@agenticprimitives/connect-auth 0.1.0-alpha.2

package/dist/methods/siwe.js

@@ -0,0 +1,207 @@
+// Sign-In with Ethereum (EIP-4361) message build + verify.
+//
+// Build is a string template. Verify parses the message, computes EIP-191
+// digest, recovers signer address, and asserts it matches the address in
+// the message.
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { keccak_256 } from '@noble/hashes/sha3';
+/** Build an EIP-4361 message string from structured input. */
+export function buildMessage(input) {
+    const issuedAt = input.issuedAt ?? new Date().toISOString();
+    const lines = [
+        `${input.domain} wants you to sign in with your Ethereum account:`,
+        input.address,
+        '',
+    ];
+    if (input.statement) {
+        lines.push(input.statement);
+        lines.push('');
+    }
+    lines.push(`URI: ${input.uri}`);
+    lines.push(`Version: 1`);
+    lines.push(`Chain ID: ${input.chainId}`);
+    lines.push(`Nonce: ${input.nonce}`);
+    lines.push(`Issued At: ${issuedAt}`);
+    if (input.expirationTime) {
+        lines.push(`Expiration Time: ${input.expirationTime}`);
+    }
+    return lines.join('\n');
+}
+/**
+ * Parse a SIWE message into its fields. Strict: rejects messages that don't
+ * match the EIP-4361 shape we produce. We deliberately don't accept every
+ * valid SIWE message variant — only what we generate.
+ */
+export function parseMessage(text) {
+    const lines = text.split('\n');
+    if (lines.length < 7) {
+        throw new Error('SIWE parse: message too short');
+    }
+    const domainMatch = lines[0]?.match(/^(.+) wants you to sign in with your Ethereum account:$/);
+    if (!domainMatch)
+        throw new Error('SIWE parse: missing/malformed domain line');
+    const domain = domainMatch[1];
+    const address = lines[1];
+    if (!/^0x[0-9a-fA-F]{40}$/.test(address))
+        throw new Error('SIWE parse: malformed address');
+    if (lines[2] !== '')
+        throw new Error('SIWE parse: missing blank line after address');
+    let i = 3;
+    let statement = null;
+    // Statement is optional and ends with a blank line if present
+    if (lines[i] && !lines[i].startsWith('URI: ')) {
+        statement = lines[i] ?? null;
+        i++;
+        if (lines[i] !== '')
+            throw new Error('SIWE parse: missing blank line after statement');
+        i++;
+    }
+    const required = ['URI: ', 'Version: ', 'Chain ID: ', 'Nonce: ', 'Issued At: '];
+    const fields = {};
+    for (const prefix of required) {
+        const line = lines[i++];
+        if (!line || !line.startsWith(prefix)) {
+            throw new Error(`SIWE parse: expected line starting with "${prefix}"`);
+        }
+        fields[prefix.replace(/[:\s]/g, '').toLowerCase()] = line.slice(prefix.length).trim();
+    }
+    let expirationTime = null;
+    if (lines[i] && lines[i].startsWith('Expiration Time: ')) {
+        expirationTime = lines[i].slice('Expiration Time: '.length).trim();
+    }
+    return {
+        domain,
+        address,
+        statement,
+        uri: fields.uri,
+        version: fields.version,
+        chainId: Number(fields.chainid),
+        nonce: fields.nonce,
+        issuedAt: fields.issuedat,
+        expirationTime,
+    };
+}
+function eip191Digest(message) {
+    const bytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${bytes.length}`);
+    const combined = new Uint8Array(prefix.length + bytes.length);
+    combined.set(prefix, 0);
+    combined.set(bytes, prefix.length);
+    return keccak_256(combined);
+}
+function recoverAddress(digest, sigHex) {
+    const sig = sigHex.startsWith('0x') ? sigHex.slice(2) : sigHex;
+    if (sig.length !== 130)
+        throw new Error('SIWE verify: signature must be 65 bytes');
+    const r = BigInt('0x' + sig.slice(0, 64));
+    const s = BigInt('0x' + sig.slice(64, 128));
+    const v = parseInt(sig.slice(128, 130), 16);
+    const recovery = v >= 27 ? v - 27 : v;
+    const signature = new secp256k1.Signature(r, s).addRecoveryBit(recovery);
+    const pub = signature.recoverPublicKey(digest).toRawBytes(false);
+    const hash = keccak_256(pub.slice(1));
+    let hex = '0x';
