@arkade-os/sdk 0.4.23 → 0.4.25

package/dist/esm/contracts/handlers/default.js

@@ -1,6 +1,7 @@
 import { hex } from "@scure/base";
 import { DefaultVtxo } from '../../script/default.js';
-import { isCsvSpendable, sequenceToTimelock, timelockToSequence, } from './helpers.js';
+import { isCsvSpendable } from './helpers.js';
+import { sequenceToTimelock, timelockToSequence } from '../../utils/timelock.js';
 import { normalizeToDescriptor, extractPubKey, } from '../../identity/descriptor.js';
 /**
  * Extract pubkey bytes from a descriptor or hex string.

package/dist/esm/contracts/handlers/delegate.js

@@ -1,7 +1,8 @@
 import { hex } from "@scure/base";
 import { DelegateVtxo } from '../../script/delegate.js';
 import { DefaultVtxo } from '../../script/default.js';
-import { isCsvSpendable, sequenceToTimelock, timelockToSequence, } from './helpers.js';
+import { isCsvSpendable } from './helpers.js';
+import { sequenceToTimelock, timelockToSequence } from '../../utils/timelock.js';
 /**
  * Handler for delegate wallet virtual outputs.
  *

package/dist/esm/contracts/handlers/helpers.js

@@ -1,4 +1,4 @@
-import * as bip68 from "bip68";
+import { sequenceToTimelock } from '../../utils/timelock.js';
 import { isDescriptor, extractPubKey } from '../../identity/descriptor.js';
 /**
  * Extract raw hex pubkey from a value that may be a descriptor or raw hex.
@@ -16,27 +16,6 @@ function extractRawPubKey(value) {
         return undefined;
     }
 }
-/**
- * Convert RelativeTimelock to BIP68 sequence number.
- */
-export function timelockToSequence(timelock) {
-    return bip68.encode(timelock.type === "blocks"
-        ? { blocks: Number(timelock.value) }
-        : { seconds: Number(timelock.value) });
-}
-/**
- * Convert BIP68 sequence number back to RelativeTimelock.
- */
-export function sequenceToTimelock(sequence) {
-    const decoded = bip68.decode(sequence);
-    if ("blocks" in decoded && decoded.blocks !== undefined) {
-        return { type: "blocks", value: BigInt(decoded.blocks) };
-    }
-    if ("seconds" in decoded && decoded.seconds !== undefined) {
-        return { type: "seconds", value: BigInt(decoded.seconds) };
-    }
-    throw new Error(`Invalid BIP68 sequence: ${sequence}`);
-}
 /**
  * Resolve wallet's role from explicit role or by matching descriptor/pubkey.
  */

package/dist/esm/contracts/handlers/vhtlc.js

@@ -1,6 +1,7 @@
 import { hex } from "@scure/base";
 import { VHTLC } from '../../script/vhtlc.js';
-import { isCltvSatisfied, isCsvSpendable, resolveRole, sequenceToTimelock, timelockToSequence, } from './helpers.js';
+import { isCltvSatisfied, isCsvSpendable, resolveRole } from './helpers.js';
+import { sequenceToTimelock, timelockToSequence } from '../../utils/timelock.js';
 /**
  * Handler for Virtual Hash Time Lock Contract (VHTLC).
  *

