@aztec/wallet-sdk 0.0.1-commit.c7c42ec → 0.0.1-commit.f295ac2

package/dest/providers/extension/index.js

@@ -1,2 +1,4 @@
 export { ExtensionWallet } from './extension_wallet.js';
 export { ExtensionProvider } from './extension_provider.js';
+export * from '../../crypto.js';
+export { WalletMessageType } from '../../types.js';

package/dest/types.d.ts

@@ -0,0 +1,92 @@
+import type { ChainInfo } from '@aztec/aztec.js/account';
+import type { ExportedPublicKey } from './crypto.js';
+/**
+ * Message types for wallet SDK communication.
+ * All types are prefixed with 'aztec-wallet-' for namespacing.
+ */
+export declare enum WalletMessageType {
+    /** Discovery request to find installed wallets */
+    DISCOVERY = "aztec-wallet-discovery",
+    /** Discovery response from a wallet */
+    DISCOVERY_RESPONSE = "aztec-wallet-discovery-response",
+    /** Session disconnected notification (unencrypted control message) */
+    SESSION_DISCONNECTED = "aztec-wallet-session-disconnected",
+    /** Explicit disconnect request from dApp */
+    DISCONNECT = "aztec-wallet-disconnect"
+}
+/**
+ * Information about an installed Aztec wallet
+ */
+export interface WalletInfo {
+    /** Unique identifier for the wallet */
+    id: string;
+    /** Display name of the wallet */
+    name: string;
+    /** URL to the wallet's icon */
+    icon?: string;
+    /** Wallet version */
+    version: string;
+    /** Wallet's ECDH public key for secure channel establishment */
+    publicKey: ExportedPublicKey;
+    /**
+     * Hash of the shared secret for anti-MITM verification.
+     * Both dApp and wallet independently compute this from the ECDH shared secret.
+     * Use {@link hashToEmoji} to convert to a visual representation for user verification.
+     */
+    verificationHash?: string;
+}
+/**
+ * Message format for wallet communication (internal, before encryption)
+ */
+export interface WalletMessage {
+    /** Unique message ID for tracking responses */
+    messageId: string;
+    /** The wallet method to call */
+    type: string;
+    /** Arguments for the method */
+    args: unknown[];
+    /** Chain information */
+    chainInfo: ChainInfo;
+    /** Application ID making the request */
+    appId: string;
+    /** Wallet ID to target a specific wallet */
+    walletId: string;
+}
+/**
+ * Response message from wallet
+ */
+export interface WalletResponse {
+    /** Message ID matching the request */
+    messageId: string;
+    /** Result data (if successful) */
+    result?: unknown;
+    /** Error data (if failed) */
+    error?: unknown;
+    /** Wallet ID that sent the response */
+    walletId: string;
+}
+/**
+ * Discovery message for finding installed wallets (public, unencrypted)
