client: allow injecting a custom *http.Client (SSRF-guardable)

NewClient hardcoded its *http.Client, so a server-side caller making requests to an attacker-influenced baseURL (a tenant's prime_endpoint) had no way to attach an SSRF policy — the transport followed redirects and dialed any resolved IP, reachable being the cloud metadata service. Add NewClientWithHTTPClient + NewDragonchainSDKWithHTTPClient so callers can supply a client whose transport enforces a dial-time resolved-IP guard and redirect policy. Existing constructors delegate with the prior default (30s timeout), so this is backward compatible — the guard itself lives in the consuming server (e.g. brill-api/pkg/prime), not in this client lib.
add GetInterchain: trace a transaction/block to validator blocks + interchain anchors
2026-06-04 12:32:33 -04:00 · 2026-06-02 14:12:49 -04:00 · 2026-05-29 17:08:47 -04:00
5 changed files with 103 additions and 16 deletions
--- a/block/block.go
+++ b/block/block.go
@@ -25,3 +25,16 @@ func (bc *BlockClient) Get(ctx context.Context, blockID string) (*models.Block,
 	}
 	return &resp, nil
 }
+
+// GetInterchain traces a block to the validator (verification) blocks that
+// validated it and the public-chain interchain anchors those validator blocks
+// were bundled into.
+func (bc *BlockClient) GetInterchain(ctx context.Context, blockID string) (*models.InterchainTrace, error) {
+	var resp models.InterchainTrace
+	path := fmt.Sprintf("/api/v1/block/%s/interchain", blockID)
+	err := bc.client.Get(ctx, path, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
--- a/client/client.go
+++ b/client/client.go
@@ -23,14 +23,23 @@ type Client struct {
 }

 func NewClient(publicID, authKeyID, authKey, baseURL string) *Client {
+	return NewClientWithHTTPClient(publicID, authKeyID, authKey, baseURL, nil)
+}
+
+// NewClientWithHTTPClient is like NewClient but uses a caller-supplied
+// *http.Client — e.g. one whose transport is SSRF-guarded, or one with a
+// non-default timeout. A nil hc falls back to the package default (30s
+// timeout, default transport), so existing callers are unaffected.
+func NewClientWithHTTPClient(publicID, authKeyID, authKey, baseURL string, hc *http.Client) *Client {
+	if hc == nil {
+		hc = &http.Client{Timeout: 30 * time.Second}
+	}
 	return &Client{
 		publicID:   publicID,
 		authKeyID:  authKeyID,
 		authKey:    authKey,
 		baseURL:    strings.TrimSuffix(baseURL, "/"),
-		httpClient: &http.Client{
-			Timeout: 30 * time.Second,
-		},
+		httpClient: hc,
 	}
 }

--- a/dragonchain.go
+++ b/dragonchain.go
@@ -50,6 +50,8 @@
 package sdk

 import (
+	"net/http"
+
 	"git.dragonchain.com/dragonchain/prime-sdk-go/block"
 	"git.dragonchain.com/dragonchain/prime-sdk-go/client"
 	"git.dragonchain.com/dragonchain/prime-sdk-go/contract"
@@ -80,7 +82,15 @@ type DragonchainSDK struct {
 // Returns a configured SDK client ready to make API calls.
 // All API methods on the returned client require a context.Context parameter.
 func NewDragonchainSDK(publicID, authKeyID, authKey, baseURL string) *DragonchainSDK {
-	c := client.NewClient(publicID, authKeyID, authKey, baseURL)
+	return NewDragonchainSDKWithHTTPClient(publicID, authKeyID, authKey, baseURL, nil)
+}
+
+// NewDragonchainSDKWithHTTPClient is like NewDragonchainSDK but routes every
+// request through the caller-supplied *http.Client. Pass a client whose
+// transport enforces an SSRF policy (guarded dialer + redirect checks) when
+// the baseURL is attacker-influenced. A nil hc falls back to the SDK default.
+func NewDragonchainSDKWithHTTPClient(publicID, authKeyID, authKey, baseURL string, hc *http.Client) *DragonchainSDK {
+	c := client.NewClientWithHTTPClient(publicID, authKeyID, authKey, baseURL, hc)
 	return &DragonchainSDK{
 		client:          c,
 		Transaction:     transaction.NewTransactionClient(c),
--- a/models/models.go
+++ b/models/models.go
@@ -122,17 +122,22 @@ type SmartContractExecutionInfo struct {

