@aztec/foundation 4.0.0-nightly.20250907 → 4.0.0-nightly.20260107

package/dest/config/network_name.d.ts

@@ -1,3 +1,3 @@
-export type NetworkNames = 'local' | 'testnet-ignition' | 'alpha-testnet' | 'testnet';
+export type NetworkNames = 'local' | 'staging-ignition' | 'staging-public' | 'testnet' | 'mainnet' | 'next-net' | 'devnet';
 export declare function getActiveNetworkName(name?: string): NetworkNames;
-//# sourceMappingURL=network_name.d.ts.map
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibmV0d29ya19uYW1lLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY29uZmlnL25ldHdvcmtfbmFtZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLE1BQU0sWUFBWSxHQUNwQixPQUFPLEdBQ1Asa0JBQWtCLEdBQ2xCLGdCQUFnQixHQUNoQixTQUFTLEdBQ1QsU0FBUyxHQUNULFVBQVUsR0FDVixRQUFRLENBQUM7QUFFYix3QkFBZ0Isb0JBQW9CLENBQUMsSUFBSSxDQUFDLEVBQUUsTUFBTSxHQUFHLFlBQVksQ0FrQmhFIn0=

package/dest/config/network_name.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"network_name.d.ts","sourceRoot":"","sources":["../../src/config/network_name.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,kBAAkB,GAAG,eAAe,GAAG,SAAS,CAAC;AAEtF,wBAAgB,oBAAoB,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,YAAY,CAUhE"}
+{"version":3,"file":"network_name.d.ts","sourceRoot":"","sources":["../../src/config/network_name.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GACpB,OAAO,GACP,kBAAkB,GAClB,gBAAgB,GAChB,SAAS,GACT,SAAS,GACT,UAAU,GACV,QAAQ,CAAC;AAEb,wBAAgB,oBAAoB,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,YAAY,CAkBhE"}

package/dest/config/network_name.js

@@ -2,10 +2,18 @@ export function getActiveNetworkName(name) {
     const network = name || process.env.NETWORK;
     if (!network || network === '' || network === 'local') {
         return 'local';
-    } else if (network === 'testnet-ignition') {
+    } else if (network === 'staging-ignition') {
         return network;
-    } else if (network === 'alpha-testnet' || network === 'testnet') {
+    } else if (network === 'staging-public') {
         return network;
+    } else if (network === 'testnet' || network === 'alpha-testnet') {
+        return 'testnet';
+    } else if (network === 'mainnet') {
+        return 'mainnet';
+    } else if (network === 'next-net') {
+        return 'next-net';
+    } else if (network === 'devnet') {
+        return 'devnet';
     }
     throw new Error(`Unknown network: ${network}`);
 }

package/dest/config/secret_value.d.ts

@@ -25,4 +25,4 @@ export declare class SecretValue<T> {
      */
     static schema<O>(valueSchema: ZodType<O, any, any>): ZodType<SecretValue<O>, any, any>;
 }
-//# sourceMappingURL=secret_value.d.ts.map
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjcmV0X3ZhbHVlLmQudHMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvY29uZmlnL3NlY3JldF92YWx1ZS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsT0FBTyxFQUFFLE1BQU0sTUFBTSxDQUFDO0FBQy9CLE9BQU8sS0FBSyxFQUFFLE9BQU8sRUFBRSxNQUFNLEtBQUssQ0FBQztBQUVuQzs7R0FFRztBQUNILHFCQUFhLFdBQVcsQ0FBQyxDQUFDOztJQU10QixPQUFPLENBQUMsUUFBUSxDQUFDLGFBQWE7SUFGaEMsWUFDRSxLQUFLLEVBQUUsQ0FBQyxFQUNTLGFBQWEsU0FBZSxFQUc5QztJQUVEOztPQUVHO0lBQ0ksUUFBUSxJQUFJLENBQUMsQ0FFbkI7SUFFRDs7T0FFRztJQUNJLFFBQVEsSUFBSSxNQUFNLENBRXhCO0lBRUQ7O09BRUc7SUFDSSxNQUFNLElBQUksTUFBTSxDQUV0QjtJQUVNLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxXQUV0QjtJQUVEOztPQUVHO0lBQ0gsTUFBTSxDQUFDLE1BQU0sQ0FBQyxDQUFDLEVBQUUsV0FBVyxFQUFFLE9BQU8sQ0FBQyxDQUFDLEVBQUUsR0FBRyxFQUFFLEdBQUcsQ0FBQyxHQUFHLE9BQU8sQ0FBQyxXQUFXLENBQUMsQ0FBQyxDQUFDLEVBQUUsR0FBRyxFQUFFLEdBQUcsQ0FBQyxDQUVyRjtDQUNGIn0=