package/dist/esm/contracts/vtxoOwnership.js

@@ -0,0 +1,69 @@
+/**
+ * Tier 1 helpers that enforce VTXO ownership at call sites that already know
+ * the intended contract script. Address-keyed repositories may still hand back
+ * legacy duplicate rows under the wrong bucket; these helpers gate reads and
+ * writes so a wrong-script row never wins.
+ *
+ * `script` is the authoritative ownership key. Equality is strict: a missing
+ * or empty `vtxo.script` never matches.
+ */
+export function vtxoOutpoint(vtxo) {
+    return `${vtxo.txid}:${vtxo.vout}`;
+}
+export function isVtxoForScript(vtxo, script) {
+    return !!vtxo.script && vtxo.script === script;
+}
+export function filterVtxosForScript(vtxos, script) {
+    return vtxos.filter((v) => isVtxoForScript(v, script));
+}
+/**
+ * Background/indexer sync flavour: drop wrong-script rows and log enough
+ * context to identify each rejection. Returns only matching rows so the
+ * caller can keep going.
+ */
+export function warnAndFilterVtxosForScript(vtxos, script, context) {
+    const matches = [];
+    const rejected = [];
+    for (const v of vtxos) {
+        if (isVtxoForScript(v, script)) {
+            matches.push(v);
+        }
+        else {
+            rejected.push(`${vtxoOutpoint(v)}(script=${v.script ?? ""})`);
+        }
+    }
+    if (rejected.length > 0) {
+        console.warn(`${context}: dropped ${rejected.length} wrong-script VTXO(s) for script ${script}: ${rejected.join(", ")}`);
+    }
+    return matches;
+}
+/**
+ * User-initiated transaction/signing flavour: throw before persisting or
+ * signing inconsistent ownership state. Silently skipping here would hide a
+ * serious bug in the wallet's spend path.
+ */
+export function validateVtxosForScript(vtxos, script, context) {
+    const mismatches = vtxos.filter((v) => !isVtxoForScript(v, script));
+    if (mismatches.length === 0)
+        return;
+    const detail = mismatches
+        .map((v) => `${vtxoOutpoint(v)}(script=${v.script ?? ""})`)
+        .join(", ");
+    throw new Error(`${context}: refusing to persist ${mismatches.length} VTXO(s) whose script does not match ${script}: ${detail}`);
+}
+/**
+ * Tier 2 dispatch helpers: route to script-scoped repository methods when
+ * available, falling back to Tier 1 address-based filtering otherwise.
+ */
+export async function getVtxosForContract(repo, contract) {
+    return repo.getVtxosForScript
+        ? repo.getVtxosForScript(contract.script)
+        : filterVtxosForScript(await repo.getVtxos(contract.address), contract.script);
+}
+export async function saveVtxosForContract(repo, contract, vtxos) {
+    if (repo.saveVtxosForScript) {
+        return repo.saveVtxosForScript({ script: contract.script, address: contract.address }, vtxos);
+    }
+    validateVtxosForScript(vtxos, contract.script, "saveVtxosForContract");
+    return repo.saveVtxos(contract.address, vtxos);
+}

package/dist/esm/index.js

@@ -42,7 +42,7 @@ export * from './arkfee/index.js';
 export * as asset from './extension/asset/index.js';
 // Contracts
 import { ContractManager, ContractWatcher, contractHandlers, DefaultContractHandler, DelegateContractHandler, VHTLCContractHandler, encodeArkContract, decodeArkContract, contractFromArkContract, contractFromArkContractWithAddress, isArkContract, } from './contracts/index.js';
-import { timelockToSequence, sequenceToTimelock, } from './contracts/handlers/helpers.js';
+import { timelockToSequence, sequenceToTimelock } from './utils/timelock.js';
 import { closeDatabase, openDatabase } from './repositories/indexedDB/manager.js';
 import { WalletMessageHandler, WalletNotInitializedError, ReadonlyWalletError, DelegatorNotConfiguredError, } from './wallet/serviceWorker/wallet-message-handler.js';
 import { MESSAGE_BUS_NOT_INITIALIZED, MessageBusNotInitializedError, ServiceWorkerTimeoutError, } from './worker/errors.js';