+ */
+export interface DiscoveryRequest {
+    /** Message type for discovery */
+    type: WalletMessageType.DISCOVERY;
+    /** Request ID */
+    requestId: string;
+    /** Chain information to check if wallet supports this network */
+    chainInfo: ChainInfo;
+    /** dApp's ECDH public key for deriving shared secret */
+    publicKey: ExportedPublicKey;
+}
+/**
+ * Discovery response from a wallet (public, unencrypted)
+ */
+export interface DiscoveryResponse {
+    /** Message type for discovery response */
+    type: WalletMessageType.DISCOVERY_RESPONSE;
+    /** Request ID matching the discovery request */
+    requestId: string;
+    /** Wallet information */
+    walletInfo: WalletInfo;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3NyYy90eXBlcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssRUFBRSxTQUFTLEVBQUUsTUFBTSx5QkFBeUIsQ0FBQztBQUV6RCxPQUFPLEtBQUssRUFBRSxpQkFBaUIsRUFBRSxNQUFNLGFBQWEsQ0FBQztBQUVyRDs7O0dBR0c7QUFDSCxvQkFBWSxpQkFBaUI7SUFDM0Isa0RBQWtEO0lBQ2xELFNBQVMsMkJBQTJCO0lBQ3BDLHVDQUF1QztJQUN2QyxrQkFBa0Isb0NBQW9DO0lBQ3RELHNFQUFzRTtJQUN0RSxvQkFBb0Isc0NBQXNDO0lBQzFELDRDQUE0QztJQUM1QyxVQUFVLDRCQUE0QjtDQUN2QztBQUVEOztHQUVHO0FBQ0gsTUFBTSxXQUFXLFVBQVU7SUFDekIsdUNBQXVDO0lBQ3ZDLEVBQUUsRUFBRSxNQUFNLENBQUM7SUFDWCxpQ0FBaUM7SUFDakMsSUFBSSxFQUFFLE1BQU0sQ0FBQztJQUNiLCtCQUErQjtJQUMvQixJQUFJLENBQUMsRUFBRSxNQUFNLENBQUM7SUFDZCxxQkFBcUI7SUFDckIsT0FBTyxFQUFFLE1BQU0sQ0FBQztJQUNoQixnRUFBZ0U7SUFDaEUsU0FBUyxFQUFFLGlCQUFpQixDQUFDO0lBQzdCOzs7O09BSUc7SUFDSCxnQkFBZ0IsQ0FBQyxFQUFFLE1BQU0sQ0FBQztDQUMzQjtBQUVEOztHQUVHO0FBQ0gsTUFBTSxXQUFXLGFBQWE7SUFDNUIsK0NBQStDO0lBQy9DLFNBQVMsRUFBRSxNQUFNLENBQUM7SUFDbEIsZ0NBQWdDO0lBQ2hDLElBQUksRUFBRSxNQUFNLENBQUM7SUFDYiwrQkFBK0I7SUFDL0IsSUFBSSxFQUFFLE9BQU8sRUFBRSxDQUFDO0lBQ2hCLHdCQUF3QjtJQUN4QixTQUFTLEVBQUUsU0FBUyxDQUFDO0lBQ3JCLHdDQUF3QztJQUN4QyxLQUFLLEVBQUUsTUFBTSxDQUFDO0lBQ2QsNENBQTRDO0lBQzVDLFFBQVEsRUFBRSxNQUFNLENBQUM7Q0FDbEI7QUFFRDs7R0FFRztBQUNILE1BQU0sV0FBVyxjQUFjO0lBQzdCLHNDQUFzQztJQUN0QyxTQUFTLEVBQUUsTUFBTSxDQUFDO0lBQ2xCLGtDQUFrQztJQUNsQyxNQUFNLENBQUMsRUFBRSxPQUFPLENBQUM7SUFDakIsNkJBQTZCO0lBQzdCLEtBQUssQ0FBQyxFQUFFLE9BQU8sQ0FBQztJQUNoQix1Q0FBdUM7SUFDdkMsUUFBUSxFQUFFLE1BQU0sQ0FBQztDQUNsQjtBQUVEOztHQUVHO0FBQ0gsTUFBTSxXQUFXLGdCQUFnQjtJQUMvQixpQ0FBaUM7SUFDakMsSUFBSSxFQUFFLGlCQUFpQixDQUFDLFNBQVMsQ0FBQztJQUNsQyxpQkFBaUI7SUFDakIsU0FBUyxFQUFFLE1BQU0sQ0FBQztJQUNsQixpRUFBaUU7SUFDakUsU0FBUyxFQUFFLFNBQVMsQ0FBQztJQUNyQix3REFBd0Q7SUFDeEQsU0FBUyxFQUFFLGlCQUFpQixDQUFDO0NBQzlCO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLFdBQVcsaUJBQWlCO0lBQ2hDLDBDQUEwQztJQUMxQyxJQUFJLEVBQUUsaUJBQWlCLENBQUMsa0JBQWtCLENBQUM7SUFDM0MsZ0RBQWdEO0lBQ2hELFNBQVMsRUFBRSxNQUFNLENBQUM7SUFDbEIseUJBQXlCO0lBQ3pCLFVBQVUsRUFBRSxVQUFVLENBQUM7Q0FDeEIifQ==