+    for (const b of hash.slice(12))
+        hex += b.toString(16).padStart(2, '0');
+    return hex;
+}
+/**
+ * Pure parse-and-validate — checks version, domain, nonce, expiration,
+ * and computes the EIP-191 digest. Does NOT verify the signature.
+ *
+ * Used by `verify` (ECDSA path) and `verifyOnchain` (ERC-1271/6492 path).
+ * Splitting this out lets callers verify signatures against a contract
+ * (e.g. `UniversalSignatureValidator`) without re-implementing the SIWE
+ * field validation.
+ */
+export function parseAndValidate(message, opts) {
+    let parsed;
+    try {
+        parsed = parseMessage(message);
+    }
+    catch (e) {
+        return { ok: false, reason: e instanceof Error ? e.message : 'parse error' };
+    }
+    if (parsed.version !== '1')
+        return { ok: false, reason: 'SIWE version not 1' };
+    if (opts?.allowedDomains && !opts.allowedDomains.includes(parsed.domain)) {
+        return { ok: false, reason: `domain "${parsed.domain}" not allowed` };
+    }
+    if (opts?.expectedNonce && opts.expectedNonce !== parsed.nonce) {
+        return { ok: false, reason: 'nonce mismatch' };
+    }
+    const nowMs = (opts?.now ?? Date.now)();
+    if (parsed.expirationTime) {
+        const exp = Date.parse(parsed.expirationTime);
+        if (Number.isNaN(exp) || exp < nowMs) {
+            return { ok: false, reason: 'message expired' };
+        }
+    }
+    const issued = Date.parse(parsed.issuedAt);
+    if (Number.isNaN(issued))
+        return { ok: false, reason: 'issuedAt unparseable' };
+    if (issued > nowMs + 60_000)
+        return { ok: false, reason: 'issuedAt is in the future' };
+    return { ok: true, parsed, digest: eip191Digest(message) };
+}
+/**
+ * Verify a SIWE message via a caller-supplied async signature verifier
+ * (typically `verifyUserSignature` from `./verify-signature`, which calls
+ * the on-chain `UniversalSignatureValidator`).
+ *
+ * Per spec 130 and the `demo-a2a is signer-agnostic` doctrine: when the
+ * SIWE `address` is a smart account, this is how we verify — the
+ * validator dispatches between ECDSA / ERC-1271 / ERC-6492 on-chain,
+ * supporting EOA-owned, passkey-owned, and counterfactual accounts
+ * without the caller branching on signer type.
+ */
+export async function verifyOnchain(message, signature, signatureVerifier, opts) {
+    const pre = parseAndValidate(message, opts);
+    if (!pre.ok)
+        return pre;
+    // Render digest as 0x-hex for the verifier API.
+    let hexDigest = '0x';
+    for (const b of pre.digest)
+        hexDigest += b.toString(16).padStart(2, '0');
+    let valid;
+    try {
+        valid = await signatureVerifier({
+            signer: pre.parsed.address,
+            hash: hexDigest,
+            signature,
+        });
+    }
+    catch (e) {
+        return { ok: false, reason: e instanceof Error ? e.message : 'verifier threw' };
+    }
+    if (!valid) {
+        return { ok: false, reason: 'on-chain signature verification rejected' };
+    }
+    return { ok: true, address: pre.parsed.address, parsed: pre.parsed };
+}
+/**
+ * Legacy ECDSA-only SIWE verifier. Recovers the signer address from the
+ * 65-byte signature and compares against the message's `address` field.
+ *
+ * Prefer `verifyOnchain` for new code — it goes through the universal
+ * validator and works for both EOA-owned and smart-account-owned
+ * (passkey, multisig, etc.) signers. Kept here for backward compat with
+ * the existing `verify` tests and the EOA-only siwe verifier path.
+ */
+export function verify(message, signature, opts) {
+    const pre = parseAndValidate(message, opts);
+    if (!pre.ok)
+        return pre;
+    let recovered;
+    try {
+        recovered = recoverAddress(pre.digest, signature);
+    }
+    catch (e) {
+        return { ok: false, reason: e instanceof Error ? e.message : 'signature recovery failed' };
+    }
+    if (recovered.toLowerCase() !== pre.parsed.address.toLowerCase()) {
+        return { ok: false, reason: 'recovered signer does not match message address' };
+    }
+    return { ok: true, address: pre.parsed.address, parsed: pre.parsed };
+}
+//# sourceMappingURL=siwe.js.map