package/dest/config/secret_value.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"secret_value.d.ts","sourceRoot":"","sources":["../../src/config/secret_value.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,CAAC;AAEnC;;GAEG;AACH,qBAAa,WAAW,CAAC,CAAC;;IAMtB,OAAO,CAAC,QAAQ,CAAC,aAAa;gBAD9B,KAAK,EAAE,CAAC,EACS,aAAa,SAAe;IAK/C;;OAEG;IACI,QAAQ,IAAI,CAAC;IAIpB;;OAEG;IACI,QAAQ,IAAI,MAAM;IAIzB;;OAEG;IACI,MAAM,IAAI,MAAM;IAIhB,CAAC,OAAO,CAAC,MAAM,CAAC;IAIvB;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC;CAGvF"}
+{"version":3,"file":"secret_value.d.ts","sourceRoot":"","sources":["../../src/config/secret_value.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,KAAK,CAAC;AAEnC;;GAEG;AACH,qBAAa,WAAW,CAAC,CAAC;;IAMtB,OAAO,CAAC,QAAQ,CAAC,aAAa;IAFhC,YACE,KAAK,EAAE,CAAC,EACS,aAAa,SAAe,EAG9C;IAED;;OAEG;IACI,QAAQ,IAAI,CAAC,CAEnB;IAED;;OAEG;IACI,QAAQ,IAAI,MAAM,CAExB;IAED;;OAEG;IACI,MAAM,IAAI,MAAM,CAEtB;IAEM,CAAC,OAAO,CAAC,MAAM,CAAC,WAEtB;IAED;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAErF;CACF"}

package/dest/config/secret_value.js

@@ -1,4 +1,6 @@
+var _computedKey;
 import { inspect } from 'util';
+_computedKey = inspect.custom;
 /**
  * A class wrapping a secret value to protect it from accidently being leaked in logs
  */ export class SecretValue {
@@ -23,7 +25,7 @@ import { inspect } from 'util';
    */ toJSON() {
         return this.redactedValue;
     }
-    [inspect.custom]() {
+    [_computedKey]() {
         return this.toString();
     }
     /**

package/dest/crypto/aes128/index.d.ts

@@ -29,4 +29,4 @@ export declare class Aes128 {
      */
     decryptBufferCBC(data: Uint8Array, iv: Uint8Array, key: Uint8Array): Promise<Buffer<ArrayBufferLike>>;
 }
-//# sourceMappingURL=index.d.ts.map
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jcnlwdG8vYWVzMTI4L2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUVBLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxRQUFRLENBQUM7QUFFaEM7O0dBRUc7QUFDSCxxQkFBYSxNQUFNO0lBQ2pCOzs7Ozs7T0FNRztJQUNVLGdCQUFnQixDQUFDLElBQUksRUFBRSxVQUFVLEVBQUUsRUFBRSxFQUFFLFVBQVUsRUFBRSxHQUFHLEVBQUUsVUFBVSxnQ0FrQjlFO0lBRUQ7Ozs7Ozs7T0FPRztJQUNVLDJCQUEyQixDQUFDLElBQUksRUFBRSxVQUFVLEVBQUUsRUFBRSxFQUFFLFVBQVUsRUFBRSxHQUFHLEVBQUUsVUFBVSxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUMsQ0FVM0c7SUFFRDs7Ozs7O09BTUc7SUFDVSxnQkFBZ0IsQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFLEVBQUUsRUFBRSxVQUFVLEVBQUUsR0FBRyxFQUFFLFVBQVUsb0NBSTlFO0NBQ0YifQ==

package/dest/crypto/aes128/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/crypto/aes128/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC;;GAEG;AACH,qBAAa,MAAM;IACjB;;;;;;OAMG;IACU,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU;IAe/E;;;;;;;OAOG;IACU,2BAA2B,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAQ5G;;;;;;OAMG;IACU,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU;CAKhF"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/crypto/aes128/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC;;GAEG;AACH,qBAAa,MAAM;IACjB;;;;;;OAMG;IACU,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,gCAkB9E;IAED;;;;;;;OAOG;IACU,2BAA2B,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAU3G;IAED;;;;;;OAMG;IACU,gBAAgB,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,oCAI9E;CACF"}