package/dist/esm/repositories/inMemory/walletRepository.js

@@ -1,3 +1,4 @@
+import { isVtxoForScript } from '../../contracts/vtxoOwnership.js';
 /**
  * In-memory implementation of WalletRepository.
  * Data is ephemeral and scoped to the instance.
@@ -21,6 +22,40 @@ export class InMemoryWalletRepository {
     async deleteVtxos(address) {
         this.vtxosByAddress.delete(address);
     }
+    async getVtxosForScript(script) {
+        const allMatches = [];
+        for (const bucket of this.vtxosByAddress.values()) {
+            for (const vtxo of bucket) {
+                if (isVtxoForScript(vtxo, script)) {
+                    allMatches.push(vtxo);
+                }
+            }
+        }
+        // Dedup by outpoint (last-write-wins across address buckets)
+        return mergeByKey([], allMatches, (item) => `${item.txid}:${item.vout}`);
+    }
+    async saveVtxosForScript(key, vtxos) {
+        if (!key.address) {
+            throw new Error("InMemoryWalletRepository requires an address");
+        }
+        for (const vtxo of vtxos) {
+            if (!isVtxoForScript(vtxo, key.script)) {
+                throw new Error(`VTXO ${vtxo.txid}:${vtxo.vout} script mismatch: expected ${key.script}, got ${vtxo.script}`);
+            }
+        }
+        return this.saveVtxos(key.address, vtxos);
+    }
+    async deleteVtxosForScript(script) {
+        for (const [address, bucket] of this.vtxosByAddress.entries()) {
+            const next = bucket.filter((v) => !isVtxoForScript(v, script));
+            if (next.length === 0) {
+                this.vtxosByAddress.delete(address);
+            }
+            else {
+                this.vtxosByAddress.set(address, next);
+            }
+        }
+    }
     async getUtxos(address) {
         return this.utxosByAddress.get(address) ?? [];
     }

package/dist/esm/repositories/indexedDB/walletRepository.js

@@ -3,6 +3,7 @@ import { closeDatabase, openDatabase } from './manager.js';
 import { initDatabase } from './schema.js';
 import { scriptFromArkAddress } from '../scriptFromAddress.js';
 import { DEFAULT_DB_NAME } from '../../worker/browser/utils.js';
+import { isVtxoForScript } from '../../contracts/vtxoOwnership.js';
 /**
  * IndexedDB-based implementation of WalletRepository.
  */
@@ -141,6 +142,85 @@ export class IndexedDBWalletRepository {
             throw error;
         }
     }
+    async getVtxosForScript(script) {
+        try {
+            const db = await this.getDB();
+            return new Promise((resolve, reject) => {
+                const transaction = db.transaction([STORE_VTXOS], "readonly");
+                const store = transaction.objectStore(STORE_VTXOS);
+                const index = store.index("script");
+                const request = index.getAll(script);
+                request.onerror = () => reject(request.error);
+                request.onsuccess = () => {
+                    const results = request.result || [];
+                    try {
+                        // Defensive filter: only rows whose script matches.
+                        const matching = results.filter((r) => r.script === script);
+                        // Dedup same outpoint rows across address buckets.
+                        // Work on raw rows so the address field is available
+                        // for the canonicality tiebreaker.
+                        const byOutpoint = new Map();
+                        for (const row of matching) {
+                            const outpoint = `${row.txid}:${row.vout}`;
+                            const existing = byOutpoint.get(outpoint);
+                            if (!existing) {
+                                byOutpoint.set(outpoint, row);
+                                continue;
+                            }
+                            if (shouldReplaceVtxo(existing, row)) {
+                                byOutpoint.set(outpoint, row);
+                            }
+                        }
+                        resolve(Array.from(byOutpoint.values()).map(deserializeVtxoWithBackfill));
+                    }
+                    catch (err) {
+                        reject(err);
+                    }
+                };
+            });
+        }
+        catch (error) {
+            console.error(`Failed to get VTXOs for script ${script}:`, error);
+            throw error;
+        }
+    }
+    async saveVtxosForScript(key, vtxos) {
+        if (!key.address) {
+            throw new Error("IndexedDBWalletRepository requires an address");
+        }
+        for (const vtxo of vtxos) {
+            if (!isVtxoForScript(vtxo, key.script)) {
+                throw new Error(`VTXO ${vtxo.txid}:${vtxo.vout} script mismatch: expected ${key.script}, got ${vtxo.script}`);
+            }
+        }
+        return this.saveVtxos(key.address, vtxos);
+    }
+    async deleteVtxosForScript(script) {
+        try {
+            const db = await this.getDB();
+            return new Promise((resolve, reject) => {
+                const transaction = db.transaction([STORE_VTXOS], "readwrite");
+                const store = transaction.objectStore(STORE_VTXOS);
+                const index = store.index("script");
+                const request = index.openCursor(IDBKeyRange.only(script));
+                request.onerror = () => reject(request.error);
+                request.onsuccess = () => {
+                    const cursor = request.result;
+                    if (cursor) {
+                        cursor.delete();
+                        cursor.continue();
+                    }
+                    else {
+                        resolve();
+                    }
+                };
+            });
+        }
+        catch (error) {
+            console.error(`Failed to clear VTXOs for script ${script}:`, error);
+            throw error;
+        }
+    }
     async getUtxos(address) {
         try {
             const db = await this.getDB();
@@ -351,3 +431,40 @@ function deserializeVtxoWithBackfill(o) {
     }
     return deserializeVtxo(o);
 }
+function isCanonicalRow(row) {
+    try {
+        return scriptFromArkAddress(row.address) === row.script;
+    }
+    catch {
+        return false;
+    }
+}
+function shouldReplaceVtxo(existing, incoming) {
+    const existingCanonical = isCanonicalRow(existing);
+    const incomingCanonical = isCanonicalRow(incoming);
+    if (incomingCanonical && !existingCanonical)
+        return true;
+    if (existingCanonical && !incomingCanonical)
+        return false;
+    // Tie on canonicality, check lifecycle completeness
+    const existingWeight = getLifecycleWeight(existing);
+    const incomingWeight = getLifecycleWeight(incoming);
+    if (incomingWeight > existingWeight)
+        return true;
+    if (existingWeight > incomingWeight)
+        return false;
+    // Tie on weight, stable sort by address
+    return incoming.address < existing.address;
+}
+function getLifecycleWeight(v) {
+    let weight = 0;
+    if (v.isSpent !== undefined)
+        weight += 1;
+    if (v.spentBy)
+        weight += 2;
+    if (v.settledBy)
+        weight += 2;
+    if (v.arkTxId)
+        weight += 2;
+    return weight;
+}