package/dist/methods/siwe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"siwe.js","sourceRoot":"","sources":["../../src/methods/siwe.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,EAAE;AACF,0EAA0E;AAC1E,yEAAyE;AACzE,eAAe;AAEf,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AA0BhD,8DAA8D;AAC9D,MAAM,UAAU,YAAY,CAAC,KAAuB;IAClD,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC5D,MAAM,KAAK,GAAa;QACtB,GAAG,KAAK,CAAC,MAAM,mDAAmD;QAClE,KAAK,CAAC,OAAO;QACb,EAAE;KACH,CAAC;IACF,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC;IAChC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,KAAK,CAAC,IAAI,CAAC,aAAa,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,UAAU,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IACpC,KAAK,CAAC,IAAI,CAAC,cAAc,QAAQ,EAAE,CAAC,CAAC;IACrC,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,oBAAoB,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC/F,IAAI,CAAC,WAAW;QAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/E,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAY,CAAC;IACpC,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IAC3F,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAErF,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,IAAI,SAAS,GAAkB,IAAI,CAAC;IACpC,8DAA8D;IAC9D,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/C,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAC7B,CAAC,EAAE,CAAC;QACJ,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACvF,CAAC,EAAE,CAAC;IACN,CAAC;IACD,MAAM,QAAQ,GAAG,CAAC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;IAChF,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,GAAG,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACxF,CAAC;IACD,IAAI,cAAc,GAAkB,IAAI,CAAC;IACzC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAE,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC1D,cAAc,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACtE,CAAC;IACD,OAAO;QACL,MAAM;QACN,OAAO;QACP,SAAS;QACT,GAAG,EAAE,MAAM,CAAC,GAAI;QAChB,OAAO,EAAE,MAAM,CAAC,OAAQ;QACxB,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;QAC/B,KAAK,EAAE,MAAM,CAAC,KAAM;QACpB,QAAQ,EAAE,MAAM,CAAC,QAAS;QAC1B,cAAc;KACf,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,iCAAiC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9D,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACxB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,cAAc,CAAC,MAAkB,EAAE,MAAW;IACrD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IAC/D,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IACnF,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC1C,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,SAAS,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAAE,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACvE,OAAO,GAAc,CAAC;AACxB,CAAC;AAYD;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,IAAgF;IAEhF,IAAI,MAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC/E,CAAC;IACD,IAAI,MAAM,CAAC,OAAO,KAAK,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IAE/E,IAAI,IAAI,EAAE,cAAc,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QACzE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,MAAM,CAAC,MAAM,eAAe,EAAE,CAAC;IACxE,CAAC;IACD,IAAI,IAAI,EAAE,aAAa,IAAI,IAAI,CAAC,aAAa,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC;QAC/D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IACjD,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IACxC,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC9C,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,KAAK,EAAE,CAAC;YACrC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAC/E,IAAI,MAAM,GAAG,KAAK,GAAG,MAAM;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IAEvF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;AAC7D,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,SAAc,EACd,iBAIsB,EACtB,IAAgF;IAEhF,MAAM,GAAG,GAAG,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC5C,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IAExB,gDAAgD;IAChD,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,MAAM;QAAE,SAAS,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAEzE,IAAI,KAAc,CAAC;IACnB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,iBAAiB,CAAC;YAC9B,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO;YAC1B,IAAI,EAAE,SAAgB;YACtB,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,0CAA0C,EAAE,CAAC;IAC3E,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC;AACvE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,MAAM,CACpB,OAAe,EACf,SAAc,EACd,IAAgF;IAEhF,MAAM,GAAG,GAAG,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC5C,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,GAAG,CAAC;IAExB,IAAI,SAAkB,CAAC;IACvB,IAAI,CAAC;QACH,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,EAAE,CAAC;IAC7F,CAAC;IACD,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;QACjE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iDAAiD,EAAE,CAAC;IAClF,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC;AACvE,CAAC"}