package/dest/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAEzD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD;;;GAGG;AACH,oBAAY,iBAAiB;IAC3B,kDAAkD;IAClD,SAAS,2BAA2B;IACpC,uCAAuC;IACvC,kBAAkB,oCAAoC;IACtD,sEAAsE;IACtE,oBAAoB,sCAAsC;IAC1D,4CAA4C;IAC5C,UAAU,4BAA4B;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,uCAAuC;IACvC,EAAE,EAAE,MAAM,CAAC;IACX,iCAAiC;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qBAAqB;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,gEAAgE;IAChE,SAAS,EAAE,iBAAiB,CAAC;IAC7B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,EAAE,OAAO,EAAE,CAAC;IAChB,wBAAwB;IACxB,SAAS,EAAE,SAAS,CAAC;IACrB,wCAAwC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,uCAAuC;IACvC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iCAAiC;IACjC,IAAI,EAAE,iBAAiB,CAAC,SAAS,CAAC;IAClC,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,SAAS,EAAE,SAAS,CAAC;IACrB,wDAAwD;IACxD,SAAS,EAAE,iBAAiB,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,0CAA0C;IAC1C,IAAI,EAAE,iBAAiB,CAAC,kBAAkB,CAAC;IAC3C,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,UAAU,EAAE,UAAU,CAAC;CACxB"}

package/dest/types.js

@@ -0,0 +1,10 @@
+/**
+ * Message types for wallet SDK communication.
+ * All types are prefixed with 'aztec-wallet-' for namespacing.
+ */ export var WalletMessageType = /*#__PURE__*/ function(WalletMessageType) {
+    /** Discovery request to find installed wallets */ WalletMessageType["DISCOVERY"] = "aztec-wallet-discovery";
+    /** Discovery response from a wallet */ WalletMessageType["DISCOVERY_RESPONSE"] = "aztec-wallet-discovery-response";
+    /** Session disconnected notification (unencrypted control message) */ WalletMessageType["SESSION_DISCONNECTED"] = "aztec-wallet-session-disconnected";
+    /** Explicit disconnect request from dApp */ WalletMessageType["DISCONNECT"] = "aztec-wallet-disconnect";
+    return WalletMessageType;
+}({});

package/package.json

@@ -1,11 +1,13 @@
 {
   "name": "@aztec/wallet-sdk",
   "homepage": "https://github.com/AztecProtocol/aztec-packages/tree/master/yarn-project/wallet-sdk",
-  "version": "0.0.1-commit.c7c42ec",
+  "version": "0.0.1-commit.f295ac2",
   "type": "module",
   "exports": {
     "./base-wallet": "./dest/base-wallet/index.js",
     "./providers/extension": "./dest/providers/extension/index.js",
+    "./crypto": "./dest/crypto.js",
+    "./types": "./dest/types.js",
     "./manager": "./dest/manager/index.js"
   },
   "typedocOptions": {
@@ -62,19 +64,19 @@
     ]
   },
   "dependencies": {
-    "@aztec/aztec.js": "0.0.1-commit.c7c42ec",
-    "@aztec/constants": "0.0.1-commit.c7c42ec",
-    "@aztec/entrypoints": "0.0.1-commit.c7c42ec",
-    "@aztec/foundation": "0.0.1-commit.c7c42ec",
-    "@aztec/pxe": "0.0.1-commit.c7c42ec",
-    "@aztec/stdlib": "0.0.1-commit.c7c42ec"
+    "@aztec/aztec.js": "0.0.1-commit.f295ac2",
+    "@aztec/constants": "0.0.1-commit.f295ac2",
+    "@aztec/entrypoints": "0.0.1-commit.f295ac2",
+    "@aztec/foundation": "0.0.1-commit.f295ac2",
+    "@aztec/pxe": "0.0.1-commit.f295ac2",
+    "@aztec/stdlib": "0.0.1-commit.f295ac2"
   },
   "devDependencies": {
-    "@aztec/noir-contracts.js": "0.0.1-commit.c7c42ec",
+    "@aztec/noir-contracts.js": "0.0.1-commit.f295ac2",
     "@jest/globals": "^30.0.0",
     "@types/jest": "^30.0.0",
     "@types/node": "^22.15.17",
-    "@typescript/native-preview": "7.0.0-dev.20251126.1",
+    "@typescript/native-preview": "7.0.0-dev.20260113.1",
     "jest": "^30.0.0",
     "jest-mock-extended": "^4.0.0",
     "resolve-typescript-plugin": "^2.0.1",

