@agenticvault/agentic-vault 0.1.0

package/dist/protocols/workflows/sign-permit.js

@@ -0,0 +1,320 @@
+const DEFAULT_SERVICE = 'agentic-vault';
+const CANONICAL_PERMIT_FIELDS = new Set(['owner', 'spender', 'value', 'nonce', 'deadline']);
+/**
+ * EIP-2612 permit signing workflow.
+ *
+ * Security validations:
+ * 1. Canonical EIP-2612 types.Permit field check
+ * 2. Message field presence (value, spender, deadline)
+ * 3. Payload/metadata consistency (message vs top-level args)
+ * 4. Domain validation (verifyingContract, chainId)
+ */
+export async function signPermit(ctx, input) {
+    const service = ctx.service ?? DEFAULT_SERVICE;
+    const token = input.token.toLowerCase();
+    // 0. Guard against non-object domain/types/message (no Zod at workflow boundary)
+    if (!input.domain || typeof input.domain !== 'object') {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: 'Invalid domain parameter: must be a non-null object',
+            why: 'Input validation failed',
+            result: 'error',
+            details: { chainId: input.chainId, token },
+        });
+        return { status: 'error', reason: 'domain must be a non-null object' };
+    }
+    if (!input.types || typeof input.types !== 'object') {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: 'Invalid types parameter: must be a non-null object',
+            why: 'Input validation failed',
+            result: 'error',
+            details: { chainId: input.chainId, token },
+        });
+        return { status: 'error', reason: 'types must be a non-null object' };
+    }
+    if (!input.message || typeof input.message !== 'object') {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: 'Invalid message parameter: must be a non-null object',
+            why: 'Input validation failed',
+            result: 'error',
+            details: { chainId: input.chainId, token },
+        });
+        return { status: 'error', reason: 'message must be a non-null object' };
+    }
+    // 1. Parse value safely
+    let amountWei;
+    try {
+        amountWei = BigInt(input.value);
+    }
+    catch {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Invalid value parameter for token ${token} on chain ${input.chainId}`,
+            why: 'Input validation: value must be a decimal string',
+            result: 'error',
+            details: { chainId: input.chainId, token },
+        });
+        return { status: 'error', reason: 'Invalid value: must be a decimal string' };
+    }
+    // 2. Evaluate policy
+    const evaluation = ctx.policyEngine.evaluate({
+        chainId: input.chainId,
+        to: token,
+        amountWei,
+        deadline: input.deadline,
+    });
+    if (!evaluation.allowed) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Permit signing denied for token ${token} on chain ${input.chainId}`,
+            why: `Policy violations: ${evaluation.violations.join('; ')}`,
+            result: 'denied',
+            details: { chainId: input.chainId, token, spender: input.spender, violations: evaluation.violations },
+        });
+        return {
+            status: 'denied',
+            reason: `Policy denied: ${evaluation.violations.join('; ')}`,
+            violations: evaluation.violations,
+        };
+    }
+    // 3. Validate types.Permit matches canonical EIP-2612 schema
+    const typesPermit = input.types?.Permit;
+    if (!Array.isArray(typesPermit)) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: 'Permit types.Permit is missing or not an array',
+            why: 'Canonical EIP-2612 requires types.Permit definition',
+            result: 'denied',
+            details: { chainId: input.chainId, token },
+        });
+        return {
+            status: 'denied',
+            reason: 'types.Permit must be an array of EIP-712 field definitions',
+        };
+    }
+    const typeFieldNames = new Set(typesPermit
+        .filter((f) => typeof f === 'object' &&
+        f !== null &&
+        typeof f.name === 'string')
+        .map((f) => f.name));
+    const missingTypeFields = [...CANONICAL_PERMIT_FIELDS].filter((f) => !typeFieldNames.has(f));
+    if (missingTypeFields.length > 0) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Permit types.Permit missing required fields: ${missingTypeFields.join(', ')}`,
+            why: 'EIP-712 digest only includes fields listed in types; omitting policy-checked fields is a bypass',
+            result: 'denied',
+            details: { chainId: input.chainId, token, missingTypeFields },
+        });
+        return {
+            status: 'denied',
+            reason: `types.Permit must include canonical fields: ${missingTypeFields.join(', ')} missing`,
+        };
+    }
+    // 4. Validate canonical EIP-2612 Permit fields are present in message
+    const message = input.message;
+    if (message.value == null || message.spender == null || message.deadline == null) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: 'Permit message missing required EIP-2612 fields',
+            why: 'Canonical Permit must include value, spender, and deadline',
+            result: 'denied',
+            details: {
+                chainId: input.chainId,
+                token,
+                hasValue: message.value != null,
+                hasSpender: message.spender != null,
+                hasDeadline: message.deadline != null,
+            },
+        });
+        return {
+            status: 'denied',
+            reason: 'Permit message must include value, spender, and deadline fields',
+        };
+    }
+    // 5. Validate message fields match policy-checked args