package/dest/crypto/aes128/index.js

@@ -1,4 +1,4 @@
-import { BarretenbergSync, RawBuffer } from '@aztec/bb.js';
+import { BarretenbergSync } from '@aztec/bb.js';
 import { Buffer } from 'buffer';
 /**
  * AES-128-CBC encryption/decryption.
@@ -20,8 +20,15 @@ import { Buffer } from 'buffer';
             data,
             paddingBuffer
         ]);
-        const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-        return Buffer.from(api.aesEncryptBufferCbc(new RawBuffer(input), new RawBuffer(iv), new RawBuffer(key), input.length));
+        await BarretenbergSync.initSingleton();
+        const api = BarretenbergSync.getSingleton();
+        const response = api.aesEncrypt({
+            plaintext: input,
+            iv,
+            key,
+            length: input.length
+        });
+        return Buffer.from(response.ciphertext);
     }
     /**
    * Decrypt a buffer using AES-128-CBC.
@@ -31,9 +38,15 @@ import { Buffer } from 'buffer';
    * @param key - Key to decrypt with.
    * @returns Decrypted data.
    */ async decryptBufferCBCKeepPadding(data, iv, key) {
-        const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-        const paddedBuffer = Buffer.from(api.aesDecryptBufferCbc(new RawBuffer(data), new RawBuffer(iv), new RawBuffer(key), data.length));
-        return paddedBuffer;
+        await BarretenbergSync.initSingleton();
+        const api = BarretenbergSync.getSingleton();
+        const response = api.aesDecrypt({
+            ciphertext: data,
+            iv,
+            key,
+            length: data.length
+        });
+        return Buffer.from(response.plaintext);
     }
     /**
    * Decrypt a buffer using AES-128-CBC.

