@aspect-wallet/sdk 0.1.0

package/dist/recovery/rotation.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Two-step key rotation.
+ * Corresponds to SPEC-013 Section 10.1.
+ *
+ * Step 1: Current owner calls transferOwnership(newOwner) -> sets pendingOwner
+ * Step 2: New owner calls acceptOwnership() -> owner = newOwner
+ */
+import type { Address } from '../types.js';
+import { ApiClient } from '../transport/api.js';
+/**
+ * Key rotation module.
+ * Implements the two-step ownership transfer pattern for security.
+ */
+export declare class KeyRotation {
+    private readonly api;
+    constructor(api: ApiClient);
+    /** Step 1: Current owner initiates transfer to new key */
+    initiateKeyRotation(params: {
+        newOwner: Address;
+    }): Promise<void>;
+    /** Step 2: New owner accepts ownership (must sign from new key) */
+    acceptKeyRotation(): Promise<void>;
+    /** Check if there's a pending ownership transfer */
+    getPendingOwner(walletAddress: Address): Promise<Address | null>;
+}
+//# sourceMappingURL=rotation.d.ts.map

package/dist/recovery/rotation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotation.d.ts","sourceRoot":"","sources":["../../src/recovery/rotation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEhD;;;GAGG;AACH,qBAAa,WAAW;IACV,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,SAAS;IAE3C,0DAA0D;IACpD,mBAAmB,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvE,mEAAmE;IAC7D,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;IAIxC,oDAAoD;IAC9C,eAAe,CAAC,aAAa,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;CAOvE"}

package/dist/recovery/rotation.js

@@ -0,0 +1,31 @@
+/**
+ * Two-step key rotation.
+ * Corresponds to SPEC-013 Section 10.1.
+ *
+ * Step 1: Current owner calls transferOwnership(newOwner) -> sets pendingOwner
+ * Step 2: New owner calls acceptOwnership() -> owner = newOwner
+ */
+/**
+ * Key rotation module.
+ * Implements the two-step ownership transfer pattern for security.
+ */
+export class KeyRotation {
+    api;
+    constructor(api) {
+        this.api = api;
+    }
+    /** Step 1: Current owner initiates transfer to new key */
+    async initiateKeyRotation(params) {
+        await this.api.post('/recovery/rotate/initiate', params);
+    }
+    /** Step 2: New owner accepts ownership (must sign from new key) */
+    async acceptKeyRotation() {
+        await this.api.post('/recovery/rotate/accept', {});
+    }
+    /** Check if there's a pending ownership transfer */
+    async getPendingOwner(walletAddress) {
+        const result = await this.api.get('/recovery/rotate/pending', { wallet: walletAddress });
+        return result.pendingOwner;
+    }
+}
+//# sourceMappingURL=rotation.js.map

package/dist/recovery/rotation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotation.js","sourceRoot":"","sources":["../../src/recovery/rotation.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH;;;GAGG;AACH,MAAM,OAAO,WAAW;IACO;IAA7B,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;IAAG,CAAC;IAE/C,0DAA0D;IAC1D,KAAK,CAAC,mBAAmB,CAAC,MAA6B;QACrD,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,2BAA2B,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,iBAAiB;QACrB,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,oDAAoD;IACpD,KAAK,CAAC,eAAe,CAAC,aAAsB;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAC/B,0BAA0B,EAC1B,EAAE,MAAM,EAAE,aAAa,EAAE,CAC1B,CAAC;QACF,OAAO,MAAM,CAAC,YAAY,CAAC;IAC7B,CAAC;CACF"}

package/dist/recovery/social.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Social recovery via guardians.
+ * Corresponds to SPEC-013 Section 10.2.
+ */
+import type { Address, RecoveryStatus } from '../types.js';
+import { ApiClient } from '../transport/api.js';
+/**
+ * Social recovery module.
+ * Guardians can initiate recovery with timelock protection.
+ * Owner can cancel during timelock period.
+ */
+export declare class SocialRecovery {
+    private readonly api;
+    constructor(api: ApiClient);
+    /** Guardian initiates recovery for a compromised account */
+    initiateRecovery(params: {
+        account: Address;
+        newOwner: Address;
+    }): Promise<void>;
+    /** Guardian approves an ongoing recovery */
+    approveRecovery(params: {
+        account: Address;
+    }): Promise<void>;
+    /** Execute recovery after timelock expires (anyone can call) */
+    executeRecovery(params: {
+        account: Address;
+    }): Promise<void>;
+    /** Owner cancels a malicious recovery during timelock */
+    cancelRecovery(): Promise<void>;
+    /** Get the status of any pending recovery */
+    getStatus(walletAddress: Address): Promise<RecoveryStatus>;
+}
+//# sourceMappingURL=social.d.ts.map