+    if (String(message.value) !== input.value) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Permit payload mismatch: message.value (${String(message.value)}) !== args.value (${input.value})`,
+            why: 'Payload/metadata consistency check failed',
+            result: 'denied',
+            details: { chainId: input.chainId, token, messageValue: String(message.value), argsValue: input.value },
+        });
+        return {
+            status: 'denied',
+            reason: 'Payload mismatch: message.value does not match value',
+        };
+    }
+    if (String(message.spender).toLowerCase() !== input.spender.toLowerCase()) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Permit payload mismatch: message.spender (${String(message.spender)}) !== args.spender (${input.spender})`,
+            why: 'Payload/metadata consistency check failed',
+            result: 'denied',
+            details: { chainId: input.chainId, token, messageSpender: String(message.spender), argsSpender: input.spender },
+        });
+        return {
+            status: 'denied',
+            reason: 'Payload mismatch: message.spender does not match spender',
+        };
+    }
+    if (String(message.deadline) !== String(input.deadline)) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Permit payload mismatch: message.deadline (${String(message.deadline)}) !== args.deadline (${input.deadline})`,
+            why: 'Payload/metadata consistency check failed',
+            result: 'denied',
+            details: { chainId: input.chainId, token, messageDeadline: String(message.deadline), argsDeadline: input.deadline },
+        });
+        return {
+            status: 'denied',
+            reason: 'Payload mismatch: message.deadline does not match deadline',
+        };
+    }
+    // 6. Validate EIP-712 domain
+    const domain = input.domain;
+    if (!domain.verifyingContract || !domain.chainId) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: 'Permit domain missing required fields',
+            why: 'Domain must include verifyingContract and chainId for replay protection',
+            result: 'denied',
+            details: {
+                chainId: input.chainId,
+                token,
+                hasVerifyingContract: !!domain.verifyingContract,
+                hasChainId: domain.chainId != null,
+            },
+        });
+        return {
+            status: 'denied',
+            reason: 'Permit domain must include verifyingContract and chainId',
+        };
+    }
+    if (domain.verifyingContract.toLowerCase() !== token) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Permit payload mismatch: domain.verifyingContract (${domain.verifyingContract}) !== token (${token})`,
+            why: 'Payload/metadata consistency check failed',
+            result: 'denied',
+            details: { chainId: input.chainId, token, domainContract: domain.verifyingContract },
+        });
+        return {
+            status: 'denied',
+            reason: 'Payload mismatch: domain.verifyingContract does not match token',
+        };
+    }
+    if (domain.chainId !== input.chainId) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Permit payload mismatch: domain.chainId (${domain.chainId}) !== args.chainId (${input.chainId})`,
+            why: 'Payload/metadata consistency check failed',
+            result: 'denied',
+            details: { argsChainId: input.chainId, domainChainId: domain.chainId },
+        });
+        return {
+            status: 'denied',
+            reason: 'Payload mismatch: domain.chainId does not match chainId',
+        };
+    }
+    // 7. Dry-run: return validation result without signing
+    if (ctx.dryRun) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Dry-run approved permit for token ${token} on chain ${input.chainId}`,
+            why: 'Permit validation passed (dry-run)',
+            result: 'approved',
+            details: { chainId: input.chainId, token, spender: input.spender, dryRun: true },
+        });
+        return {
+            status: 'dry-run-approved',
+            details: {
+                chainId: input.chainId,
+                token,
+                spender: input.spender,
+                value: input.value,
+                deadline: input.deadline,
+            },
+        };
+    }
+    // 8. Sign
+    if (!ctx.signer) {
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: 'Signer not available for permit signing',
+            why: 'Configuration error: signer is required when dryRun is not enabled',
+            result: 'error',
+        });
+        return { status: 'error', reason: 'Signer is required when dryRun is not enabled' };
+    }
+    try {
+        const sig = await ctx.signer.signTypedData({
+            domain: input.domain,
+            types: input.types,
+            primaryType: 'Permit',
+            message: input.message,
+        });
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Signed permit for token ${token} on chain ${input.chainId}`,
+            why: 'Permit signing approved by policy',
+            result: 'approved',
+            details: { chainId: input.chainId, token, spender: input.spender },
+        });
+        return {
+            status: 'approved',
+            data: JSON.stringify(sig),
+        };
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        ctx.auditSink.log({
+            service,
+            action: 'sign_permit',
+            who: ctx.caller,
+            what: `Failed to sign permit for token ${token}`,
+            why: 'Signing error',
+            result: 'error',
+            details: { error: msg },
+        });
+        return { status: 'error', reason: `Signing error: ${msg}` };
+    }
+}
+//# sourceMappingURL=sign-permit.js.map