package/dest/crypto/bls/bn254_keystore.d.ts

@@ -0,0 +1,296 @@
+import { z } from 'zod';
+/**
+ * BN254 Keystore Format
+ *
+ * Implements encryption and decryption of keystores for BN254 BLS private keys
+ * using PBKDF2 and AES-128-CTR. This format is inspired by EIP-2335 but adapted
+ * for BN254 keys rather than BLS12-381.
+ *
+ * @see https://eips.ethereum.org/EIPS/eip-2335
+ */
+/**
+ * Zod schema for validating BN254 keystore structure
+ */
+declare const bn254KeystoreSchema: z.ZodObject<{
+    crypto: z.ZodObject<{
+        kdf: z.ZodObject<{
+            function: z.ZodLiteral<"pbkdf2">;
+            params: z.ZodObject<{
+                dklen: z.ZodNumber;
+                c: z.ZodNumber;
+                prf: z.ZodString;
+                salt: z.ZodString;
+            }, "strip", z.ZodTypeAny, {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            }, {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            }>;
+            message: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            function: "pbkdf2";
+            params: {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            };
+            message: string;
+        }, {
+            function: "pbkdf2";
+            params: {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            };
+            message: string;
+        }>;
+        checksum: z.ZodObject<{
+            function: z.ZodLiteral<"sha256">;
+            params: z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>;
+            message: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            function: "sha256";
+            params: {};
+            message: string;
+        }, {
+            function: "sha256";
+            params: {};
+            message: string;
+        }>;
+        cipher: z.ZodObject<{
+            function: z.ZodLiteral<"aes-128-ctr">;
+            params: z.ZodObject<{
+                iv: z.ZodString;
+            }, "strip", z.ZodTypeAny, {
+                iv: string;
+            }, {
+                iv: string;
+            }>;
+            message: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            function: "aes-128-ctr";
+            params: {
+                iv: string;
+            };
+            message: string;
+        }, {
+            function: "aes-128-ctr";
+            params: {
+                iv: string;
+            };
+            message: string;
+        }>;
+    }, "strip", z.ZodTypeAny, {
+        kdf: {
+            function: "pbkdf2";
+            params: {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            };
+            message: string;
+        };
+        checksum: {
+            function: "sha256";
+            params: {};
+            message: string;
+        };
+        cipher: {
+            function: "aes-128-ctr";
+            params: {
+                iv: string;
+            };
+            message: string;
+        };
+    }, {
+        kdf: {
+            function: "pbkdf2";
+            params: {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            };
+            message: string;
+        };
+        checksum: {
+            function: "sha256";
+            params: {};
+            message: string;
+        };
+        cipher: {
+            function: "aes-128-ctr";
+            params: {
+                iv: string;
+            };
+            message: string;
+        };
+    }>;
+    description: z.ZodOptional<z.ZodString>;
+    pubkey: z.ZodString;
+    path: z.ZodString;
+    uuid: z.ZodString;
+    version: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    crypto: {
+        kdf: {
+            function: "pbkdf2";
+            params: {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            };
+            message: string;
+        };
+        checksum: {
+            function: "sha256";
+            params: {};
+            message: string;
+        };
+        cipher: {
+            function: "aes-128-ctr";
+            params: {
+                iv: string;
+            };
+            message: string;
+        };
+    };
+    description?: string | undefined;
+    pubkey: string;
+    path: string;
+    uuid: string;
+    version: number;
+}, {
+    crypto: {
+        kdf: {
+            function: "pbkdf2";
+            params: {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            };
+            message: string;
+        };
+        checksum: {
+            function: "sha256";
+            params: {};
+            message: string;
+        };
+        cipher: {
+            function: "aes-128-ctr";
+            params: {
+                iv: string;
+            };
+            message: string;
+        };
+    };
+    description?: string | undefined;
+    pubkey: string;
+    path: string;
+    uuid: string;
+    version: number;
+}>;
+/**
+ * Error thrown when BN254 keystore operations fail
+ */
+export declare class Bn254KeystoreError extends Error {
+    cause?: Error | undefined;
+    constructor(message: string, cause?: Error | undefined);
+}
+export type Bn254Keystore = z.infer<typeof bn254KeystoreSchema>;
+/**
+ * The JSON structure of a BN254 keystore file.
+ * @deprecated Use the inferred type from bn254KeystoreSchema instead
+ */
+export interface Bn254KeystoreInterface {
+    crypto: {
+        kdf: {