package/dist/recovery/social.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"social.d.ts","sourceRoot":"","sources":["../../src/recovery/social.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEhD;;;;GAIG;AACH,qBAAa,cAAc;IACb,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,SAAS;IAE3C,4DAA4D;IACtD,gBAAgB,CAAC,MAAM,EAAE;QAC7B,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,EAAE,OAAO,CAAC;KACnB,GAAG,OAAO,CAAC,IAAI,CAAC;IAIjB,4CAA4C;IACtC,eAAe,CAAC,MAAM,EAAE;QAAE,OAAO,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlE,gEAAgE;IAC1D,eAAe,CAAC,MAAM,EAAE;QAAE,OAAO,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlE,yDAAyD;IACnD,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAIrC,6CAA6C;IACvC,SAAS,CAAC,aAAa,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,CAAC;CAGjE"}

package/dist/recovery/social.js

@@ -0,0 +1,36 @@
+/**
+ * Social recovery via guardians.
+ * Corresponds to SPEC-013 Section 10.2.
+ */
+/**
+ * Social recovery module.
+ * Guardians can initiate recovery with timelock protection.
+ * Owner can cancel during timelock period.
+ */
+export class SocialRecovery {
+    api;
+    constructor(api) {
+        this.api = api;
+    }
+    /** Guardian initiates recovery for a compromised account */
+    async initiateRecovery(params) {
+        await this.api.post('/recovery/initiate', params);
+    }
+    /** Guardian approves an ongoing recovery */
+    async approveRecovery(params) {
+        await this.api.post('/recovery/approve', params);
+    }
+    /** Execute recovery after timelock expires (anyone can call) */
+    async executeRecovery(params) {
+        await this.api.post('/recovery/execute', params);
+    }
+    /** Owner cancels a malicious recovery during timelock */
+    async cancelRecovery() {
+        await this.api.post('/recovery/cancel', {});
+    }
+    /** Get the status of any pending recovery */
+    async getStatus(walletAddress) {
+        return this.api.get('/recovery/status', { wallet: walletAddress });
+    }
+}
+//# sourceMappingURL=social.js.map

package/dist/recovery/social.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"social.js","sourceRoot":"","sources":["../../src/recovery/social.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH;;;;GAIG;AACH,MAAM,OAAO,cAAc;IACI;IAA7B,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;IAAG,CAAC;IAE/C,4DAA4D;IAC5D,KAAK,CAAC,gBAAgB,CAAC,MAGtB;QACC,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IACpD,CAAC;IAED,4CAA4C;IAC5C,KAAK,CAAC,eAAe,CAAC,MAA4B;QAChD,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,gEAAgE;IAChE,KAAK,CAAC,eAAe,CAAC,MAA4B;QAChD,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,cAAc;QAClB,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,SAAS,CAAC,aAAsB;QACpC,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAiB,kBAAkB,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;IACrF,CAAC;CACF"}

package/dist/security/freeze.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Emergency account freeze.
+ * Corresponds to SPEC-013 Section 11.1.
+ *
+ * On freeze:
+ * - Revokes ALL session keys
+ * - Sets account to frozen state on-chain
+ * - Suspends all pending paymaster approvals
+ * - Alerts all guardians via watchtower
+ *
+ * Unfreeze requires MFA (Tier 3 or Tier 4).
+ */
+import { ApiClient } from '../transport/api.js';
+/**
+ * Emergency freeze/unfreeze for compromised accounts.
+ */
+export declare class FreezeManager {
+    private readonly api;
+    constructor(api: ApiClient);
+    /**
+     * Freeze the account from any device with owner access.
+     * Immediately revokes all session keys and blocks operations.
+     */
+    freeze(params: {
+        reason: string;
+    }): Promise<void>;
+    /**
+     * Unfreeze the account (requires MFA -- Tier 3 or Tier 4).
+     */
+    unfreeze(): Promise<void>;
+    /** Check if the account is currently frozen */
+    isFrozen(walletAddress: string): Promise<boolean>;
+}
+//# sourceMappingURL=freeze.d.ts.map