package/dist/protocols/workflows/sign-permit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign-permit.js","sourceRoot":"","sources":["../../../src/protocols/workflows/sign-permit.ts"],"names":[],"mappings":"AAaA,MAAM,eAAe,GAAG,eAAe,CAAC;AACxC,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;AAE5F;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAoB,EACpB,KAAsB;IAEtB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,eAAe,CAAC;IAC/C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,WAAW,EAAmB,CAAC;IAEzD,iFAAiF;IACjF,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACtD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,qDAAqD;YAC3D,GAAG,EAAE,yBAAyB;YAC9B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE;SAC3C,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,kCAAkC,EAAE,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACpD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,oDAAoD;YAC1D,GAAG,EAAE,yBAAyB;YAC9B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE;SAC3C,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACxD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,sDAAsD;YAC5D,GAAG,EAAE,yBAAyB;YAC9B,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE;SAC3C,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IAC1E,CAAC;IAED,wBAAwB;IACxB,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,qCAAqC,KAAK,aAAa,KAAK,CAAC,OAAO,EAAE;YAC5E,GAAG,EAAE,kDAAkD;YACvD,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE;SAC3C,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,yCAAyC,EAAE,CAAC;IAChF,CAAC;IAED,qBAAqB;IACrB,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,QAAQ,CAAC;QAC3C,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,EAAE,EAAE,KAAK;QACT,SAAS;QACT,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC,CAAC;IAEH,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,mCAAmC,KAAK,aAAa,KAAK,CAAC,OAAO,EAAE;YAC1E,GAAG,EAAE,sBAAsB,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC7D,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,UAAU,EAAE,UAAU,CAAC,UAAU,EAAE;SACtG,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,kBAAkB,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YAC5D,UAAU,EAAE,UAAU,CAAC,UAAU;SAClC,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,MAAM,WAAW,GAAI,KAAK,CAAC,KAAiC,EAAE,MAAM,CAAC;IACrE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,gDAAgD;YACtD,GAAG,EAAE,qDAAqD;YAC1D,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE;SAC3C,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,4DAA4D;SACrE,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,IAAI,GAAG,CAC5B,WAAW;SACR,MAAM,CACL,CAAC,CAAU,EAAyB,EAAE,CACpC,OAAO,CAAC,KAAK,QAAQ;QACrB,CAAC,KAAK,IAAI;QACV,OAAQ,CAA6B,CAAC,IAAI,KAAK,QAAQ,CAC1D;SACA,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CACtB,CAAC;IACF,MAAM,iBAAiB,GAAG,CAAC,GAAG,uBAAuB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7F,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,gDAAgD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACpF,GAAG,EAAE,iGAAiG;YACtG,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE;SAC9D,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,+CAA+C,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU;SAC9F,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAC9B,IAAI,OAAO,CAAC,KAAK,IAAI,IAAI,IAAI,OAAO,CAAC,OAAO,IAAI,IAAI,IAAI,OAAO,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAC;QACjF,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,iDAAiD;YACvD,GAAG,EAAE,4DAA4D;YACjE,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE;gBACP,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK;gBACL,QAAQ,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;gBAC/B,UAAU,EAAE,OAAO,CAAC,OAAO,IAAI,IAAI;gBACnC,WAAW,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;aACtC;SACF,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