+            function: 'pbkdf2';
+            params: {
+                dklen: number;
+                c: number;
+                prf: string;
+                salt: string;
+            };
+            message: string;
+        };
+        checksum: {
+            function: 'sha256';
+            params: Record<string, never>;
+            message: string;
+        };
+        cipher: {
+            function: 'aes-128-ctr';
+            params: {
+                iv: string;
+            };
+            message: string;
+        };
+    };
+    description: string;
+    pubkey: string;
+    path: string;
+    uuid: string;
+    version: number;
+}
+/**
+ * Creates a BN254 keystore object for a BN254 BLS private key.
+ *
+ * Uses PBKDF2 with SHA-256 for key derivation and AES-128-CTR for encryption,
+ * following the EIP-2335 specification format.
+ *
+ * @param password - Password for encrypting the private key
+ * @param privateKeyHex - Private key as 0x-prefixed hex string (32 bytes)
+ * @param pubkeyHex - Public key as hex string (compressed or uncompressed)
+ * @param derivationPath - BIP-44 style derivation path (e.g., "m/12381/3600/0/0/0")
+ * @returns BN254 keystore object ready to be serialized to JSON
+ * @throws Error if private key is not 32-byte hex
+ */
+export declare function createBn254Keystore(password: string, privateKeyHex: string, pubkeyHex: string, derivationPath: string): Bn254Keystore;
+/**
+ * Loads and validates a BN254 keystore file.
+ *
+ * @param filePath - Path to the BN254 keystore JSON file
+ * @returns Validated keystore object
+ * @throws Bn254KeystoreError if file cannot be read or validated
+ */
+export declare function loadBn254Keystore(filePath: string): Bn254Keystore;
+/**
+ * Decrypts a BN254 BLS private key from a keystore file.
+ *
+ * @param filePath - Path to the BN254 keystore JSON file
+ * @param password - Password to decrypt the keystore
+ * @returns Decrypted private key as 0x-prefixed hex string (32 bytes)
+ * @throws Bn254KeystoreError if decryption fails or checksum is invalid
+ */
+export declare function decryptBn254Keystore(filePath: string, password: string): string;
+/**
+ * Decrypts a BN254 BLS private key from a keystore object.
+ *
+ * @param keystore - BN254 keystore object
+ * @param password - Password to decrypt the keystore
+ * @returns Decrypted private key as 0x-prefixed hex string (32 bytes)
+ * @throws Bn254KeystoreError if decryption fails or checksum is invalid
+ */
+export declare function decryptBn254KeystoreFromObject(keystore: Bn254Keystore, password: string): string;
+/**
+ * Validates that a decrypted private key matches the public key in the keystore.
+ *
+ * @param privateKeyHex - Decrypted private key (0x-prefixed)
+ * @param expectedPubkey - Expected public key from keystore
+ * @param computePublicKey - Function to compute public key from private key
+ * @returns true if keys match, false otherwise
+ */
+export declare function verifyBn254Keypair(privateKeyHex: string, expectedPubkey: string, computePublicKey: (privateKey: string) => string): boolean;
+export {};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYm4yNTRfa2V5c3RvcmUuZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jcnlwdG8vYmxzL2JuMjU0X2tleXN0b3JlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUlBLE9BQU8sRUFBRSxDQUFDLEVBQUUsTUFBTSxLQUFLLENBQUM7QUFFeEI7Ozs7Ozs7O0dBUUc7QUFFSDs7R0FFRztBQUNILFFBQUEsTUFBTSxtQkFBbUI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0VBOEJ2QixDQUFDO0FBRUg7O0dBRUc7QUFDSCxxQkFBYSxrQkFBbUIsU0FBUSxLQUFLO0lBR3pCLEtBQUssQ0FBQztJQUZ4QixZQUNFLE9BQU8sRUFBRSxNQUFNLEVBQ0MsS0FBSyxDQUFDLG1CQUFPLEVBSTlCO0NBQ0Y7QUFFRCxNQUFNLE1BQU0sYUFBYSxHQUFHLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxtQkFBbUIsQ0FBQyxDQUFDO0FBRWhFOzs7R0FHRztBQUNILE1BQU0sV0FBVyxzQkFBc0I7SUFDckMsTUFBTSxFQUFFO1FBQ04sR0FBRyxFQUFFO1lBQ0gsUUFBUSxFQUFFLFFBQVEsQ0FBQztZQUNuQixNQUFNLEVBQUU7Z0JBQ04sS0FBSyxFQUFFLE1BQU0sQ0FBQztnQkFDZCxDQUFDLEVBQUUsTUFBTSxDQUFDO2dCQUNWLEdBQUcsRUFBRSxNQUFNLENBQUM7Z0JBQ1osSUFBSSxFQUFFLE1BQU0sQ0FBQzthQUNkLENBQUM7WUFDRixPQUFPLEVBQUUsTUFBTSxDQUFDO1NBQ2pCLENBQUM7UUFDRixRQUFRLEVBQUU7WUFDUixRQUFRLEVBQUUsUUFBUSxDQUFDO1lBQ25CLE1BQU0sRUFBRSxNQUFNLENBQUMsTUFBTSxFQUFFLEtBQUssQ0FBQyxDQUFDO1lBQzlCLE9BQU8sRUFBRSxNQUFNLENBQUM7U0FDakIsQ0FBQztRQUNGLE1BQU0sRUFBRTtZQUNOLFFBQVEsRUFBRSxhQUFhLENBQUM7WUFDeEIsTUFBTSxFQUFFO2dCQUNOLEVBQUUsRUFBRSxNQUFNLENBQUM7YUFDWixDQUFDO1lBQ0YsT0FBTyxFQUFFLE1BQU0sQ0FBQztTQUNqQixDQUFDO0tBQ0gsQ0FBQztJQUNGLFdBQVcsRUFBRSxNQUFNLENBQUM7SUFDcEIsTUFBTSxFQUFFLE1BQU0sQ0FBQztJQUNmLElBQUksRUFBRSxNQUFNLENBQUM7SUFDYixJQUFJLEVBQUUsTUFBTSxDQUFDO0lBQ2IsT0FBTyxFQUFFLE1BQU0sQ0FBQztDQUNqQjtBQUVEOzs7Ozs7Ozs7Ozs7R0FZRztBQUNILHdCQUFnQixtQkFBbUIsQ0FDakMsUUFBUSxFQUFFLE1BQU0sRUFDaEIsYUFBYSxFQUFFLE1BQU0sRUFDckIsU0FBUyxFQUFFLE1BQU0sRUFDakIsY0FBYyxFQUFFLE1BQU0sR0FDckIsYUFBYSxDQThDZjtBQUVEOzs7Ozs7R0FNRztBQUNILHdCQUFnQixpQkFBaUIsQ0FBQyxRQUFRLEVBQUUsTUFBTSxHQUFHLGFBQWEsQ0FnQmpFO0FBRUQ7Ozs7Ozs7R0FPRztBQUNILHdCQUFnQixvQkFBb0IsQ0FBQyxRQUFRLEVBQUUsTUFBTSxFQUFFLFFBQVEsRUFBRSxNQUFNLEdBQUcsTUFBTSxDQUcvRTtBQUVEOzs7Ozs7O0dBT0c7QUFDSCx3QkFBZ0IsOEJBQThCLENBQUMsUUFBUSxFQUFFLGFBQWEsRUFBRSxRQUFRLEVBQUUsTUFBTSxHQUFHLE1BQU0sQ0FpRGhHO0FBRUQ7Ozs7Ozs7R0FPRztBQUNILHdCQUFnQixrQkFBa0IsQ0FDaEMsYUFBYSxFQUFFLE1BQU0sRUFDckIsY0FBYyxFQUFFLE1BQU0sRUFDdEIsZ0JBQWdCLEVBQUUsQ0FBQyxVQUFVLEVBQUUsTUFBTSxLQUFLLE1BQU0sR0FDL0MsT0FBTyxDQVNUIn0=