package/dist/security/freeze.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"freeze.d.ts","sourceRoot":"","sources":["../../src/security/freeze.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEhD;;GAEG;AACH,qBAAa,aAAa;IACZ,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,SAAS;IAE3C;;;OAGG;IACG,MAAM,CAAC,MAAM,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvD;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAI/B,+CAA+C;IACzC,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAMxD"}

package/dist/security/freeze.js

@@ -0,0 +1,42 @@
+/**
+ * Emergency account freeze.
+ * Corresponds to SPEC-013 Section 11.1.
+ *
+ * On freeze:
+ * - Revokes ALL session keys
+ * - Sets account to frozen state on-chain
+ * - Suspends all pending paymaster approvals
+ * - Alerts all guardians via watchtower
+ *
+ * Unfreeze requires MFA (Tier 3 or Tier 4).
+ */
+/**
+ * Emergency freeze/unfreeze for compromised accounts.
+ */
+export class FreezeManager {
+    api;
+    constructor(api) {
+        this.api = api;
+    }
+    /**
+     * Freeze the account from any device with owner access.
+     * Immediately revokes all session keys and blocks operations.
+     */
+    async freeze(params) {
+        await this.api.post('/security/freeze', params);
+    }
+    /**
+     * Unfreeze the account (requires MFA -- Tier 3 or Tier 4).
+     */
+    async unfreeze() {
+        await this.api.post('/security/unfreeze', {});
+    }
+    /** Check if the account is currently frozen */
+    async isFrozen(walletAddress) {
+        const result = await this.api.get(`/security/freeze/status`, {
+            wallet: walletAddress,
+        });
+        return result.frozen;
+    }
+}
+//# sourceMappingURL=freeze.js.map

package/dist/security/freeze.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"freeze.js","sourceRoot":"","sources":["../../src/security/freeze.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH;;GAEG;AACH,MAAM,OAAO,aAAa;IACK;IAA7B,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;IAAG,CAAC;IAE/C;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,MAA0B;QACrC,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACZ,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,QAAQ,CAAC,aAAqB;QAClC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAsB,yBAAyB,EAAE;YAChF,MAAM,EAAE,aAAa;SACtB,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;CACF"}

package/dist/security/revoke.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Bulk session key revocation.
+ * Corresponds to SPEC-013 Section 11.2.
+ */
+import { ApiClient } from '../transport/api.js';
+/**
+ * Bulk session key revocation for emergency response.
+ */
+export declare class RevokeManager {
+    private readonly api;
+    constructor(api: ApiClient);
+    /**
+     * Revoke ALL session keys at once.
+     * Sends batch UserOp: uninstallValidation for all session moduleIds.
+     */
+    revokeAllSessionKeys(): Promise<void>;
+    /**
+     * Revoke session keys matching specific criteria.
+     */
+    revokeSessionKeys(params: {
+        expiredOnly?: boolean;
+        olderThan?: number;
+    }): Promise<{
+        revokedCount: number;
+    }>;
+}
+//# sourceMappingURL=revoke.d.ts.map

package/dist/security/revoke.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../src/security/revoke.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEhD;;GAEG;AACH,qBAAa,aAAa;IACZ,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,SAAS;IAE3C;;;OAGG;IACG,oBAAoB,IAAI,OAAO,CAAC,IAAI,CAAC;IAI3C;;OAEG;IACG,iBAAiB,CAAC,MAAM,EAAE;QAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GAAG,OAAO,CAAC;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;CAGtC"}

package/dist/security/revoke.js

@@ -0,0 +1,27 @@
+/**
+ * Bulk session key revocation.
+ * Corresponds to SPEC-013 Section 11.2.
+ */
+/**
+ * Bulk session key revocation for emergency response.
+ */
+export class RevokeManager {
+    api;
+    constructor(api) {
+        this.api = api;
+    }
+    /**
+     * Revoke ALL session keys at once.
+     * Sends batch UserOp: uninstallValidation for all session moduleIds.
+     */
+    async revokeAllSessionKeys() {
+        await this.api.post('/security/revoke/all-sessions', {});
+    }
+    /**
+     * Revoke session keys matching specific criteria.
+     */
+    async revokeSessionKeys(params) {
+        return this.api.post('/security/revoke/sessions', params);
+    }
+}
+//# sourceMappingURL=revoke.js.map