,iEAAiE;SAC1E,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC;QAC1C,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,2CAA2C,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,qBAAqB,KAAK,CAAC,KAAK,GAAG;YACzG,GAAG,EAAE,2CAA2C;YAChD,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,KAAK,EAAE;SACxG,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,sDAAsD;SAC/D,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;QAC1E,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,6CAA6C,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,uBAAuB,KAAK,CAAC,OAAO,GAAG;YACjH,GAAG,EAAE,2CAA2C;YAChD,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE;SAChH,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,0DAA0D;SACnE,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,8CAA8C,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,KAAK,CAAC,QAAQ,GAAG;YACrH,GAAG,EAAE,2CAA2C;YAChD,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,QAAQ,EAAE;SACpH,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,4DAA4D;SACrE,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,MAAM,MAAM,GAAG,KAAK,CAAC,MAA0D,CAAC;IAEhF,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACjD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,uCAAuC;YAC7C,GAAG,EAAE,yEAAyE;YAC9E,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE;gBACP,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK;gBACL,oBAAoB,EAAE,CAAC,CAAC,MAAM,CAAC,iBAAiB;gBAChD,UAAU,EAAE,MAAM,CAAC,OAAO,IAAI,IAAI;aACnC;SACF,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,0DAA0D;SACnE,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,iBAAiB,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;QACrD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,sDAAsD,MAAM,CAAC,iBAAiB,gBAAgB,KAAK,GAAG;YAC5G,GAAG,EAAE,2CAA2C;YAChD,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,CAAC,iBAAiB,EAAE;SACrF,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,iEAAiE;SAC1E,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;QACrC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,4CAA4C,MAAM,CAAC,OAAO,uBAAuB,KAAK,CAAC,OAAO,GAAG;YACvG,GAAG,EAAE,2CAA2C;YAChD,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,OAAO,EAAE;SACvE,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,yDAAyD;SAClE,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QACf,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,qCAAqC,KAAK,aAAa,KAAK,CAAC,OAAO,EAAE;YAC5E,GAAG,EAAE,oCAAoC;YACzC,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE;SACjF,CAAC,CAAC;QACH,OAAO;YACL,MAAM,EAAE,kBAAkB;YAC1B,OAAO,EAAE;gBACP,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK;gBACL,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,QAAQ,EAAE,KAAK,CAAC,QAAQ;aACzB;SACF,CAAC;IACJ,CAAC;IAED,UAAU;IACV,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,yCAAyC;YAC/C,GAAG,EAAE,oEAAoE;YACzE,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,+CAA+C,EAAE,CAAC;IACtF,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC;YACzC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,WAAW,EAAE,QAAQ;YACrB,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAC;QAEH,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,2BAA2B,KAAK,aAAa,KAAK,CAAC,OAAO,EAAE;YAClE,GAAG,EAAE,mCAAmC;YACxC,MAAM,EAAE,UAAU;YAClB,OAAO,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE;SACnE,CAAC,CAAC;QAEH,OAAO;YACL,MAAM,EAAE,UAAU;YAClB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC;SAC1B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC;YAChB,OAAO;YACP,MAAM,EAAE,aAAa;YACrB,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,IAAI,EAAE,mCAAmC,KAAK,EAAE;YAChD,GAAG,EAAE,eAAe;YACpB,MAAM,EAAE,OAAO;YACf,OAAO,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE;SACxB,CAAC,CAAC;QACH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,GAAG,EAAE,EAAE,CAAC;IAC9D,CAAC;AACH,CAAC"}