package/src/base-wallet/base_wallet.ts

@@ -4,7 +4,6 @@ import type { FeePaymentMethod } from '@aztec/aztec.js/fee';
 import type {
   Aliased,
   BatchResults,
-  BatchableMethods,
   BatchedMethod,
   PrivateEvent,
   PrivateEventFilter,
@@ -34,14 +33,13 @@ import {
 import type { AuthWitness } from '@aztec/stdlib/auth-witness';
 import type { AztecAddress } from '@aztec/stdlib/aztec-address';
 import {
-  type ContractClassMetadata,
   type ContractInstanceWithAddress,
-  type ContractMetadata,
   computePartialAddress,
   getContractClassFromArtifact,
 } from '@aztec/stdlib/contract';
 import { SimulationError } from '@aztec/stdlib/errors';
 import { Gas, GasSettings } from '@aztec/stdlib/gas';
+import { siloNullifier } from '@aztec/stdlib/hash';
 import type { AztecNode } from '@aztec/stdlib/interfaces/client';
 import type {
   TxExecutionRequest,
@@ -76,7 +74,7 @@ export type FeeOptions = {
 export abstract class BaseWallet implements Wallet {
   protected log = createLogger('wallet-sdk:base_wallet');
 
-  protected baseFeePadding = 0.5;
+  protected minFeePadding = 0.5;
   protected cancellableTransactions = false;
 
   // Protected because we want to force wallets to instantiate their own PXE.
@@ -132,9 +130,7 @@ export abstract class BaseWallet implements Wallet {
     return account.createAuthWit(messageHashOrIntent);
   }
 
-  public async batch<const T extends readonly BatchedMethod<keyof BatchableMethods>[]>(
-    methods: T,
-  ): Promise<BatchResults<T>> {
+  public async batch<const T extends readonly BatchedMethod[]>(methods: T): Promise<BatchResults<T>> {
     const results: any[] = [];
     for (const method of methods) {
       const { name, args } = method;
@@ -165,7 +161,7 @@ export abstract class BaseWallet implements Wallet {
     gasSettings?: Partial<FieldsOf<GasSettings>>,
   ): Promise<FeeOptions> {
     const maxFeesPerGas =
-      gasSettings?.maxFeesPerGas ?? (await this.aztecNode.getCurrentBaseFees()).mul(1 + this.baseFeePadding);
+      gasSettings?.maxFeesPerGas ?? (await this.aztecNode.getCurrentMinFees()).mul(1 + this.minFeePadding);
     let accountFeePaymentMethodOptions;
     // The transaction does not include a fee payment method, so we set the flag
     // for the account to use its fee juice balance
@@ -227,7 +223,7 @@ export abstract class BaseWallet implements Wallet {
     artifact?: ContractArtifact,
     secretKey?: Fr,
   ): Promise<ContractInstanceWithAddress> {
-    const { contractInstance: existingInstance } = await this.pxe.getContractMetadata(instance.address);
+    const existingInstance = await this.pxe.getContractInstance(instance.address);
 