package/dist/salt.d.ts

@@ -0,0 +1,22 @@
+export declare function deriveSaltFromLabel(label: string): bigint;
+export interface DeriveSaltFromEmailOpts {
+    /**
+     * **Required (H7-B.10).** Per-deployment secret mixed into the salt so
+     * the user's SA address is not a public function of their email alone.
+     *
+     * Source it from a deployment env var / KMS-managed secret. Do NOT
+     * hardcode. Rotating this value rotates every Google-derived salt
+     * irreversibly (existing accounts stay at the old address; new accounts
+     * derive a new one) — treat it as a long-lived crypto credential.
+     */
+    secret: string;
+}
+/**
+ * H7-B.10 — mix a per-deployment `secret` into the keccak preimage. The
+ * positional legacy form `deriveSaltFromEmail(email, rotation)` is gone;
+ * callers MUST pass `{ secret }` as the third arg.
+ *
+ * Closure: PKG-CONNECT-AUTH-002 / EXT-030.
+ */
+export declare function deriveSaltFromEmail(email: string, rotation: number, opts: DeriveSaltFromEmailOpts): bigint;
+//# sourceMappingURL=salt.d.ts.map

package/dist/salt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"salt.d.ts","sourceRoot":"","sources":["../src/salt.ts"],"names":[],"mappings":"AA4BA,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKzD;AAED,MAAM,WAAW,uBAAuB;IACtC;;;;;;;;OAQG;IACH,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,uBAAuB,GAC5B,MAAM,CAeR"}