package/dist/security/revoke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/security/revoke.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;GAEG;AACH,MAAM,OAAO,aAAa;IACK;IAA7B,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;IAAG,CAAC;IAE/C;;;OAGG;IACH,KAAK,CAAC,oBAAoB;QACxB,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,+BAA+B,EAAE,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB,CAAC,MAGvB;QACC,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAA2B,2BAA2B,EAAE,MAAM,CAAC,CAAC;IACtF,CAAC;CACF"}

package/dist/security/watchtower.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Watchtower alert subscriptions.
+ * Corresponds to SPEC-013 Section 11.3.
+ */
+import type { Address, WatchtowerSubscription, WatchtowerAlertType } from '../types.js';
+import { ApiClient } from '../transport/api.js';
+interface WatchtowerAlert {
+    id: string;
+    type: WatchtowerAlertType;
+    account: Address;
+    timestamp: number;
+    details: Record<string, unknown>;
+}
+/**
+ * Watchtower service client.
+ * Subscribe to security alerts and get notifications for suspicious activity.
+ */
+export declare class WatchtowerClient {
+    private readonly api;
+    constructor(api: ApiClient);
+    /**
+     * Subscribe to security alerts for an account.
+     * Alerts are sent via email and/or webhook.
+     */
+    subscribe(subscription: WatchtowerSubscription): Promise<void>;
+    /** Unsubscribe from watchtower alerts */
+    unsubscribe(account: Address): Promise<void>;
+    /** Get recent security alerts for an account */
+    getAlerts(account: Address): Promise<WatchtowerAlert[]>;
+    /** Get the current subscription for an account */
+    getSubscription(account: Address): Promise<WatchtowerSubscription | null>;
+}
+export {};
+//# sourceMappingURL=watchtower.d.ts.map

package/dist/security/watchtower.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"watchtower.d.ts","sourceRoot":"","sources":["../../src/security/watchtower.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAEhD,UAAU,eAAe;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,mBAAmB,CAAC;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;;GAGG;AACH,qBAAa,gBAAgB;IACf,OAAO,CAAC,QAAQ,CAAC,GAAG;gBAAH,GAAG,EAAE,SAAS;IAE3C;;;OAGG;IACG,SAAS,CAAC,YAAY,EAAE,sBAAsB,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpE,yCAAyC;IACnC,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlD,gDAAgD;IAC1C,SAAS,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IAM7D,kDAAkD;IAC5C,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC;CAKhF"}

package/dist/security/watchtower.js

@@ -0,0 +1,38 @@
+/**
+ * Watchtower alert subscriptions.
+ * Corresponds to SPEC-013 Section 11.3.
+ */
+/**
+ * Watchtower service client.
+ * Subscribe to security alerts and get notifications for suspicious activity.
+ */
+export class WatchtowerClient {
+    api;
+    constructor(api) {
+        this.api = api;
+    }
+    /**
+     * Subscribe to security alerts for an account.
+     * Alerts are sent via email and/or webhook.
+     */
+    async subscribe(subscription) {
+        await this.api.post('/security/watchtower/subscribe', subscription);
+    }
+    /** Unsubscribe from watchtower alerts */
+    async unsubscribe(account) {
+        await this.api.delete(`/security/watchtower/${account}`);
+    }
+    /** Get recent security alerts for an account */
+    async getAlerts(account) {
+        return this.api.get('/security/watchtower/alerts', {
+            account,
+        });
+    }
+    /** Get the current subscription for an account */
+    async getSubscription(account) {
+        return this.api.get('/security/watchtower/subscription', {
+            account,
+        });
+    }
+}
+//# sourceMappingURL=watchtower.js.map