     if (existingInstance) {
       // Instance already registered in the wallet
@@ -244,13 +240,12 @@ export abstract class BaseWallet implements Wallet {
       // Instance not registered yet
       if (!artifact) {
         // Try to get the artifact from the wallet's contract class storage
-        const classMetadata = await this.pxe.getContractClassMetadata(instance.currentContractClassId, true);
-        if (!classMetadata.artifact) {
+        artifact = await this.pxe.getContractArtifact(instance.currentContractClassId);
+        if (!artifact) {
           throw new Error(
             `Cannot register contract at ${instance.address.toString()}: artifact is required but not provided, and wallet does not have the artifact for contract class ${instance.currentContractClassId.toString()}`,
           );
         }
-        artifact = classMetadata.artifact;
       }
       await this.pxe.registerContract({ artifact, instance });
     }
@@ -315,13 +310,6 @@ export abstract class BaseWallet implements Wallet {
     return this.pxe.simulateUtility(call, authwits);
   }
 
-  getContractClassMetadata(id: Fr, includeArtifact: boolean = false): Promise<ContractClassMetadata> {
-    return this.pxe.getContractClassMetadata(id, includeArtifact);
-  }
-  getContractMetadata(address: AztecAddress): Promise<ContractMetadata> {
-    return this.pxe.getContractMetadata(address);
-  }
-
   getTxReceipt(txHash: TxHash): Promise<TxReceipt> {
     return this.aztecNode.getTxReceipt(txHash);
   }
@@ -345,4 +333,37 @@ export abstract class BaseWallet implements Wallet {
 
     return decodedEvents;
   }
+
+  async getContractMetadata(address: AztecAddress) {
+    const instance = await this.pxe.getContractInstance(address);
+    const initNullifier = await siloNullifier(address, address.toField());
+    const publiclyRegisteredContract = await this.aztecNode.getContract(address);
+    const [initNullifierMembershipWitness, publiclyRegisteredContractClass] = await Promise.all([
+      this.aztecNode.getNullifierMembershipWitness('latest', initNullifier),
+      publiclyRegisteredContract
+        ? this.aztecNode.getContractClass(
+            publiclyRegisteredContract.currentContractClassId || instance?.currentContractClassId,
+          )
+        : undefined,
+    ]);
+    const isContractUpdated =
+      publiclyRegisteredContract &&
+      !publiclyRegisteredContract.currentContractClassId.equals(publiclyRegisteredContract.originalContractClassId);
+    return {
+      instance: instance ?? undefined,
+      isContractInitialized: !!initNullifierMembershipWitness,
+      isContractPublished: !!publiclyRegisteredContract,
+      isContractClassPubliclyRegistered: !!publiclyRegisteredContractClass,
+      isContractUpdated: !!isContractUpdated,
+      updatedContractClassId: isContractUpdated ? publiclyRegisteredContract.currentContractClassId : undefined,
+    };
+  }
+
+  async getContractClassMetadata(id: Fr) {
+    const publiclyRegisteredContractClass = await this.aztecNode.getContractClass(id);
+    return {
+      isArtifactRegistered: !!(await this.pxe.getContractArtifact(id)),
+      isContractClassPubliclyRegistered: !!publiclyRegisteredContractClass,
+    };
+  }
 }