package/dist/protocols/workflows/types.d.ts

@@ -0,0 +1,79 @@
+/** Caller identity for audit trail */
+export type WorkflowCaller = 'mcp-client' | 'cli' | 'sdk' | 'openclaw';
+/** Audit sink interface — consumers inject their own implementation */
+export interface AuditSink {
+    log(entry: {
+        service: string;
+        action: string;
+        who: string;
+        what: string;
+        why: string;
+        result: 'approved' | 'denied' | 'error';
+        details?: Record<string, unknown>;
+    }): unknown;
+}
+/** Minimal signer interface for workflows */
+export interface WorkflowSigner {
+    getAddress(): Promise<`0x${string}`>;
+    signTransaction(tx: Record<string, unknown>): Promise<`0x${string}`>;
+    signTypedData(params: Record<string, unknown>): Promise<{
+        v: number;
+        r: `0x${string}`;
+        s: `0x${string}`;
+    }>;
+    healthCheck(): Promise<void>;
+}
+/** Decoded intent from protocol dispatcher */
+export interface WorkflowDecodedIntent {
+    protocol: string;
+    chainId: number;
+    to: `0x${string}`;
+    selector?: `0x${string}`;
+    action?: string;
+    args?: Record<string, unknown>;
+    reason?: string;
+}
+/** Minimal policy engine interface for workflows */
+export interface WorkflowPolicyEngine {
+    evaluate(request: {
+        chainId: number;
+        to: `0x${string}`;
+        selector?: `0x${string}`;
+        amountWei?: bigint;
+        deadline?: number;
+        intent?: WorkflowDecodedIntent;
+    }): {
+        allowed: boolean;
+        violations: string[];
+    };
+}
+/** Protocol dispatcher interface for calldata decoding */
+export interface WorkflowDispatcher {
+    dispatch(chainId: number, to: `0x${string}`, data: `0x${string}`): WorkflowDecodedIntent;
+}
+/** Full context for workflow execution */
+export interface WorkflowContext {
+    signer?: WorkflowSigner;
+    policyEngine: WorkflowPolicyEngine;
+    auditSink: AuditSink;
+    dispatcher?: WorkflowDispatcher;
+    caller: WorkflowCaller;
+    service?: string;
+    dryRun?: boolean;
+}
+/** Discriminated union for workflow results */
+export type WorkflowResult = {
+    status: 'approved';
+    data: string;
+    details?: Record<string, unknown>;
+} | {
+    status: 'dry-run-approved';
+    details: Record<string, unknown>;
+} | {
+    status: 'denied';
+    reason: string;
+    violations?: string[];
+} | {
+    status: 'error';
+    reason: string;
+};

package/dist/protocols/workflows/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/protocols/workflows/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/protocols/workflows/types.ts"],"names":[],"mappings":""}

package/dist/provider/factory.d.ts

@@ -0,0 +1,12 @@
+import type { SigningProvider } from '../core/signing-provider.js';
+export interface AwsKmsSigningProviderConfig {
+    provider: 'aws-kms';
+    keyId: string;
+    region: string;
+}
+export type SigningProviderConfig = AwsKmsSigningProviderConfig;
+/**
+ * Factory function to create a SigningProvider from config.
+ * Currently supports 'aws-kms'. Extensible for future providers.
+ */
+export declare function createSigningProvider(config: SigningProviderConfig): SigningProvider;