package/dist/security/watchtower.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"watchtower.js","sourceRoot":"","sources":["../../src/security/watchtower.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAaH;;;GAGG;AACH,MAAM,OAAO,gBAAgB;IACE;IAA7B,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;IAAG,CAAC;IAE/C;;;OAGG;IACH,KAAK,CAAC,SAAS,CAAC,YAAoC;QAClD,MAAM,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,gCAAgC,EAAE,YAAY,CAAC,CAAC;IACtE,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,WAAW,CAAC,OAAgB;QAChC,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,SAAS,CAAC,OAAgB;QAC9B,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAoB,6BAA6B,EAAE;YACpE,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,kDAAkD;IAClD,KAAK,CAAC,eAAe,CAAC,OAAgB;QACpC,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAgC,mCAAmC,EAAE;YACtF,OAAO;SACR,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/session-keys/manager.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Session key lifecycle management.
+ * Corresponds to SPEC-013 Section 9.
+ */
+import type { Address, SessionKeyInfo, SessionKeyPermissions, SessionKeyStatus, ExecutionResult, CallRequest } from '../types.js';
+import { ApiClient } from '../transport/api.js';
+import { SessionKeyTemplates } from './templates.js';
+/**
+ * Manages session key creation, installation, execution, and revocation.
+ * Session keys are ephemeral keys with scoped permissions enforced on-chain.
+ */
+export declare class SessionKeyManager {
+    private readonly api;
+    /** Pre-built permission templates */
+    readonly templates: typeof SessionKeyTemplates;
+    constructor(api: ApiClient);
+    /**
+     * Create and install a new session key with specified permissions.
+     * Generates an ephemeral keypair, installs validation module on-chain.
+     */
+    create(params: {
+        permissions: SessionKeyPermissions;
+    }): Promise<SessionKeyInfo>;
+    /**
+     * Execute a call using an active session key.
+     * The session key signs automatically -- no user interaction needed.
+     * All permission hooks are checked on-chain.
+     */
+    execute(moduleId: number, call: CallRequest): Promise<ExecutionResult>;
+    /** List all active session keys for a wallet */
+    list(walletAddress: Address): Promise<SessionKeyInfo[]>;
+    /** Get the status of a specific session key */
+    getStatus(moduleId: number): Promise<SessionKeyStatus>;
+    /**
+     * Revoke a session key (owner signs uninstall UserOp).
+     * The session key is immediately invalidated on-chain.
+     */
+    revoke(moduleId: number): Promise<void>;
+}
+//# sourceMappingURL=manager.d.ts.map

package/dist/session-keys/manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/session-keys/manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,OAAO,EAEP,cAAc,EACd,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,WAAW,EACZ,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD;;;GAGG;AACH,qBAAa,iBAAiB;IAIhB,OAAO,CAAC,QAAQ,CAAC,GAAG;IAHhC,qCAAqC;IACrC,QAAQ,CAAC,SAAS,6BAAuB;gBAEZ,GAAG,EAAE,SAAS;IAE3C;;;OAGG;IACG,MAAM,CAAC,MAAM,EAAE;QAAE,WAAW,EAAE,qBAAqB,CAAA;KAAE,GAAG,OAAO,CAAC,cAAc,CAAC;IAMrF;;;;OAIG;IACG,OAAO,CACX,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,GAChB,OAAO,CAAC,eAAe,CAAC;IAQ3B,gDAAgD;IAC1C,IAAI,CAAC,aAAa,EAAE,OAAO,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAI7D,+CAA+C;IACzC,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAI5D;;;OAGG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG9C"}

