break;
+      const result = typeDef.result();
+      return typeRef(result.okType());
     }
     case xdr.ScSpecType.scSpecTypeVec().value: {
       const arr = typeDef.vec();
@@ -368,11 +368,11 @@ function structToJsonSchema(udt: xdr.ScSpecUdtStructV0): object {
   }
   const description = udt.doc().toString();
   const { properties, required }: any = argsAndRequired(fields);
-  properties.additionalProperties = false;
   return {
     description,
     properties,
     required,
+    additionalProperties: false,
     type: "object",
   };
 }
@@ -623,6 +623,9 @@ export class Spec {
     }
     const output = outputs[0];
     if (output.switch().value === xdr.ScSpecType.scSpecTypeResult().value) {
+      if (val.switch().value === xdr.ScValType.scvError().value) {
+        return new Err({ message: val.error().toXDR("base64") });
+      }
       return new Ok(this.scValToNative(val, output.result().okType()));
     }
     return this.scValToNative(val, output);
@@ -802,9 +805,22 @@ export class Spec {
       case "bigint": {
         switch (value) {
           case xdr.ScSpecType.scSpecTypeU32().value:
-            return xdr.ScVal.scvU32(val as number);
+            if (
+              BigInt(val) < BigInt(xdr.Uint32.MIN_VALUE) ||
+              BigInt(val) > BigInt(xdr.Uint32.MAX_VALUE)
+            ) {
+              throw new RangeError(`Value ${val} is out of range for U32`);
+            }
+            return xdr.ScVal.scvU32(Number(val));
           case xdr.ScSpecType.scSpecTypeI32().value:
-            return xdr.ScVal.scvI32(val as number);
+            if (
+              // TODO: remove the `-` cast on the min value once js-xdr fixes the issue where it treats the min value as unsigned
+              BigInt(val) < -BigInt(xdr.Int32.MIN_VALUE) ||
+              BigInt(val) > BigInt(xdr.Int32.MAX_VALUE)
+            ) {
+              throw new RangeError(`Value ${val} is out of range for I32`);
+            }
+            return xdr.ScVal.scvI32(Number(val));
           case xdr.ScSpecType.scSpecTypeU64().value:
           case xdr.ScSpecType.scSpecTypeI64().value:
           case xdr.ScSpecType.scSpecTypeU128().value:
@@ -1102,12 +1118,12 @@ export class Spec {
     }
     const name = vec[0].sym().toString();
     if (vec[0].switch().value !== xdr.ScValType.scvSymbol().value) {
-      throw new Error(`{vec[0]} is not a symbol`);
+      throw new Error(`${vec[0]} is not a symbol`);
     }
     const entry = udt.cases().find(findCase(name));
     if (!entry) {
       throw new Error(
-        `failed to find entry ${name} in union {udt.name().toString()}`,
+        `failed to find entry ${name} in union ${udt.name().toString()}`,
       );
     }
     const res: Union<any> = { tag: name };

src/contract/utils.ts

@@ -153,24 +153,24 @@ export function parseWasmCustomSections(
       // Custom section
       const nameLen = readVarUint32();
 
-      if (nameLen === 0 || offset + nameLen > start + sectionLength) continue;
-
-      const nameBytes = read(nameLen);
-      const payload = read(sectionLength - (offset - start));
-
-      try {
-        const name = new TextDecoder("utf-8", { fatal: true }).decode(
-          nameBytes,
-        );
-        if (payload.length > 0) {
-          sections.set(name, (sections.get(name) || []).concat(payload));
+      if (nameLen > 0 && offset + nameLen <= start + sectionLength) {
+        const nameBytes = read(nameLen);
+        const payload = read(sectionLength - (offset - start));
+
+        try {
+          const name = new TextDecoder("utf-8", { fatal: true }).decode(
+            nameBytes,
+          );
+          if (payload.length > 0) {
+            sections.set(name, (sections.get(name) || []).concat(payload));
+          }
+        } catch {
+          /* Invalid UTF-8 */
         }
-      } catch {
-        /* Invalid UTF-8 */
       }
-    } else {
-      offset += sectionLength; // Skip other sections
     }
+    // Always advance to end of section
+    offset = start + sectionLength;
   }
 
   return sections;

src/federation/server.ts

@@ -90,6 +90,17 @@ export class FederationServer {
     if (addressParts.length !== 2 || !domain) {
       return Promise.reject(new Error("Invalid Stellar address"));
     }
+
+    // Validate domain per RFC 1035 (as required by SEP-0002): each dot-separated
+    // label must start with a letter, end with a letter or digit, and contain only
+    // letters, digits, or hyphens.
+    if (
+      !/^(?:[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)*[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?::\d+)?$/.test(
+        domain,
+      )
+    ) {
+      return Promise.reject(new Error("Invalid domain in Stellar address"));
+    }
     const federationServer = await FederationServer.createForDomain(
       domain,
       opts,
@@ -174,7 +185,9 @@ export class FederationServer {
       }
       stellarAddress = `${address}*${this.domain}`;
     }
-    const url = this.serverURL.query({ type: "name", q: stellarAddress });
+    const url = this.serverURL
+      .clone()
+      .query({ type: "name", q: stellarAddress });
     return this._sendRequest(url);
   }
 
@@ -188,7 +201,7 @@ export class FederationServer {
    * @throws {BadResponseError} Will throw an error if the server query fails with an improper response.
    */
   public async resolveAccountId(accountId: string): Promise<Api.Record> {
-    const url = this.serverURL.query({ type: "id", q: accountId });
+    const url = this.serverURL.clone().query({ type: "id", q: accountId });
     return this._sendRequest(url);
   }
 