package/src/crypto.ts

@@ -0,0 +1,375 @@
+/**
+ * Cryptographic utilities for secure wallet communication.
+ *
+ * This module provides ECDH key exchange and AES-GCM encryption primitives
+ * for establishing secure communication channels between dApps and wallet extensions.
+ *
+ * The crypto flow:
+ * 1. Both parties generate ECDH key pairs using {@link generateKeyPair}
+ * 2. Public keys are exchanged (exported via {@link exportPublicKey}, imported via {@link importPublicKey})
+ * 3. Both parties derive the same shared secret using {@link deriveSharedKey}
+ * 4. Messages are encrypted/decrypted using {@link encrypt} and {@link decrypt}
+ *
+ * @example
+ * ```typescript
+ * // Party A
+ * const keyPairA = await generateKeyPair();
+ * const publicKeyA = await exportPublicKey(keyPairA.publicKey);
+ *
+ * // Party B
+ * const keyPairB = await generateKeyPair();
+ * const publicKeyB = await exportPublicKey(keyPairB.publicKey);
+ *
+ * // Exchange public keys, then derive shared secret
+ * const importedB = await importPublicKey(publicKeyB);
+ * const sharedKeyA = await deriveSharedKey(keyPairA.privateKey, importedB);
+ *
+ * // Encrypt and decrypt
+ * const encrypted = await encrypt(sharedKeyA, { message: 'hello' });
+ * const decrypted = await decrypt(sharedKeyB, encrypted);
+ * ```
+ *
+ * @packageDocumentation
+ */
+import { jsonStringify } from '@aztec/foundation/json-rpc';
+
+/**
+ * Exported public key in JWK format for transmission over untrusted channels.
+ *
+ * Contains only the public components of an ECDH P-256 key, safe to share.
+ */
+export interface ExportedPublicKey {
+  /** Key type - always "EC" for elliptic curve */
+  kty: string;
+  /** Curve name - always "P-256" */
+  crv: string;
+  /** X coordinate (base64url encoded) */
+  x: string;
+  /** Y coordinate (base64url encoded) */
+  y: string;
+}
+
+/**
+ * Encrypted message payload containing ciphertext and initialization vector.
+ *
+ * Both fields are base64-encoded for safe transmission as JSON.
+ */
+export interface EncryptedPayload {
+  /** Initialization vector (base64 encoded, 12 bytes) */
+  iv: string;
+  /** Ciphertext (base64 encoded) */
+  ciphertext: string;
+}
+
+/**
+ * ECDH key pair for secure communication.
+ *
+ * The private key should never be exported or transmitted.
+ * The public key can be exported via {@link exportPublicKey} for exchange.
+ */
+export interface SecureKeyPair {
+  /** Public key - safe to share */
+  publicKey: CryptoKey;
+  /** Private key - keep secret, used for key derivation */
+  privateKey: CryptoKey;
+}
+
+/**
+ * Generates an ECDH P-256 key pair for key exchange.
+ *
+ * The generated key pair can be used to derive a shared secret with another
+ * party's public key using {@link deriveSharedKey}.
+ *
+ * @returns A new ECDH key pair
+ *
+ * @example
+ * ```typescript
+ * const keyPair = await generateKeyPair();
+ * const publicKey = await exportPublicKey(keyPair.publicKey);
+ * // Send publicKey to the other party
+ * ```
+ */
+export async function generateKeyPair(): Promise<SecureKeyPair> {
+  const keyPair = await crypto.subtle.generateKey(
+    {
+      name: 'ECDH',
+      namedCurve: 'P-256',
+    },
+    true, // extractable (needed to export public key)
+    ['deriveKey'],
+  );
+  return {
+    publicKey: keyPair.publicKey,
+    privateKey: keyPair.privateKey,
+  };
+}
+
+/**
+ * Exports a public key to JWK format for transmission.
+ *
+ * The exported key contains only public components and is safe to transmit
+ * over untrusted channels.
+ *
+ * @param publicKey - The CryptoKey public key to export
+ * @returns The public key in JWK format
+ *
+ * @example
+ * ```typescript
+ * const keyPair = await generateKeyPair();
+ * const exported = await exportPublicKey(keyPair.publicKey);
+ * // exported can be JSON serialized and sent to another party