package/dist/session-keys/manager.js

@@ -0,0 +1,65 @@
+/**
+ * Session key lifecycle management.
+ * Corresponds to SPEC-013 Section 9.
+ */
+import { SessionKeyTemplates } from './templates.js';
+/**
+ * Manages session key creation, installation, execution, and revocation.
+ * Session keys are ephemeral keys with scoped permissions enforced on-chain.
+ */
+export class SessionKeyManager {
+    api;
+    /** Pre-built permission templates */
+    templates = SessionKeyTemplates;
+    constructor(api) {
+        this.api = api;
+    }
+    /**
+     * Create and install a new session key with specified permissions.
+     * Generates an ephemeral keypair, installs validation module on-chain.
+     */
+    async create(params) {
+        return this.api.post('/session-keys', {
+            permissions: serialisePermissions(params.permissions),
+        });
+    }
+    /**
+     * Execute a call using an active session key.
+     * The session key signs automatically -- no user interaction needed.
+     * All permission hooks are checked on-chain.
+     */
+    async execute(moduleId, call) {
+        return this.api.post(`/session-keys/${moduleId}/execute`, {
+            target: call.target,
+            value: call.value.toString(),
+            data: call.data,
+        });
+    }
+    /** List all active session keys for a wallet */
+    async list(walletAddress) {
+        return this.api.get('/session-keys', { wallet: walletAddress });
+    }
+    /** Get the status of a specific session key */
+    async getStatus(moduleId) {
+        return this.api.get(`/session-keys/${moduleId}`);
+    }
+    /**
+     * Revoke a session key (owner signs uninstall UserOp).
+     * The session key is immediately invalidated on-chain.
+     */
+    async revoke(moduleId) {
+        await this.api.delete(`/session-keys/${moduleId}`);
+    }
+}
+function serialisePermissions(perms) {
+    return {
+        allowlist: perms.allowlist,
+        spendLimit: {
+            perTx: perms.spendLimit.perTx.toString(),
+            cumulative: perms.spendLimit.cumulative.toString(),
+        },
+        timeRange: perms.timeRange,
+        requiredPaymaster: perms.requiredPaymaster,
+    };
+}
+//# sourceMappingURL=manager.js.map

package/dist/session-keys/manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/session-keys/manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAYH,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD;;;GAGG;AACH,MAAM,OAAO,iBAAiB;IAIC;IAH7B,qCAAqC;IAC5B,SAAS,GAAG,mBAAmB,CAAC;IAEzC,YAA6B,GAAc;QAAd,QAAG,GAAH,GAAG,CAAW;IAAG,CAAC;IAE/C;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,MAA8C;QACzD,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAiB,eAAe,EAAE;YACpD,WAAW,EAAE,oBAAoB,CAAC,MAAM,CAAC,WAAW,CAAC;SACtD,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CACX,QAAgB,EAChB,IAAiB;QAEjB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAkB,iBAAiB,QAAQ,UAAU,EAAE;YACzE,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC,CAAC;IACL,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,IAAI,CAAC,aAAsB;QAC/B,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAmB,eAAe,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAmB,iBAAiB,QAAQ,EAAE,CAAC,CAAC;IACrE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,MAAM,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,QAAQ,EAAE,CAAC,CAAC;IACrD,CAAC;CACF;AAED,SAAS,oBAAoB,CAAC,KAA4B;IACxD,OAAO;QACL,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,UAAU,EAAE;YACV,KAAK,EAAE,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,EAAE;YACxC,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,QAAQ,EAAE;SACnD;QACD,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;KAC3C,CAAC;AACJ,CAAC"}

package/dist/session-keys/permissions.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Permission template builder for session keys.
+ * Corresponds to SPEC-013 Section 9.1-9.2.
+ */
+import type { Address, Hex, SessionKeyPermissions } from '../types.js';
+/**
+ * Fluent builder for constructing session key permission sets.
+ *
+ * @example
+ * ```ts
+ * const perms = new PermissionBuilder()
+ *   .allowContract(gameContract, ['0x12345678', '0xabcdef01'])
+ *   .setSpendLimit({ perTx: 0n, cumulative: 0n })
+ *   .setTimeRange({ duration: 4 * 3600 })
+ *   .requirePaymaster(paymasterAddress)
+ *   .build();
+ * ```
+ */
+export declare class PermissionBuilder {
+    private allowlist;
+    private spendLimit;
+    private timeRange;
+    private paymaster?;
+    /** Allow specific function selectors on a target contract */
+    allowContract(target: Address, selectors: Hex[]): this;
+    /** Allow all functions on a target contract (wildcard selector) */
+    allowContractWildcard(target: Address): this;
+    /** Set native token (ETH) spend limits */
+    setSpendLimit(limits: {
+        perTx: bigint;
+        cumulative: bigint;
+    }): this;
+    /** Set the valid time range by start and end timestamps */
+    setTimeRange(params: {
+        validAfter?: number;
+        validUntil?: number;
+        duration?: number;
+    }): this;
+    /** Require a specific paymaster for all operations */
+    requirePaymaster(paymaster: Address): this;
+    /** Build the permission set */
+    build(): SessionKeyPermissions;
+}
+//# sourceMappingURL=permissions.d.ts.map