package/dist/salt.js

@@ -0,0 +1,54 @@
+// Salt derivation for deterministic ERC-4337 smart-account addressing.
+// Per spec 200 §4 (updated by H7-B.10 / PKG-CONNECT-AUTH-002 / EXT-030):
+//   Passkey: BigInt(keccak256(label).slice(0, 18))                     → 8-byte salt
+//   Google:  BigInt(keccak256(`${email}:${rotation}:${secret}`).slice(0, 18))
+//
+// **Why the secret matters (H7-B.10 / PKG-CONNECT-AUTH-002 closure):**
+// the legacy `deriveSaltFromEmail(email, rotation)` made the canonical Smart
+// Agent address a public deterministic function of the user's email — so
+// anyone in possession of the email could pre-compute the SA address. That:
+//   - lets adversaries pre-deploy / front-run target addresses,
+//   - cross-correlates a user across every service / chain that adopts the
+//     same package by hashing the same email,
+//   - contradicts ADR-0010 (the SA address IS the canonical identity, not a
+//     queryable derivative of a side-channel identifier).
+// Mixing in a per-deployment secret breaks the public-function relation:
+// the salt is still deterministic for the deployer (so address derivation
+// stays reproducible), but external parties cannot enumerate addresses
+// from emails alone.
+import { keccak_256 } from '@noble/hashes/sha3';
+function keccakHex(input) {
+    const hash = keccak_256(new TextEncoder().encode(input));
+    let hex = '0x';
+    for (const b of hash)
+        hex += b.toString(16).padStart(2, '0');
+    return hex;
+}
+export function deriveSaltFromLabel(label) {
+    if (typeof label !== 'string' || label.length === 0) {
+        throw new Error('deriveSaltFromLabel: label must be a non-empty string');
+    }
+    return BigInt(keccakHex(label).slice(0, 18));
+}
+/**
+ * H7-B.10 — mix a per-deployment `secret` into the keccak preimage. The
+ * positional legacy form `deriveSaltFromEmail(email, rotation)` is gone;
+ * callers MUST pass `{ secret }` as the third arg.
+ *
+ * Closure: PKG-CONNECT-AUTH-002 / EXT-030.
+ */
+export function deriveSaltFromEmail(email, rotation, opts) {
+    if (typeof email !== 'string' || email.length === 0) {
+        throw new Error('deriveSaltFromEmail: email must be a non-empty string');
+    }
+    if (!Number.isInteger(rotation) || rotation < 0) {
+        throw new Error('deriveSaltFromEmail: rotation must be a non-negative integer');
+    }
+    if (!opts || typeof opts.secret !== 'string' || opts.secret.length < 16) {
+        throw new Error('deriveSaltFromEmail: { secret } is required (H7-B.10 / PKG-CONNECT-AUTH-002 closure) — ' +
+            'pass a per-deployment secret (≥ 16 chars) so the SA address is not a public function ' +
+            'of the user\'s email. Source from a deployment env var / KMS-managed secret.');
+    }
+    return BigInt(keccakHex(`${email}:${rotation}:${opts.secret}`).slice(0, 18));
+}
+//# sourceMappingURL=salt.js.map

package/dist/salt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"salt.js","sourceRoot":"","sources":["../src/salt.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,yEAAyE;AACzE,qFAAqF;AACrF,8EAA8E;AAC9E,EAAE;AACF,uEAAuE;AACvE,6EAA6E;AAC7E,yEAAyE;AACzE,4EAA4E;AAC5E,gEAAgE;AAChE,2EAA2E;AAC3E,8CAA8C;AAC9C,4EAA4E;AAC5E,0DAA0D;AAC1D,yEAAyE;AACzE,0EAA0E;AAC1E,uEAAuE;AACvE,qBAAqB;AAErB,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,SAAS,SAAS,CAAC,KAAa;IAC9B,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACzD,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,IAAI;QAAE,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC7D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/C,CAAC;AAeD;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAa,EACb,QAAgB,EAChB,IAA6B;IAE7B,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CACb,yFAAyF;YACvF,uFAAuF;YACvF,8EAA8E,CACjF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,SAAS,CAAC,GAAG,KAAK,IAAI,QAAQ,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAC/E,CAAC"}

package/dist/sessions.d.ts

@@ -0,0 +1,15 @@
+import type { JwtClaims } from './types';
+export declare const SESSION_COOKIE = "agentic-session";
+export declare const SESSION_TTL_SECONDS = 86400;
+/**
+ * Mint a JWT session cookie value from claims. Adds iat/exp automatically.
+ * Signs with the leftmost key in SESSION_JWT_SECRETS.
+ */
+export declare function mintSession(claims: Omit<JwtClaims, 'iat' | 'exp'>): string;
+/**
+ * Verify a JWT cookie value. Returns claims if valid + not expired, else null.
+ * Tries every kid in SESSION_JWT_SECRETS — rotation-safe.
+ * Constant-time comparison; no info-leak on which key matched.
+ */
+export declare function verifySession(cookieValue: string): JwtClaims | null;
+//# sourceMappingURL=sessions.d.ts.map