@@ -204,7 +217,9 @@ export class FederationServer {
   public async resolveTransactionId(
     transactionId: string,
   ): Promise<Api.Record> {
-    const url = this.serverURL.query({ type: "txid", q: transactionId });
+    const url = this.serverURL
+      .clone()
+      .query({ type: "txid", q: transactionId });
     return this._sendRequest(url);
   }
 

src/horizon/account_response.ts

@@ -47,15 +47,38 @@ export class AccountResponse {
   public readonly operations!: ServerApi.CallCollectionFunction<ServerApi.OperationRecord>;
   public readonly payments!: ServerApi.CallCollectionFunction<ServerApi.PaymentOperationRecord>;
   public readonly trades!: ServerApi.CallCollectionFunction<ServerApi.TradeRecord>;
+  public readonly transactions!: ServerApi.CallCollectionFunction<ServerApi.TransactionRecord>;
   private readonly _baseAccount: BaseAccount;
 
   constructor(response: ServerApi.AccountRecord) {
     this._baseAccount = new BaseAccount(response.account_id, response.sequence);
     // Extract response fields
-    // TODO: do it in type-safe manner.
-    Object.entries(response).forEach(([key, value]) => {
-      (this as any)[key] = value;
-    });
+    this.effects = response.effects;
+    this.offers = response.offers;
+    this.operations = response.operations;
+    this.payments = response.payments;
+    this.trades = response.trades;
+    this.data = response.data;
+    this.transactions = response.transactions;
+    this.id = response.id;
+    this.paging_token = response.paging_token;
+    this.account_id = response.account_id;
+    this.sequence = response.sequence;
+    this.sequence_ledger = response.sequence_ledger;
+    this.sequence_time = response.sequence_time;
+    this.subentry_count = response.subentry_count;
+    this.home_domain = response.home_domain;
+    this.inflation_destination = response.inflation_destination;
+    this.last_modified_ledger = response.last_modified_ledger;
+    this.last_modified_time = response.last_modified_time;
+    this.thresholds = response.thresholds;
+    this.flags = response.flags;
+    this.balances = response.balances;
+    this.signers = response.signers;
+    this.data_attr = response.data_attr;
+    this.sponsor = response.sponsor;
+    this.num_sponsoring = response.num_sponsoring;
+    this.num_sponsored = response.num_sponsored;
   }
 
   /**

src/horizon/call_builder.ts

@@ -126,8 +126,9 @@ export class CallBuilder<
 
     this.checkFilter();
 
-    this.url.setQuery("X-Client-Name", "js-stellar-sdk");
-    this.url.setQuery("X-Client-Version", version);
+    const streamUrl = this.url.clone();
+    streamUrl.setQuery("X-Client-Name", "js-stellar-sdk");
+    streamUrl.setQuery("X-Client-Version", version);
 
     // Extract custom app headers from httpClient defaults and add as query params
     // (EventSource doesn't support custom headers, so we use query params)
@@ -145,7 +146,7 @@ export class CallBuilder<
           value = headers[name];
         }
         if (value) {
-          this.url.setQuery(name, value);
+          streamUrl.setQuery(name, value);
         }
       });
     }
@@ -171,7 +172,7 @@ export class CallBuilder<
 
     const createEventSource = (): EventSource => {
       try {
-        es = new EventSource(this.url.toString());
+        es = new EventSource(streamUrl.toString());
       } catch (err) {
         if (options.onerror) {
           options.onerror(err as MessageEvent);
@@ -208,7 +209,7 @@ export class CallBuilder<
           ? this._parseRecord(JSON.parse(message.data))
           : message;
         if (result.paging_token) {
-          this.url.setQuery("cursor", result.paging_token);
+          streamUrl.setQuery("cursor", result.paging_token);
         }
         clearTimeout(timeout);
         createTimeout();

src/horizon/horizon_axios_client.ts

@@ -43,7 +43,10 @@ export function createHttpClient(headers?: Record<string, string>): HttpClient {
   });
 
   httpClient.interceptors.response.use((response) => {
-    const hostname = URI(response.config.url!).hostname();
+    const uri = URI(response.config.url!);
+    const hostname = uri.port()
+      ? `${uri.hostname()}:${uri.port()}`
+      : uri.hostname();
     let serverTime = 0;
     if (response.headers instanceof Headers) {
       const dateHeader = response.headers.get("date");

src/horizon/server.ts

@@ -155,7 +155,10 @@ export class HorizonServer {
     _isRetry: boolean = false,
   ): Promise<HorizonServer.Timebounds> {
     // httpClient instead of this.ledgers so we can get at them headers
-    const currentTime = getCurrentServerTime(this.serverURL.hostname());
+    const serverKey = this.serverURL.port()
+      ? `${this.serverURL.hostname()}:${this.serverURL.port()}`
+      : this.serverURL.hostname();
+    const currentTime = getCurrentServerTime(serverKey);
 
     if (currentTime) {
       return {

src/horizon/server_api.ts

@@ -116,6 +116,7 @@ export namespace ServerApi {
     sponsor?: string;
     num_sponsoring: number;
     num_sponsored: number;
+    transactions: CallCollectionFunction<TransactionRecord>;
     effects: CallCollectionFunction<EffectRecord>;
     offers: CallCollectionFunction<OfferRecord>;
     operations: CallCollectionFunction<OperationRecord>;