package/dist/provider/factory.js

@@ -0,0 +1,19 @@
+import { AwsKmsClient } from '../providers/aws-kms/aws-kms-client.js';
+import { AwsKmsProvider } from '../providers/aws-kms/aws-kms-provider.js';
+/**
+ * Factory function to create a SigningProvider from config.
+ * Currently supports 'aws-kms'. Extensible for future providers.
+ */
+export function createSigningProvider(config) {
+    switch (config.provider) {
+        case 'aws-kms': {
+            const kmsClient = new AwsKmsClient({ region: config.region });
+            return new AwsKmsProvider(kmsClient, { keyId: config.keyId });
+        }
+        default: {
+            const _exhaustive = config.provider;
+            throw new Error(`Unknown provider: ${_exhaustive}`);
+        }
+    }
+}
+//# sourceMappingURL=factory.js.map

package/dist/provider/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/provider/factory.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,wCAAwC,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,MAAM,0CAA0C,CAAC;AAU1E;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAA6B;IACjE,QAAQ,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxB,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YAC9D,OAAO,IAAI,cAAc,CAAC,SAAS,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,CAAC,CAAC,CAAC;YACR,MAAM,WAAW,GAAU,MAAM,CAAC,QAAQ,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,qBAAqB,WAAqB,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/providers/aws-kms/aws-kms-client.d.ts

@@ -0,0 +1,19 @@
+export interface KmsKeyMetadata {
+    keySpec: string;
+    keyUsage: string;
+    keyState: string;
+}
+export interface IKmsClient {
+    signDigest(keyId: string, digest: Uint8Array): Promise<Uint8Array>;
+    getPublicKey(keyId: string): Promise<Uint8Array>;
+    describeKey(keyId: string): Promise<KmsKeyMetadata>;
+}
+export declare class AwsKmsClient implements IKmsClient {
+    private client;
+    constructor(config: {
+        region: string;
+    });
+    signDigest(keyId: string, digest: Uint8Array): Promise<Uint8Array>;
+    getPublicKey(keyId: string): Promise<Uint8Array>;
+    describeKey(keyId: string): Promise<KmsKeyMetadata>;
+}

package/dist/providers/aws-kms/aws-kms-client.js

@@ -0,0 +1,47 @@
+import { DescribeKeyCommand, GetPublicKeyCommand, KMSClient, SignCommand, } from '@aws-sdk/client-kms';
+import { parseDerPublicKey } from '../../evm-signer.util.js';
+export class AwsKmsClient {
+    client;
+    constructor(config) {
+        const clientConfig = { region: config.region };
+        this.client = new KMSClient(clientConfig);
+    }
+    async signDigest(keyId, digest) {
+        if (digest.length !== 32) {
+            throw new Error(`Digest must be 32 bytes, got ${digest.length}`);
+        }
+        const command = new SignCommand({
+            KeyId: keyId,
+            Message: digest,
+            SigningAlgorithm: 'ECDSA_SHA_256',
+            MessageType: 'DIGEST',
+        });
+        const response = await this.client.send(command);
+        if (!response.Signature) {
+            throw new Error('KMS Sign response missing Signature');
+        }
+        return new Uint8Array(response.Signature);
+    }
+    async getPublicKey(keyId) {
+        const command = new GetPublicKeyCommand({ KeyId: keyId });
+        const response = await this.client.send(command);
+        if (!response.PublicKey) {
+            throw new Error('KMS GetPublicKey response missing PublicKey');
+        }
+        const derBytes = new Uint8Array(response.PublicKey);
+        return parseDerPublicKey(derBytes);
+    }
+    async describeKey(keyId) {
+        const command = new DescribeKeyCommand({ KeyId: keyId });
+        const response = await this.client.send(command);
+        if (!response.KeyMetadata) {
+            throw new Error('KMS DescribeKey response missing KeyMetadata');
+        }
+        return {
+            keySpec: response.KeyMetadata.KeySpec ?? 'UNKNOWN',
+            keyUsage: response.KeyMetadata.KeyUsage ?? 'UNKNOWN',
+            keyState: response.KeyMetadata.KeyState ?? 'UNKNOWN',
+        };
+    }
+}
+//# sourceMappingURL=aws-kms-client.js.map