package/dist/sessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.d.ts","sourceRoot":"","sources":["../src/sessions.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,eAAO,MAAM,cAAc,oBAAoB,CAAC;AAChD,eAAO,MAAM,mBAAmB,QAAS,CAAC;AAyE1C;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG,MAAM,CAW1E;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CA2CnE"}

package/dist/sessions.js

@@ -0,0 +1,143 @@
+// JWT sessions (HS256) with key rotation.
+//
+// Cookie value is a JWT: base64url(header).base64url(payload).base64url(hmac).
+// Multiple signing secrets are supported via SESSION_JWT_SECRETS=kid:hex,kid:hex.
+// The leftmost key signs; all keys can verify (rotation).
+import { hmac } from '@noble/hashes/hmac';
+import { sha256 } from '@noble/hashes/sha256';
+import { hexToBytes } from 'viem';
+export const SESSION_COOKIE = 'agentic-session';
+export const SESSION_TTL_SECONDS = 86_400; // 24h
+const JWT_HEADER = { alg: 'HS256', typ: 'JWT' };
+function loadKeys() {
+    const env = process.env.SESSION_JWT_SECRETS;
+    if (!env) {
+        throw new Error('connect-auth: SESSION_JWT_SECRETS is required (format: kid1:hex,kid2:hex). Generate one: openssl rand -hex 32');
+    }
+    const out = [];
+    for (const piece of env.split(',')) {
+        const trimmed = piece.trim();
+        if (!trimmed)
+            continue;
+        const idx = trimmed.indexOf(':');
+        if (idx <= 0) {
+            throw new Error(`connect-auth: malformed SESSION_JWT_SECRETS entry "${trimmed}" (expected "kid:hex")`);
+        }
+        const kid = trimmed.slice(0, idx);
+        let hex = trimmed.slice(idx + 1);
+        if (!hex.startsWith('0x'))
+            hex = '0x' + hex;
+        const secret = hexToBytes(hex);
+        if (secret.length < 16) {
+            throw new Error(`connect-auth: SESSION_JWT_SECRETS key "${kid}" too short (need ≥ 16 bytes)`);
+        }
+        out.push({ kid, secret });
+    }
+    if (out.length === 0) {
+        throw new Error('connect-auth: SESSION_JWT_SECRETS resolved to zero usable keys');
+    }
+    return out;
+}
+function base64urlEncode(bytes) {
+    const data = typeof bytes === 'string' ? new TextEncoder().encode(bytes) : bytes;
+    let s = '';
+    // Manual base64 then url-safe replace
+    if (typeof Buffer !== 'undefined') {
+        s = Buffer.from(data).toString('base64');
+    }
+    else {
+        // Browser path — not used by sessions but kept for parity
+        let bin = '';
+        for (const b of data)
+            bin += String.fromCharCode(b);
+        s = btoa(bin);
+    }
+    return s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function base64urlDecode(s) {
+    let padded = s.replace(/-/g, '+').replace(/_/g, '/');
+    while (padded.length % 4)
+        padded += '=';
+    if (typeof Buffer !== 'undefined') {
+        return new Uint8Array(Buffer.from(padded, 'base64'));
+    }
+    const bin = atob(padded);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        out[i] = bin.charCodeAt(i);
+    return out;
+}
+function constantTimeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
+    return diff === 0;
+}
+/**
+ * Mint a JWT session cookie value from claims. Adds iat/exp automatically.
+ * Signs with the leftmost key in SESSION_JWT_SECRETS.
+ */
+export function mintSession(claims) {
+    const keys = loadKeys();
+    const signer = keys[0];
+    const now = Math.floor(Date.now() / 1000);
+    const payload = { ...claims, iat: now, exp: now + SESSION_TTL_SECONDS };
+    const header = { ...JWT_HEADER, kid: signer.kid };
+    const headerEnc = base64urlEncode(JSON.stringify(header));
+    const payloadEnc = base64urlEncode(JSON.stringify(payload));
+    const signingInput = `${headerEnc}.${payloadEnc}`;
+    const sig = hmac(sha256, signer.secret, new TextEncoder().encode(signingInput));
+    return `${signingInput}.${base64urlEncode(sig)}`;
+}
+/**
+ * Verify a JWT cookie value. Returns claims if valid + not expired, else null.
+ * Tries every kid in SESSION_JWT_SECRETS — rotation-safe.
+ * Constant-time comparison; no info-leak on which key matched.
+ */
+export function verifySession(cookieValue) {
+    if (!cookieValue)
+        return null;
+    const parts = cookieValue.split('.');
+    if (parts.length !== 3)
+        return null;
+    const [headerEnc, payloadEnc, sigEnc] = parts;
+    let header;
+    let claims;
+    try {
+        header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerEnc)));
+        claims = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadEnc)));
+    }
+    catch {
+        return null;
+    }
+    if (header.alg !== 'HS256')
+        return null;
+    const presentedSig = base64urlDecode(sigEnc);
+    const signingInput = `${headerEnc}.${payloadEnc}`;
+    let keys;
+    try {
+        keys = loadKeys();
+    }
+    catch {
+        return null;
+    }
+    // Prefer the kid in the header, but try all keys for rotation tolerance.
+    const ordered = header.kid ? [...keys.filter((k) => k.kid === header.kid), ...keys.filter((k) => k.kid !== header.kid)] : keys;
+    let ok = false;
+    for (const k of ordered) {
+        const expected = hmac(sha256, k.secret, new TextEncoder().encode(signingInput));
+        if (constantTimeEqual(expected, presentedSig)) {
+            ok = true;
+            break;
+        }
+    }
+    if (!ok)
+        return null;
+    const now = Math.floor(Date.now() / 1000);
+    if (typeof claims.exp !== 'number' || claims.exp < now)
+        return null;
+    return claims;
+}
+//# sourceMappingURL=sessions.js.map