package/dist/esm/repositories/realm/walletRepository.js

@@ -1,5 +1,6 @@
 import { serializeVtxo, serializeUtxo, deserializeVtxo, deserializeUtxo, serializeAssets, deserializeAssets, } from '../serialization.js';
 import { scriptFromArkAddress } from '../scriptFromAddress.js';
+import { isVtxoForScript } from '../../contracts/vtxoOwnership.js';
 /**
  * Realm-based implementation of WalletRepository.
  *
@@ -85,6 +86,33 @@ export class RealmWalletRepository {
             this.realm.delete(toDelete);
         });
     }
+    async getVtxosForScript(script) {
+        await this.ensureInit();
+        const results = this.realm
+            .objects("ArkVtxo")
+            .filtered("script == $0", script);
+        return [...results].map(vtxoObjectToDomain);
+    }
+    async saveVtxosForScript(key, vtxos) {
+        if (!key.address) {
+            throw new Error("RealmWalletRepository requires an address");
+        }
+        for (const vtxo of vtxos) {
+            if (!isVtxoForScript(vtxo, key.script)) {
+                throw new Error(`VTXO ${vtxo.txid}:${vtxo.vout} script mismatch: expected ${key.script}, got ${vtxo.script}`);
+            }
+        }
+        return this.saveVtxos(key.address, vtxos);
+    }
+    async deleteVtxosForScript(script) {
+        await this.ensureInit();
+        this.realm.write(() => {
+            const toDelete = this.realm
+                .objects("ArkVtxo")
+                .filtered("script == $0", script);
+            this.realm.delete(toDelete);
+        });
+    }
     // ── UTXO management ────────────────────────────────────────────────
     async getUtxos(address) {
         await this.ensureInit();