+ * ```
+ */
+export async function exportPublicKey(publicKey: CryptoKey): Promise<ExportedPublicKey> {
+  const jwk = await crypto.subtle.exportKey('jwk', publicKey);
+  return {
+    kty: jwk.kty!,
+    crv: jwk.crv!,
+    x: jwk.x!,
+    y: jwk.y!,
+  };
+}
+
+/**
+ * Imports a public key from JWK format.
+ *
+ * Used to import the other party's public key for deriving a shared secret.
+ *
+ * @param exported - The public key in JWK format
+ * @returns A CryptoKey that can be used with {@link deriveSharedKey}
+ *
+ * @example
+ * ```typescript
+ * // Receive exported public key from other party
+ * const theirPublicKey = await importPublicKey(receivedPublicKey);
+ * const sharedKey = await deriveSharedKey(myPrivateKey, theirPublicKey);
+ * ```
+ */
+export function importPublicKey(exported: ExportedPublicKey): Promise<CryptoKey> {
+  return crypto.subtle.importKey(
+    'jwk',
+    {
+      kty: exported.kty,
+      crv: exported.crv,
+      x: exported.x,
+      y: exported.y,
+    },
+    {
+      name: 'ECDH',
+      namedCurve: 'P-256',
+    },
+    false,
+    [],
+  );
+}
+
+/**
+ * Derives a shared AES-256-GCM key from ECDH key exchange.
+ *
+ * Both parties will derive the same shared key when using their own private key
+ * and the other party's public key. This is the core of ECDH key agreement.
+ *
+ * @param privateKey - Your ECDH private key
+ * @param publicKey - The other party's ECDH public key
+ * @returns An AES-256-GCM key for encryption/decryption
+ *
+ * @example
+ * ```typescript
+ * // Both parties derive the same key
+ * const sharedKeyA = await deriveSharedKey(privateKeyA, publicKeyB);
+ * const sharedKeyB = await deriveSharedKey(privateKeyB, publicKeyA);
+ * // sharedKeyA and sharedKeyB are equivalent
+ * ```
+ */
+export function deriveSharedKey(privateKey: CryptoKey, publicKey: CryptoKey): Promise<CryptoKey> {
+  return crypto.subtle.deriveKey(
+    {
+      name: 'ECDH',
+      public: publicKey,
+    },
+    privateKey,
+    {
+      name: 'AES-GCM',
+      length: 256,
+    },
+    true, // extractable - needed for hashing
+    ['encrypt', 'decrypt'],
+  );
+}
+
+/**
+ * Encrypts data using AES-256-GCM.
+ *
+ * The data is JSON serialized before encryption. A random 12-byte IV is
+ * generated for each encryption operation.
+ *
+ * AES-GCM provides both confidentiality and authenticity - any tampering
+ * with the ciphertext will cause decryption to fail.
+ *
+ * @param key - The AES-GCM key (from {@link deriveSharedKey})
+ * @param data - The data to encrypt (will be JSON serialized)
+ * @returns The encrypted payload with IV and ciphertext
+ *
+ * @example
+ * ```typescript
+ * const encrypted = await encrypt(sharedKey, { action: 'transfer', amount: 100 });
+ * // encrypted.iv and encrypted.ciphertext are base64 strings
+ * ```
+ */
+export async function encrypt(key: CryptoKey, data: unknown): Promise<EncryptedPayload> {
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const encoded = new TextEncoder().encode(jsonStringify(data));
+
+  const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, encoded);
+
+  return {
+    iv: arrayBufferToBase64(iv),
+    ciphertext: arrayBufferToBase64(ciphertext),
+  };
+}
+
+/**
+ * Decrypts data using AES-256-GCM.
+ *
+ * The decrypted data is JSON parsed before returning.
+ *
+ * @typeParam T - The expected type of the decrypted data
+ * @param key - The AES-GCM key (from {@link deriveSharedKey})
+ * @param payload - The encrypted payload from {@link encrypt}
+ * @returns The decrypted and parsed data
+ *
+ * @throws Error if decryption fails (wrong key or tampered ciphertext)
+ *
+ * @example
+ * ```typescript
+ * const decrypted = await decrypt<{ action: string; amount: number }>(sharedKey, encrypted);
+ * console.log(decrypted.action); // 'transfer'
+ * ```