package/dist/sessions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sessions.js","sourceRoot":"","sources":["../src/sessions.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,+EAA+E;AAC/E,kFAAkF;AAClF,0DAA0D;AAE1D,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAGlC,MAAM,CAAC,MAAM,cAAc,GAAG,iBAAiB,CAAC;AAChD,MAAM,CAAC,MAAM,mBAAmB,GAAG,MAAM,CAAC,CAAC,MAAM;AAEjD,MAAM,UAAU,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;AAOhD,SAAS,QAAQ;IACf,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC5C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,+GAA+G,CAChH,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAiB,EAAE,CAAC;IAC7B,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,sDAAsD,OAAO,wBAAwB,CAAC,CAAC;QACzG,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAClC,IAAI,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,GAAG,GAAG,IAAI,GAAG,GAAG,CAAC;QAC5C,MAAM,MAAM,GAAG,UAAU,CAAC,GAAoB,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,0CAA0C,GAAG,+BAA+B,CAAC,CAAC;QAChG,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;IAC5B,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe,CAAC,KAA0B;IACjD,MAAM,IAAI,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IACjF,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,sCAAsC;IACtC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,0DAA0D;QAC1D,IAAI,GAAG,GAAG,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,IAAI,IAAI;YAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACpD,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IAChB,CAAC;IACD,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,IAAI,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrD,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,IAAI,GAAG,CAAC;IACxC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IACzB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CAAC,CAAa,EAAE,CAAa;IACrD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,OAAO,IAAI,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAsC;IAChE,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;IACxB,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAc,EAAE,GAAG,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,mBAAmB,EAAE,CAAC;IACnF,MAAM,MAAM,GAAG,EAAE,GAAG,UAAU,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;IAClD,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IAChF,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;AACnD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,WAAmB;IAC/C,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,CAAC,GAAG,KAAiC,CAAC;IAE1E,IAAI,MAAsC,CAAC;IAC3C,IAAI,MAAiB,CAAC;IACtB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QAC1E,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAElD,IAAI,IAAkB,CAAC;IACvB,IAAI,CAAC;QACH,IAAI,GAAG,QAAQ,EAAE,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yEAAyE;IACzE,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE/H,IAAI,EAAE,GAAG,KAAK,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;QAChF,IAAI,iBAAiB,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC;YAC9C,EAAE,GAAG,IAAI,CAAC;YACV,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAErB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IAEpE,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,61 @@