package/dist/esm/repositories/sqlite/walletRepository.js

@@ -1,5 +1,6 @@
 import { serializeVtxo, serializeUtxo, deserializeVtxo, deserializeUtxo, serializeAssets, deserializeAssets, } from '../serialization.js';
 import { scriptFromArkAddress } from '../scriptFromAddress.js';
+import { isVtxoForScript } from '../../contracts/vtxoOwnership.js';
 /**
  * SQLite-based implementation of WalletRepository.
  *
@@ -242,6 +243,28 @@ export class SQLiteWalletRepository {
         await this.ensureInit();
         await this.db.run(`DELETE FROM ${this.tables.vtxos} WHERE address = ?`, [address]);
     }
+    async getVtxosForScript(script) {
+        await this.ensureInit();
+        const rows = await this.db.all(`SELECT * FROM ${this.tables.vtxos} WHERE script = ?`, [script]);
+        return rows.map(vtxoRowToDomain);
+    }
+    async saveVtxosForScript(key, vtxos) {
+        if (!key.address) {
+            throw new Error("SQLiteWalletRepository requires an address");
+        }
+        for (const vtxo of vtxos) {
+            if (!isVtxoForScript(vtxo, key.script)) {
+                throw new Error(`VTXO ${vtxo.txid}:${vtxo.vout} script mismatch: expected ${key.script}, got ${vtxo.script}`);
+            }
+        }
+        return this.saveVtxos(key.address, vtxos);
+    }
+    async deleteVtxosForScript(script) {
+        await this.ensureInit();
+        await this.db.run(`DELETE FROM ${this.tables.vtxos} WHERE script = ?`, [
+            script,
+        ]);
+    }
     // ── UTXO management ────────────────────────────────────────────────
     async getUtxos(address) {
         await this.ensureInit();

package/dist/esm/script/base.js

@@ -1,9 +1,9 @@
 import { Script, Address, p2tr, taprootListToTree, TAPROOT_UNSPENDABLE_KEY, } from "@scure/btc-signer";
-import * as bip68 from "bip68";
 import { TAP_LEAF_VERSION } from "@scure/btc-signer/payment.js";
 import { PSBTOutput } from "@scure/btc-signer/psbt.js";
 import { hex } from "@scure/base";
 import { ArkAddress } from './address.js';
+import { timelockToSequence } from '../utils/timelock.js';
 import { CLTVMultisigTapscript, ConditionCSVMultisigTapscript, CSVMultisigTapscript, } from './tapscript.js';
 export const TapTreeCoder = PSBTOutput.tapTree[2];
 export function scriptFromTapLeafScript(leaf) {
@@ -125,19 +125,19 @@ export class VtxoScript {
         const paths = [];
         for (const leaf of this.leaves) {
             try {
-                const tapscript = CSVMultisigTapscript.decode(scriptFromTapLeafScript(leaf));
-                paths.push(tapscript);
-                continue;
-            }
-            catch (e) {
-                try {
-                    const tapscript = ConditionCSVMultisigTapscript.decode(scriptFromTapLeafScript(leaf));
-                    paths.push(tapscript);
+                const script = scriptFromTapLeafScript(leaf);
+                if (CSVMultisigTapscript.isScriptValid(script) === true) {
+                    const tapScript = CSVMultisigTapscript.decode(script);
+                    paths.push(tapScript);
                 }
-                catch (e) {
-                    continue;
+                else if (ConditionCSVMultisigTapscript.isScriptValid(script) === true) {
+                    const tapScript = ConditionCSVMultisigTapscript.decode(script);
+                    paths.push(tapScript);
                 }
             }
+            catch (e) {
+                console.debug("Failed to decode script", e);
+            }
         }
         return paths;
     }
@@ -167,9 +167,7 @@ export function getSequence(tapLeafScript) {
         const script = scriptWithLeafVersion.subarray(0, scriptWithLeafVersion.length - 1);
         try {
             const params = CSVMultisigTapscript.decode(script).params;
-            sequence = bip68.encode(params.timelock.type === "blocks"
-                ? { blocks: Number(params.timelock.value) }
-                : { seconds: Number(params.timelock.value) });
+            sequence = timelockToSequence(params.timelock);
         }
         catch {
             const params = CLTVMultisigTapscript.decode(script).params;