package/dest/crypto/bls/bn254_keystore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bn254_keystore.d.ts","sourceRoot":"","sources":["../../../src/crypto/bls/bn254_keystore.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;;GAQG;AAEH;;GAEG;AACH,QAAA,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8BvB,CAAC;AAEH;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;IAGzB,KAAK,CAAC;IAFxB,YACE,OAAO,EAAE,MAAM,EACC,KAAK,CAAC,mBAAO,EAI9B;CACF;AAED,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;;GAGG;AACH,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE;QACN,GAAG,EAAE;YACH,QAAQ,EAAE,QAAQ,CAAC;YACnB,MAAM,EAAE;gBACN,KAAK,EAAE,MAAM,CAAC;gBACd,CAAC,EAAE,MAAM,CAAC;gBACV,GAAG,EAAE,MAAM,CAAC;gBACZ,IAAI,EAAE,MAAM,CAAC;aACd,CAAC;YACF,OAAO,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,QAAQ,EAAE;YACR,QAAQ,EAAE,QAAQ,CAAC;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YAC9B,OAAO,EAAE,MAAM,CAAC;SACjB,CAAC;QACF,MAAM,EAAE;YACN,QAAQ,EAAE,aAAa,CAAC;YACxB,MAAM,EAAE;gBACN,EAAE,EAAE,MAAM,CAAC;aACZ,CAAC;YACF,OAAO,EAAE,MAAM,CAAC;SACjB,CAAC;KACH,CAAC;IACF,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,cAAc,EAAE,MAAM,GACrB,aAAa,CA8Cf;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,CAgBjE;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAG/E;AAED;;;;;;;GAOG;AACH,wBAAgB,8BAA8B,CAAC,QAAQ,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAiDhG;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,aAAa,EAAE,MAAM,EACrB,cAAc,EAAE,MAAM,EACtB,gBAAgB,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,MAAM,GAC/C,OAAO,CAST"}