package/dist/session-keys/permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.d.ts","sourceRoot":"","sources":["../../src/session-keys/permissions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEvE;;;;;;;;;;;;GAYG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,SAAS,CAAiD;IAClE,OAAO,CAAC,UAAU,CAAiC;IACnD,OAAO,CAAC,SAAS,CAAoC;IACrD,OAAO,CAAC,SAAS,CAAC,CAAU;IAE5B,6DAA6D;IAC7D,aAAa,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,IAAI;IAOtD,mEAAmE;IACnE,qBAAqB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI;IAK5C,0CAA0C;IAC1C,aAAa,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAKlE,2DAA2D;IAC3D,YAAY,CAAC,MAAM,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAQ3F,sDAAsD;IACtD,gBAAgB,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI;IAK1C,+BAA+B;IAC/B,KAAK,IAAI,qBAAqB;CAQ/B"}

package/dist/session-keys/permissions.js

@@ -0,0 +1,63 @@
+/**
+ * Permission template builder for session keys.
+ * Corresponds to SPEC-013 Section 9.1-9.2.
+ */
+/**
+ * Fluent builder for constructing session key permission sets.
+ *
+ * @example
+ * ```ts
+ * const perms = new PermissionBuilder()
+ *   .allowContract(gameContract, ['0x12345678', '0xabcdef01'])
+ *   .setSpendLimit({ perTx: 0n, cumulative: 0n })
+ *   .setTimeRange({ duration: 4 * 3600 })
+ *   .requirePaymaster(paymasterAddress)
+ *   .build();
+ * ```
+ */
+export class PermissionBuilder {
+    allowlist = [];
+    spendLimit = { perTx: 0n, cumulative: 0n };
+    timeRange = { validAfter: 0, validUntil: 0 };
+    paymaster;
+    /** Allow specific function selectors on a target contract */
+    allowContract(target, selectors) {
+        for (const selector of selectors) {
+            this.allowlist.push({ target, selector });
+        }
+        return this;
+    }
+    /** Allow all functions on a target contract (wildcard selector) */
+    allowContractWildcard(target) {
+        this.allowlist.push({ target, selector: '0xffffffff' });
+        return this;
+    }
+    /** Set native token (ETH) spend limits */
+    setSpendLimit(limits) {
+        this.spendLimit = limits;
+        return this;
+    }
+    /** Set the valid time range by start and end timestamps */
+    setTimeRange(params) {
+        const now = Math.floor(Date.now() / 1000);
+        this.timeRange.validAfter = params.validAfter ?? now;
+        this.timeRange.validUntil =
+            params.validUntil ?? (params.duration ? now + params.duration : 0);
+        return this;
+    }
+    /** Require a specific paymaster for all operations */
+    requirePaymaster(paymaster) {
+        this.paymaster = paymaster;
+        return this;
+    }
+    /** Build the permission set */
+    build() {
+        return {
+            allowlist: this.allowlist,
+            spendLimit: this.spendLimit,
+            timeRange: this.timeRange,
+            requiredPaymaster: this.paymaster,
+        };
+    }
+}
+//# sourceMappingURL=permissions.js.map

package/dist/session-keys/permissions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissions.js","sourceRoot":"","sources":["../../src/session-keys/permissions.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,iBAAiB;IACpB,SAAS,GAA8C,EAAE,CAAC;IAC1D,UAAU,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3C,SAAS,GAAG,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IAC7C,SAAS,CAAW;IAE5B,6DAA6D;IAC7D,aAAa,CAAC,MAAe,EAAE,SAAgB;QAC7C,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mEAAmE;IACnE,qBAAqB,CAAC,MAAe;QACnC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0CAA0C;IAC1C,aAAa,CAAC,MAA6C;QACzD,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2DAA2D;IAC3D,YAAY,CAAC,MAAuE;QAClF,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,SAAS,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;QACrD,IAAI,CAAC,SAAS,CAAC,UAAU;YACvB,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACrE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sDAAsD;IACtD,gBAAgB,CAAC,SAAkB;QACjC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+BAA+B;IAC/B,KAAK;QACH,OAAO;YACL,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,iBAAiB,EAAE,IAAI,CAAC,SAAS;SAClC,CAAC;IACJ,CAAC;CACF"}