+ */
+export async function decrypt<T = unknown>(key: CryptoKey, payload: EncryptedPayload): Promise<T> {
+  const iv = base64ToArrayBuffer(payload.iv);
+  const ciphertext = base64ToArrayBuffer(payload.ciphertext);
+
+  const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
+
+  const decoded = new TextDecoder().decode(decrypted);
+  return JSON.parse(decoded) as T;
+}
+
+/**
+ * Converts ArrayBuffer to base64 string.
+ * @internal
+ */
+function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  let binary = '';
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+
+/**
+ * Converts base64 string to ArrayBuffer.
+ * @internal
+ */
+function base64ToArrayBuffer(base64: string): ArrayBuffer {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+
+/**
+ * Emoji alphabet for visual verification of shared secrets.
+ * 32 distinct, easily recognizable emojis for anti-spoofing verification.
+ * @internal
+ */
+const EMOJI_ALPHABET = [
+  '🔵',
+  '🟢',
+  '🔴',
+  '🟡',
+  '🟣',
+  '🟠',
+  '⚫',
+  '⚪',
+  '🌟',
+  '🌙',
+  '☀️',
+  '🌈',
+  '🔥',
+  '💧',
+  '🌸',
+  '🍀',
+  '🦋',
+  '🐬',
+  '🦊',
+  '🐼',
+  '🦁',
+  '🐯',
+  '🐸',
+  '🦉',
+  '🎵',
+  '🎨',
+  '🎯',
+  '🎲',
+  '🔔',
+  '💎',
+  '🔑',
+  '🏆',
+];
+
+/**
+ * Hashes a shared AES key to a hex string for verification.
+ *
+ * This extracts the raw key material and hashes it with SHA-256,
+ * returning the first 16 bytes as a hex string.
+ *
+ * @param sharedKey - The AES-GCM shared key (must be extractable)
+ * @returns A hex string representation of the hash
+ *
+ * @example
+ * ```typescript
+ * const hash = await hashSharedSecret(sharedKey);
+ * const emoji = hashToEmoji(hash);
+ * ```
+ */
+export async function hashSharedSecret(sharedKey: CryptoKey): Promise<string> {
+  const rawKey = await crypto.subtle.exportKey('raw', sharedKey);
+  const hash = await crypto.subtle.digest('SHA-256', rawKey);
+  const bytes = new Uint8Array(hash.slice(0, 16));
+  return Array.from(bytes)
+    .map(b => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+/**
+ * Converts a hex hash to an emoji sequence for visual verification.
+ *
+ * This is used for anti-MITM verification - both the dApp and wallet
+ * independently compute the same emoji sequence from the shared secret.
+ * Users can visually compare the sequences to detect interception.
+ *
+ * Similar to SAS (Short Authentication String) in ZRTP/Signal.
+ *
+ * @param hash - Hex string from {@link hashSharedSecret}
+ * @param length - Number of emojis to generate (default: 4)
+ * @returns A string of emojis representing the hash
+ *
+ * @example
+ * ```typescript
+ * const hash = await hashSharedSecret(sharedKey);
+ * const emoji = hashToEmoji(hash); // e.g., "🔵🦋🎯🐼"
+ * // Display to user for verification
+ * ```
+ */
+export function hashToEmoji(hash: string, length: number = 4): string {
+  const bytes: number[] = [];
+  for (let i = 0; i < hash.length && bytes.length < length; i += 2) {
+    bytes.push(parseInt(hash.slice(i, i + 2), 16));
+  }
+  return bytes.map(b => EMOJI_ALPHABET[b % EMOJI_ALPHABET.length]).join('');
+}

package/src/manager/index.ts

@@ -5,17 +5,13 @@ export type {
   WebWalletConfig,
   WalletProviderType,
   WalletProvider,
+  ProviderDisconnectionCallback,
   DiscoverWalletsOptions,
 } from './types.js';
 
-// Re-export types from providers for convenience
-export type {
-  WalletInfo,
-  WalletMessage,
-  WalletResponse,
-  DiscoveryRequest,
-  DiscoveryResponse,
-} from '../providers/types.js';
+// Re-export types and enums from providers for convenience
+export { WalletMessageType } from '../types.js';
+export type { WalletInfo, WalletMessage, WalletResponse, DiscoveryRequest, DiscoveryResponse } from '../types.js';
 
 // Re-export commonly needed utilities for wallet integration
 export { ChainInfoSchema } from '@aztec/aztec.js/account';