 type Block struct {
 	Version      string      `json:"version"`
-	ID           string     `json:"block_id"`
-	Timestamp    string     `json:"timestamp"`
-	PrevID       string     `json:"prev_id"`
-	PrevProof    string     `json:"prev_proof"`
+	Header       BlockHeader `json:"header"`
 	Transactions []string    `json:"transactions"`
 	Proof        BlockProof  `json:"proof"`
 }

+type BlockHeader struct {
+	BlockId   string `json:"blockId"`
+	DcId      string `json:"dcId"`
+	PrevId    string `json:"prevId"`
+	PrevProof string `json:"prevProof"`
+	Timestamp string `json:"timestamp"`
+}
+
 type BlockProof struct {
-	Scheme string `json:"scheme"`
 	Proof  string `json:"proof"`
+	Scheme string `json:"scheme,omitempty"`
 	Nonce  int64  `json:"nonce,omitempty"`
 }

@@ -165,3 +170,39 @@ type ListResponse struct {
 	Items      []interface{} `json:"items"`
 	TotalCount int           `json:"total_count"`
 }
+
+// VerificationBlock is a validator's verification of a prime block.
+type VerificationBlock struct {
+	Version           string `json:"version"`
+	PrimeChainId      string `json:"primeChainId"`
+	PrimeBlockId      string `json:"primeBlockId"`
+	Timestamp         string `json:"timestamp"`
+	VerifierPublicKey string `json:"verifierPublicKey"`
+	VerifierSignature string `json:"verifierSignature"`
+}
+
+// InterchainTransaction is an anchor broadcast to a public blockchain (e.g. ETH
+// or BTC) that bundles one or more validator blocks. ValidatorBlocks holds the
+// prime block ids covered; CoveredPrimeChainIds the prime chains they belong to.
+type InterchainTransaction struct {
+	Id                   int      `json:"id"`
+	Version              string   `json:"version"`
+	Timestamp            string   `json:"timestamp"`
+	ChainId              string   `json:"chainId"`
+	TransHash            string   `json:"transHash"`
+	BlockId              string   `json:"blockId"`
+	ValidatorBlocks      []string `json:"validatorBlocks"`
+	ValidatorBlockhash   string   `json:"validatorBlockhash"`
+	Signature            string   `json:"signature"`
+	CoveredPrimeChainIds []string `json:"coveredPrimeChainIds"`
+}
+
+// InterchainTrace links a prime block to the validator (verification) blocks
+// that validated it and the public-chain interchain anchors those validator
+// blocks were bundled into. Returned by Transaction.GetInterchain and
+// Block.GetInterchain.
+type InterchainTrace struct {
+	BlockId                string                  `json:"blockId"`
+	ValidatorBlocks        []VerificationBlock     `json:"validatorBlocks"`
+	InterchainTransactions []InterchainTransaction `json:"interchainTransactions"`
+}
--- a/transaction/transaction.go
+++ b/transaction/transaction.go
@@ -52,6 +52,20 @@ func (tc *TransactionClient) Get(ctx context.Context, transactionID string) (*mo
 	return &resp, nil
 }

+// GetInterchain traces a transaction to the validator (verification) blocks that
+// validated its prime block and the public-chain interchain anchors those
+// validator blocks were bundled into. If the transaction is still pending (not
+// yet in a block) the trace's slices are empty.
+func (tc *TransactionClient) GetInterchain(ctx context.Context, transactionID string) (*models.InterchainTrace, error) {
+	var resp models.InterchainTrace
+	path := fmt.Sprintf("/api/v1/transaction/%s/interchain", transactionID)
+	err := tc.client.Get(ctx, path, &resp)
+	if err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
 func (tc *TransactionClient) List(ctx context.Context) (*models.ListTransactionsResponse, error) {
 	var resp models.ListTransactionsResponse
 	path := "/api/v1/transaction/"