package/dist/providers/aws-kms/aws-kms-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-kms-client.js","sourceRoot":"","sources":["../../../src/providers/aws-kms/aws-kms-client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,SAAS,EAET,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAc7D,MAAM,OAAO,YAAY;IACf,MAAM,CAAY;IAE1B,YAAY,MAA0B;QACpC,MAAM,YAAY,GAAoB,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;QAChE,IAAI,CAAC,MAAM,GAAG,IAAI,SAAS,CAAC,YAAY,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,KAAa,EAAE,MAAkB;QAChD,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,gCAAgC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;YAC9B,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,MAAM;YACf,gBAAgB,EAAE,eAAe;YACjC,WAAW,EAAE,QAAQ;SACtB,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAAa;QAC9B,MAAM,OAAO,GAAG,IAAI,mBAAmB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACpD,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAa;QAC7B,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,OAAO;YACL,OAAO,EAAE,QAAQ,CAAC,WAAW,CAAC,OAAO,IAAI,SAAS;YAClD,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,QAAQ,IAAI,SAAS;YACpD,QAAQ,EAAE,QAAQ,CAAC,WAAW,CAAC,QAAQ,IAAI,SAAS;SACrD,CAAC;IACJ,CAAC;CACF"}

package/dist/providers/aws-kms/aws-kms-provider.d.ts

@@ -0,0 +1,17 @@
+import type { SigningProvider, SignatureBlob, PublicKeyBlob } from '../../core/signing-provider.js';
+import type { IKmsClient } from './aws-kms-client.js';
+export interface AwsKmsProviderConfig {
+    keyId: string;
+}
+/**
+ * AWS KMS implementation of SigningProvider.
+ * Key is bound at construction time (no keyId per call).
+ */
+export declare class AwsKmsProvider implements SigningProvider {
+    private readonly keyId;
+    private readonly kmsClient;
+    constructor(kmsClient: IKmsClient, config: AwsKmsProviderConfig);
+    signDigest(digest: Uint8Array): Promise<SignatureBlob>;
+    getPublicKey(): Promise<PublicKeyBlob>;
+    healthCheck(): Promise<void>;
+}

package/dist/providers/aws-kms/aws-kms-provider.js

@@ -0,0 +1,40 @@
+/**
+ * AWS KMS implementation of SigningProvider.
+ * Key is bound at construction time (no keyId per call).
+ */
+export class AwsKmsProvider {
+    keyId;
+    kmsClient;
+    constructor(kmsClient, config) {
+        this.kmsClient = kmsClient;
+        this.keyId = config.keyId;
+    }
+    async signDigest(digest) {
+        const bytes = await this.kmsClient.signDigest(this.keyId, digest);
+        return {
+            bytes,
+            encoding: 'der',
+            algorithm: 'secp256k1',
+        };
+    }
+    async getPublicKey() {
+        const bytes = await this.kmsClient.getPublicKey(this.keyId);
+        return {
+            bytes,
+            algorithm: 'secp256k1',
+        };
+    }
+    async healthCheck() {
+        const metadata = await this.kmsClient.describeKey(this.keyId);
+        if (metadata.keySpec !== 'ECC_SECG_P256K1') {
+            throw new Error(`KMS key has invalid KeySpec: ${metadata.keySpec}, expected ECC_SECG_P256K1`);
+        }
+        if (metadata.keyUsage !== 'SIGN_VERIFY') {
+            throw new Error(`KMS key has invalid KeyUsage: ${metadata.keyUsage}, expected SIGN_VERIFY`);
+        }
+        if (metadata.keyState !== 'Enabled') {
+            throw new Error(`KMS key is not enabled: ${metadata.keyState}`);
+        }
+    }
+}
+//# sourceMappingURL=aws-kms-provider.js.map