+import type { Address, Hex } from '@agenticprimitives/types';
+export type { Address, Hex };
+export type AuthMethod = 'passkey' | 'siwe' | 'google';
+export interface JwtClaims {
+    sub: string;
+    walletAddress: Address | null;
+    smartAccountAddress: Address;
+    name: string;
+    email: string | null;
+    via: AuthMethod;
+    kind: 'session' | 'session-grant';
+    iat: number;
+    exp: number;
+}
+export interface AuthenticatedUser {
+    id: string;
+    walletAddress: Address | null;
+    smartAccountAddress: Address | null;
+    name: string;
+    email: string | null;
+    via: AuthMethod;
+}
+export interface TypedDataDomain {
+    name?: string;
+    version?: string;
+    chainId?: number;
+    verifyingContract?: Address;
+    salt?: Hex;
+}
+export type TypedDataTypes = Record<string, Array<{
+    name: string;
+    type: string;
+}>>;
+export interface Signer {
+    readonly address: Address;
+    signMessage(msg: string | {
+        raw: Hex;
+    }): Promise<Hex>;
+    signTypedData(args: {
+        domain: TypedDataDomain;
+        types: TypedDataTypes;
+        primaryType: string;
+        message: Record<string, unknown>;
+    }): Promise<Hex>;
+}
+export interface PasskeyAssertion {
+    authenticatorData: Hex;
+    clientDataJSON: Hex;
+    signature: Hex;
+}
+export interface PasskeySigner extends Signer {
+    readonly credentialId: string;
+    assert(challenge: Hex): Promise<PasskeyAssertion>;
+}
+export interface EOASigner extends Signer {
+}
+export interface KMSSigner extends Signer {
+    readonly keyId: string;
+    readonly provider: 'local-aes' | 'aws-kms' | 'gcp-kms';
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AAE7D,YAAY,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAE7B,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,MAAM,GAAG,QAAQ,CAAC;AAEvD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,aAAa,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,GAAG,EAAE,UAAU,CAAC;IAChB,IAAI,EAAE,SAAS,GAAG,eAAe,CAAC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,aAAa,EAAE,OAAO,GAAG,IAAI,CAAC;IAC9B,mBAAmB,EAAE,OAAO,GAAG,IAAI,CAAC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,GAAG,EAAE,UAAU,CAAC;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,IAAI,CAAC,EAAE,GAAG,CAAC;CACZ;AAED,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CAAC;AAEnF,MAAM,WAAW,MAAM;IACrB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,GAAG,EAAE,GAAG,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACtD,aAAa,CAAC,IAAI,EAAE;QAClB,MAAM,EAAE,eAAe,CAAC;QACxB,KAAK,EAAE,cAAc,CAAC;QACtB,WAAW,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAClC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,iBAAiB,EAAE,GAAG,CAAC;IACvB,cAAc,EAAE,GAAG,CAAC;IACpB,SAAS,EAAE,GAAG,CAAC;CAChB;AAED,MAAM,WAAW,aAAc,SAAQ,MAAM;IAC3C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,MAAM,CAAC,SAAS,EAAE,GAAG,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;CACnD;AAED,MAAM,WAAW,SAAU,SAAQ,MAAM;CAExC;AAED,MAAM,WAAW,SAAU,SAAQ,MAAM;IACvC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,WAAW,GAAG,SAAS,GAAG,SAAS,CAAC;CACxD"}

package/dist/types.js

@@ -0,0 +1,3 @@
+// Shared types for @agenticprimitives/connect-auth.
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,oDAAoD"}