package/dest/crypto/bls/bn254_keystore.js

@@ -0,0 +1,218 @@
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { createCipheriv, createDecipheriv, createHash, pbkdf2Sync, randomUUID } from 'crypto';
+import { readFileSync } from 'fs';
+import { z } from 'zod';
+/**
+ * BN254 Keystore Format
+ *
+ * Implements encryption and decryption of keystores for BN254 BLS private keys
+ * using PBKDF2 and AES-128-CTR. This format is inspired by EIP-2335 but adapted
+ * for BN254 keys rather than BLS12-381.
+ *
+ * @see https://eips.ethereum.org/EIPS/eip-2335
+ */ /**
+ * Zod schema for validating BN254 keystore structure
+ */ const bn254KeystoreSchema = z.object({
+    crypto: z.object({
+        kdf: z.object({
+            function: z.literal('pbkdf2'),
+            params: z.object({
+                dklen: z.number(),
+                c: z.number(),
+                prf: z.string(),
+                salt: z.string()
+            }),
+            message: z.string()
+        }),
+        checksum: z.object({
+            function: z.literal('sha256'),
+            params: z.object({}),
+            message: z.string()
+        }),
+        cipher: z.object({
+            function: z.literal('aes-128-ctr'),
+            params: z.object({
+                iv: z.string()
+            }),
+            message: z.string()
+        })
+    }),
+    description: z.string().optional(),
+    pubkey: z.string(),
+    path: z.string(),
+    uuid: z.string(),
+    version: z.number()
+});
+/**
+ * Error thrown when BN254 keystore operations fail
+ */ export class Bn254KeystoreError extends Error {
+    cause;
+    constructor(message, cause){
+        super(message), this.cause = cause;
+        this.name = 'Bn254KeystoreError';
+    }
+}
+/**
+ * Creates a BN254 keystore object for a BN254 BLS private key.
+ *
+ * Uses PBKDF2 with SHA-256 for key derivation and AES-128-CTR for encryption,
+ * following the EIP-2335 specification format.
+ *
+ * @param password - Password for encrypting the private key
+ * @param privateKeyHex - Private key as 0x-prefixed hex string (32 bytes)
+ * @param pubkeyHex - Public key as hex string (compressed or uncompressed)
+ * @param derivationPath - BIP-44 style derivation path (e.g., "m/12381/3600/0/0/0")
+ * @returns BN254 keystore object ready to be serialized to JSON
+ * @throws Error if private key is not 32-byte hex
+ */ export function createBn254Keystore(password, privateKeyHex, pubkeyHex, derivationPath) {
+    const ensureHex = (hex)=>hex.replace(/^0x/i, '');
+    const privHex = ensureHex(privateKeyHex);
+    if (!/^[0-9a-fA-F]{64}$/.test(privHex)) {
+        throw new Error('BLS private key must be 32-byte hex');
+    }
+    const salt = randomBytes(32);
+    const iv = randomBytes(16);
+    const dk = pbkdf2Sync(Buffer.from(password.normalize('NFKD'), 'utf8'), salt, 262144, 32, 'sha256');
+    const cipherKey = dk.subarray(0, 16);
+    const cipher = createCipheriv('aes-128-ctr', cipherKey, iv);
+    const plaintext = Buffer.from(privHex, 'hex');
+    const ciphertext = Buffer.concat([
+        cipher.update(plaintext),
+        cipher.final()
+    ]);
+    const checksum = createHash('sha256').update(Buffer.concat([
+        dk.subarray(16, 32),
+        ciphertext
+    ])).digest();
+    const uuid = randomUUID();
+    return {
+        crypto: {
+            kdf: {
+                function: 'pbkdf2',
+                params: {
+                    dklen: 32,
+                    c: 262144,
+                    prf: 'hmac-sha256',
+                    salt: salt.toString('hex')
+                },
+                message: ''
+            },
+            checksum: {
+                function: 'sha256',
+                params: {},
+                message: checksum.toString('hex')
+            },
+            cipher: {
+                function: 'aes-128-ctr',
+                params: {
+                    iv: iv.toString('hex')
+                },
+                message: ciphertext.toString('hex')
+            }
+        },
+        description: ensureHex(pubkeyHex),
+        pubkey: pubkeyHex,
+        path: derivationPath ?? '',
+        uuid,
+        version: 4
+    };
+}
+/**
+ * Loads and validates a BN254 keystore file.
+ *
+ * @param filePath - Path to the BN254 keystore JSON file
+ * @returns Validated keystore object
+ * @throws Bn254KeystoreError if file cannot be read or validated
+ */ export function loadBn254Keystore(filePath) {
+    try {
+        const content = readFileSync(filePath, 'utf-8');
+        const json = JSON.parse(content);
+        return bn254KeystoreSchema.parse(json);
+    } catch (error) {
+        if (error instanceof SyntaxError) {
+            throw new Bn254KeystoreError(`Invalid JSON in keystore file: ${filePath}`, error);
+        }
+        if (error && typeof error === 'object' && 'issues' in error) {
+            const issues = error.issues ?? [];
+            const message = issues.map((e)=>`${e.message} at ${e.path?.join('.') ?? 'root'}`).join('; ');
+            throw new Bn254KeystoreError(`Invalid BN254 keystore format: ${message}`);
+        }
+        throw new Bn254KeystoreError(`Failed to load keystore from ${filePath}: ${String(error)}`, error);
+    }
+}
+/**
+ * Decrypts a BN254 BLS private key from a keystore file.
+ *
+ * @param filePath - Path to the BN254 keystore JSON file
+ * @param password - Password to decrypt the keystore
+ * @returns Decrypted private key as 0x-prefixed hex string (32 bytes)
+ * @throws Bn254KeystoreError if decryption fails or checksum is invalid
+ */ export function decryptBn254Keystore(filePath, password) {
+    const keystore = loadBn254Keystore(filePath);
+    return decryptBn254KeystoreFromObject(keystore, password);
+}
+/**
+ * Decrypts a BN254 BLS private key from a keystore object.
+ *
+ * @param keystore - BN254 keystore object
+ * @param password - Password to decrypt the keystore
+ * @returns Decrypted private key as 0x-prefixed hex string (32 bytes)
+ * @throws Bn254KeystoreError if decryption fails or checksum is invalid
+ */ export function decryptBn254KeystoreFromObject(keystore, password) {
+    try {
+        const { crypto } = keystore;
+        // Only support PBKDF2 + AES-128-CTR (as per our implementation)
+        if (crypto.kdf.function !== 'pbkdf2') {
+            throw new Bn254KeystoreError(`Unsupported KDF function: ${crypto.kdf.function}`);
+        }
+        if (crypto.cipher.function !== 'aes-128-ctr') {
+            throw new Bn254KeystoreError(`Unsupported cipher function: ${crypto.cipher.function}`);
+        }
+        // Derive decryption key using PBKDF2
+        const salt = Buffer.from(crypto.kdf.params.salt, 'hex');
+        const dk = pbkdf2Sync(Buffer.from(password.normalize('NFKD'), 'utf8'), salt, crypto.kdf.params.c, crypto.kdf.params.dklen, 'sha256');
+        const cipherKey = dk.subarray(0, 16);
+        const checksumKey = dk.subarray(16, 32);
+        // Decrypt the ciphertext
+        const iv = Buffer.from(crypto.cipher.params.iv, 'hex');
+        const ciphertext = Buffer.from(crypto.cipher.message, 'hex');
+        const decipher = createDecipheriv('aes-128-ctr', cipherKey, iv);
+        const decrypted = Buffer.concat([
+            decipher.update(ciphertext),
+            decipher.final()
+        ]);
+        // Verify checksum
+        const computedChecksum = createHash('sha256').update(Buffer.concat([
+            checksumKey,
+            ciphertext
+        ])).digest();
+        const expectedChecksum = Buffer.from(crypto.checksum.message, 'hex');
+        if (!computedChecksum.equals(expectedChecksum)) {
+            throw new Bn254KeystoreError('Checksum verification failed - incorrect password or corrupted keystore');
+        }
+        // Return as 0x-prefixed hex
+        return '0x' + decrypted.toString('hex');
+    } catch (error) {
+        if (error instanceof Bn254KeystoreError) {
+            throw error;
+        }
+        throw new Bn254KeystoreError(`Failed to decrypt keystore: ${String(error)}`, error);
+    }
+}
+/**
+ * Validates that a decrypted private key matches the public key in the keystore.
+ *
+ * @param privateKeyHex - Decrypted private key (0x-prefixed)
+ * @param expectedPubkey - Expected public key from keystore
+ * @param computePublicKey - Function to compute public key from private key
+ * @returns true if keys match, false otherwise
+ */ export function verifyBn254Keypair(privateKeyHex, expectedPubkey, computePublicKey) {
+    try {
+        const computedPubkey = computePublicKey(privateKeyHex);
+        const normalizedExpected = expectedPubkey.toLowerCase().replace(/^0x/i, '');
+        const normalizedComputed = computedPubkey.toLowerCase().replace(/^0x/i, '');
+        return normalizedExpected === normalizedComputed;
+    } catch  {
+        return false;
+    }
+}