package/dist/esm/script/tapscript.js

@@ -1,6 +1,6 @@
-import * as bip68 from "bip68";
 import { Script, ScriptNum, p2tr_ms } from "@scure/btc-signer";
 import { hex } from "@scure/base";
+import { sequenceToTimelock, timelockToSequence } from '../utils/timelock.js';
 const MinimalScriptNum = ScriptNum(undefined, true);
 export var TapscriptType;
 (function (TapscriptType) {
@@ -234,9 +234,7 @@ export var CSVMultisigTapscript;
                 throw new Error(`Invalid pubkey length: expected 32, got ${pubkey.length}`);
             }
         }
-        const sequence = MinimalScriptNum.encode(BigInt(bip68.encode(params.timelock.type === "blocks"
-            ? { blocks: Number(params.timelock.value) }
-            : { seconds: Number(params.timelock.value) })));
+        const sequence = MinimalScriptNum.encode(BigInt(timelockToSequence(params.timelock)));
         const asm = [
             sequence.length === 1 ? sequence[0] : sequence,
             "CHECKSEQUENCEVERIFY",
@@ -259,17 +257,12 @@ export var CSVMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 3) {
-            throw new Error(`Invalid script: too short (expected at least 3)`);
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
         const sequence = asm[0];
-        if (typeof sequence === "string") {
-            throw new Error("Invalid script: expected sequence number");
-        }
-        if (asm[1] !== "CHECKSEQUENCEVERIFY" || asm[2] !== "DROP") {
-            throw new Error("Invalid script: expected CHECKSEQUENCEVERIFY DROP");
-        }
         const multisigScript = new Uint8Array(Script.encode(asm.slice(3)));
         let multisig;
         try {
@@ -285,10 +278,7 @@ export var CSVMultisigTapscript;
         else {
             sequenceNum = Number(MinimalScriptNum.decode(sequence));
         }
-        const decodedTimelock = bip68.decode(sequenceNum);
-        const timelock = decodedTimelock.blocks !== undefined
-            ? { type: "blocks", value: BigInt(decodedTimelock.blocks) }
-            : { type: "seconds", value: BigInt(decodedTimelock.seconds) };
+        const timelock = sequenceToTimelock(sequenceNum);
         const reconstructed = encode({
             timelock,
             ...multisig.params,
@@ -311,6 +301,21 @@ export var CSVMultisigTapscript;
         return tapscript.type === TapscriptType.CSVMultisig;
     }
     CSVMultisigTapscript.is = is;
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 3) {
+            return new Error(`Invalid script: too short (expected at least 3)`);
+        }
+        const sequence = asm[0];
+        if (typeof sequence === "string") {
+            return new Error("Invalid script: expected sequence number");
+        }
+        if (asm[1] !== "CHECKSEQUENCEVERIFY" || asm[2] !== "DROP") {
+            return new Error("Invalid script: expected CHECKSEQUENCEVERIFY DROP");
+        }
+        return true;
+    }
+    CSVMultisigTapscript.isScriptValid = isScriptValid;
 })(CSVMultisigTapscript || (CSVMultisigTapscript = {}));
 /**
  * Combines a condition script with an exit closure. The resulting script requires
@@ -345,18 +350,14 @@ export var ConditionCSVMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 1) {
-            throw new Error(`Invalid script: too short (expected at least 1)`);
-        }
-        let verifyIndex = -1;
-        for (let i = asm.length - 1; i >= 0; i--) {
-            if (asm[i] === "VERIFY") {
-                verifyIndex = i;
-            }
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
+        let verifyIndex = getVerifyIndex(asm);
         if (verifyIndex === -1) {
-            throw new Error("Invalid script: missing VERIFY operation");
+            throw Error("Invalid script: missing VERIFY operation");
         }
         const conditionScript = new Uint8Array(Script.encode(asm.slice(0, verifyIndex)));
         const csvMultisigScript = new Uint8Array(Script.encode(asm.slice(verifyIndex + 1)));
@@ -389,6 +390,28 @@ export var ConditionCSVMultisigTapscript;
         return tapscript.type === TapscriptType.ConditionCSVMultisig;
     }
     ConditionCSVMultisigTapscript.is = is;
+    function getVerifyIndex(asm) {
+        let verifyIndex = -1;