package/dist/providers/aws-kms/aws-kms-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-kms-provider.js","sourceRoot":"","sources":["../../../src/providers/aws-kms/aws-kms-provider.ts"],"names":[],"mappings":"AAOA;;;GAGG;AACH,MAAM,OAAO,cAAc;IACR,KAAK,CAAS;IACd,SAAS,CAAa;IAEvC,YAAY,SAAqB,EAAE,MAA4B;QAC7D,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,MAAkB;QACjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAClE,OAAO;YACL,KAAK;YACL,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,WAAW;SACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5D,OAAO;YACL,KAAK;YACL,SAAS,EAAE,WAAW;SACvB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE9D,IAAI,QAAQ,CAAC,OAAO,KAAK,iBAAiB,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CACb,gCAAgC,QAAQ,CAAC,OAAO,4BAA4B,CAC7E,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CACb,iCAAiC,QAAQ,CAAC,QAAQ,wBAAwB,CAC3E,CAAC;QACJ,CAAC;QACD,IAAI,QAAQ,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,2BAA2B,QAAQ,CAAC,QAAQ,EAAE,CAC/C,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/providers/aws-kms/index.d.ts

@@ -0,0 +1,3 @@
+export { AwsKmsClient, type IKmsClient, type KmsKeyMetadata } from './aws-kms-client.js';
+export { AwsKmsProvider, type AwsKmsProviderConfig } from './aws-kms-provider.js';
+export { KmsSignerAdapter, type KmsSignerConfig } from './kms-signer-adapter.js';

package/dist/providers/aws-kms/index.js

@@ -0,0 +1,4 @@
+export { AwsKmsClient } from './aws-kms-client.js';
+export { AwsKmsProvider } from './aws-kms-provider.js';
+export { KmsSignerAdapter } from './kms-signer-adapter.js';
+//# sourceMappingURL=index.js.map

package/dist/providers/aws-kms/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/providers/aws-kms/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAwC,MAAM,qBAAqB,CAAC;AACzF,OAAO,EAAE,cAAc,EAA6B,MAAM,uBAAuB,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAwB,MAAM,yBAAyB,CAAC"}

package/dist/providers/aws-kms/kms-signer-adapter.d.ts

@@ -0,0 +1,41 @@
+import { type Address, type Hex, type TransactionSerializable } from 'viem';
+import type { IKmsClient } from './aws-kms-client.js';
+import type { SignTypedDataParams, SignatureComponents, SignerAdapter } from '../../types.js';
+export interface KmsSignerConfig {
+    keyId: string;
+    region: string;
+    expectedAddress?: Address;
+}
+export declare class KmsSignerAdapter implements SignerAdapter {
+    private readonly keyId;
+    private readonly expectedAddress?;
+    private readonly kmsClient;
+    private addressPromise;
+    constructor(kmsClient: IKmsClient, config: KmsSignerConfig);
+    /**
+     * Get the Ethereum address derived from the KMS public key.
+     * Uses promise memoization to avoid concurrent GetPublicKey calls during cold start.
+     */
+    getAddress(): Promise<Address>;
+    /**
+     * Sign a transaction: serialize -> keccak256 -> KMS sign -> DER decode -> assemble signed tx.
+     */
+    signTransaction(tx: TransactionSerializable): Promise<Hex>;
+    /**
+     * Sign EIP-712 typed data. Returns {v, r, s} for permit-style calls.
+     * v = yParity + 27 (legacy recovery id format expected by EIP-2612 selfPermit).
+     */
+    signTypedData(params: SignTypedDataParams): Promise<SignatureComponents>;
+    /**
+     * Health check: verify KMS key is configured correctly and address matches expectations.
+     */
+    healthCheck(): Promise<void>;
+    /**
+     * Internal: sign a 32-byte digest via KMS and resolve the recovery parameter.
+     */
+    private signDigestAndRecover;
+    /**
+     * Internal: derive address from KMS public key.
+     */
+    private deriveAddress;
+}