package/dest/crypto/bls/index.d.ts

@@ -0,0 +1,13 @@
+import type { Hex } from '@aztec/foundation/string';
+export declare function deriveBlsPrivateKey(mnemonic: string | undefined, ikm: string | undefined, path: string): Hex<32>;
+/**
+ * Deterministically derive a BN254 BLS private key from mnemonic and derivation path.
+ * Returns a 0x-prefixed 32-byte hex string representing an Fr in [1, r-1].
+ */
+export declare function deriveBlsKeyFromMnemonic(mnemonic: string, derivationPath: string, passphrase?: string): string;
+/**
+ * Deterministically derive a BN254 BLS private key from input keying material (IKM) and derivation path.
+ * Returns a 0x-prefixed 32-byte hex string representing an Fr in [1, r-1].
+ */
+export declare function deriveBlsKeyFromEntropy(ikm: string, derivationPath: string): string;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9jcnlwdG8vYmxzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUNBLE9BQU8sS0FBSyxFQUFFLEdBQUcsRUFBRSxNQUFNLDBCQUEwQixDQUFDO0FBUXBELHdCQUFnQixtQkFBbUIsQ0FBQyxRQUFRLEVBQUUsTUFBTSxHQUFHLFNBQVMsRUFBRSxHQUFHLEVBQUUsTUFBTSxHQUFHLFNBQVMsRUFBRSxJQUFJLEVBQUUsTUFBTSxHQUFHLEdBQUcsQ0FBQyxFQUFFLENBQUMsQ0FRaEg7QUFFRDs7O0dBR0c7QUFDSCx3QkFBZ0Isd0JBQXdCLENBQUMsUUFBUSxFQUFFLE1BQU0sRUFBRSxjQUFjLEVBQUUsTUFBTSxFQUFFLFVBQVUsU0FBSyxHQUFHLE1BQU0sQ0FLMUc7QUFFRDs7O0dBR0c7QUFDSCx3QkFBZ0IsdUJBQXVCLENBQUMsR0FBRyxFQUFFLE1BQU0sRUFBRSxjQUFjLEVBQUUsTUFBTSxHQUFHLE1BQU0sQ0FLbkYifQ==

package/dest/crypto/bls/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/crypto/bls/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,0BAA0B,CAAC;AAQpD,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,SAAS,EAAE,IAAI,EAAE,MAAM,GAAG,GAAG,CAAC,EAAE,CAAC,CAQhH;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,UAAU,SAAK,GAAG,MAAM,CAK1G;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAKnF"}