+        for (let i = asm.length - 1; i >= 0; i--) {
+            if (asm[i] === "VERIFY") {
+                verifyIndex = i;
+                return verifyIndex;
+            }
+        }
+        return verifyIndex;
+    }
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 1) {
+            return new Error(`Invalid script: too short (expected at least 1)`);
+        }
+        let verifyIndex = getVerifyIndex(asm);
+        if (verifyIndex === -1) {
+            return new Error("Invalid script: missing VERIFY operation");
+        }
+        return true;
+    }
+    ConditionCSVMultisigTapscript.isScriptValid = isScriptValid;
 })(ConditionCSVMultisigTapscript || (ConditionCSVMultisigTapscript = {}));
 /**
  * Combines a condition script with a forfeit closure. The resulting script requires
@@ -423,18 +446,14 @@ export var ConditionMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 1) {
-            throw new Error(`Invalid script: too short (expected at least 1)`);
-        }
-        let verifyIndex = -1;
-        for (let i = asm.length - 1; i >= 0; i--) {
-            if (asm[i] === "VERIFY") {
-                verifyIndex = i;
-            }
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
+        let verifyIndex = getVerifyIndex(asm);
         if (verifyIndex === -1) {
-            throw new Error("Invalid script: missing VERIFY operation");
+            throw Error("Invalid script: missing VERIFY operation");
         }
         const conditionScript = new Uint8Array(Script.encode(asm.slice(0, verifyIndex)));
         const multisigScript = new Uint8Array(Script.encode(asm.slice(verifyIndex + 1)));
@@ -467,6 +486,28 @@ export var ConditionMultisigTapscript;
         return tapscript.type === TapscriptType.ConditionMultisig;
     }
     ConditionMultisigTapscript.is = is;
+    function getVerifyIndex(asm) {
+        let verifyIndex = -1;
+        for (let i = asm.length - 1; i >= 0; i--) {
+            if (asm[i] === "VERIFY") {
+                verifyIndex = i;
+                return verifyIndex;
+            }
+        }
+        return verifyIndex;
+    }
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 1) {
+            return new Error(`Invalid script: too short (expected at least 1)`);
+        }
+        let verifyIndex = getVerifyIndex(asm);
+        if (verifyIndex === -1) {
+            return new Error("Invalid script: missing VERIFY operation");
+        }
+        return true;
+    }
+    ConditionMultisigTapscript.isScriptValid = isScriptValid;
 })(ConditionMultisigTapscript || (ConditionMultisigTapscript = {}));
 /**
  * Implements an absolute timelock (CLTV) script combined with a forfeit closure.
@@ -507,10 +548,11 @@ export var CLTVMultisigTapscript;
         if (script.length === 0) {
             throw new Error("Failed to decode: script is empty");
         }
-        const asm = Script.decode(script);
-        if (asm.length < 3) {
-            throw new Error(`Invalid script: too short (expected at least 3)`);
+        const isValid = isScriptValid(script);
+        if (isValid instanceof Error) {
+            throw isValid;
         }
+        const asm = Script.decode(script);
         const locktime = asm[0];
         if (typeof locktime === "string") {
             throw new Error("Invalid script: expected locktime number");
@@ -555,4 +597,19 @@ export var CLTVMultisigTapscript;
         return tapscript.type === TapscriptType.CLTVMultisig;
     }
     CLTVMultisigTapscript.is = is;
+    function isScriptValid(script) {
+        const asm = Script.decode(script);
+        if (asm.length < 3) {
+            return new Error(`Invalid script: too short (expected at least 3)`);
+        }
+        const locktime = asm[0];
+        if (typeof locktime === "string") {
+            return new Error("Invalid script: expected locktime as number or bytes");
+        }
+        if (asm[1] !== "CHECKLOCKTIMEVERIFY" || asm[2] !== "DROP") {
+            return new Error("Invalid script: expected CHECKLOCKTIMEVERIFY DROP");
+        }
+        return true;
+    }
+    CLTVMultisigTapscript.isScriptValid = isScriptValid;
 })(CLTVMultisigTapscript || (CLTVMultisigTapscript = {}));