@babylonlabs-io/ts-sdk 0.33.2 → 0.33.4

package/dist/types-ByW6nSLj.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-ByW6nSLj.js","sources":["../src/tbv/core/clients/vault-provider/json-rpc-client.ts","../src/tbv/core/clients/vault-provider/types.ts"],"sourcesContent":["/**\n * Generic JSON-RPC 2.0 HTTP Client\n *\n * Framework-agnostic client using `fetch()` — works in browsers and Node.js 18+.\n * Includes configurable retry policy and AbortSignal passthrough.\n */\n\nexport interface JsonRpcRequest<T = unknown> {\n  jsonrpc: \"2.0\";\n  method: string;\n  params: T;\n  id: number | string;\n}\n\nexport interface JsonRpcSuccessResponse<T = unknown> {\n  jsonrpc: \"2.0\";\n  result: T;\n  id: number | string;\n}\n\nexport interface JsonRpcErrorResponse {\n  jsonrpc: \"2.0\";\n  error: {\n    code: number;\n    message: string;\n    data?: unknown;\n  };\n  id: number | string;\n}\n\nexport type JsonRpcResponse<T = unknown> =\n  | JsonRpcSuccessResponse<T>\n  | JsonRpcErrorResponse;\n\n/**\n * Injects bearer tokens into requests for auth-gated methods, and is\n * notified on auth-expired responses so it can invalidate its cache.\n *\n * The `JsonRpcClient` is agnostic to which methods are auth-gated —\n * the provider's `getToken(method)` decides. Returning `null` means\n * \"no auth required for this method\"; the client then sends the\n * request with no `Authorization` header.\n */\nexport interface BearerTokenProvider {\n  /**\n   * Return the bearer token to inject for `method`, or `null` if the\n   * method does not require auth.\n   */\n  getToken(method: string): Promise<string | null>;\n  /**\n   * Drop the cached token. Next call to `getToken` must re-acquire.\n   * Called by the client on reactive-refresh-trigger responses.\n   */\n  invalidate(): void;\n}\n\nexport interface JsonRpcClientConfig {\n  /** Base URL of the RPC service */\n  baseUrl: string;\n  /** Timeout in milliseconds per request attempt */\n  timeout: number;\n  /** Optional custom headers */\n  headers?: Record<string, string>;\n  /** Number of retry attempts for transient errors (default: 3) */\n  retries?: number;\n  /** Initial retry delay in milliseconds (default: 1000) */\n  retryDelay?: number;\n  /**\n   * Maximum response body size, in bytes, for typed JSON-RPC calls.\n   * `callRaw` intentionally returns the unparsed Response and is not capped here.\n   * Default: 2 MiB.\n   */\n  maxResponseBytes?: number;\n  /**\n   * Predicate that decides which methods retry on transient errors.\n   * Default retries only `getPeginStatus`, `getPegoutStatus`, and\n   * `requestDepositorPresignTransactions`. Write methods are not\n   * retried by default.\n   */\n  retryableFor?: (method: string) => boolean;\n  /**\n   * Per-request bearer-token source. A non-null return attaches\n   * `Authorization: Bearer <token>`; `null` skips auth. `call`\n   * additionally retries once on wire `auth_expired` (invalidate +\n   * refetch + retry). `callRaw` skips reactive refresh.\n   */\n  tokenProvider?: BearerTokenProvider;\n}\n\n/**\n * Identifies whether an error was produced locally (timeout, network\n * failure, malformed response) or parsed from a wire-format JSON-RPC\n * error envelope returned by the server.\n *\n * This matters for anyone inspecting the shared `-32001` code: the SDK\n * uses it internally for network failures AND the server uses it for\n * auth-middleware rejections. The `source` field disambiguates.\n */\nexport type JsonRpcErrorSource = \"wire\" | \"local\";\n\nexport class JsonRpcError extends Error {\n  constructor(\n    public code: number,\n    message: string,\n    /** \"wire\" for server-returned envelopes; \"local\" for SDK-side failures. */\n    public source: JsonRpcErrorSource = \"local\",\n    /** Structured data from the server `error.data` field, if any. */\n    public data?: unknown,\n  ) {\n    super(message);\n    this.name = \"JsonRpcError\";\n  }\n}\n\nexport const JSON_RPC_ERROR_CODES = {\n  TIMEOUT: -32000,\n  NETWORK: -32001,\n  /** VP proxy: request timed out at proxy level */\n  PROXY_TIMEOUT: -32002,\n  /** VP proxy: VP unreachable / DNS failure / response too large */\n  PROXY_UNAVAILABLE: -32003,\n  /** SDK client: response missing \"result\" field (malformed JSON-RPC) */\n  INVALID_RESPONSE: -32700,\n  /** SDK client: response body exceeded the configured byte limit */\n  RESPONSE_TOO_LARGE: -32701,\n} as const;\n\n/** JSON-RPC protocol version */\nconst JSON_RPC_VERSION = \"2.0\" as const;\n\n/** Default number of retry attempts for transient errors */\nconst DEFAULT_RETRY_ATTEMPTS = 3;\n\n/** Default initial retry delay in milliseconds */\nconst DEFAULT_RETRY_DELAY_MS = 1000;\n\n/** Default maximum JSON-RPC response size for typed calls (2 MiB) */\nconst DEFAULT_MAX_RESPONSE_BYTES = 2 * 1024 * 1024;\n\n/**\n * TODO: Temporary typed-call exceptions for methods that currently return large\n * artifact payloads as JSON-RPC results.\n */\nconst UNCAPPED_TYPED_RESPONSE_METHODS: ReadonlySet<string> = new Set([\n  \"vaultProvider_requestDepositorClaimerArtifacts\",\n]);\n\n/** HTTP status codes that indicate transient server errors and are safe to retry */\nconst RETRYABLE_HTTP_STATUS_CODES: ReadonlySet<number> = new Set([\n  408, // Request Timeout\n  429, // Too Many Requests\n  500, // Internal Server Error\n  502, // Bad Gateway\n  503, // Service Unavailable\n  504, // Gateway Timeout\n]);\n\n/** Default retry predicate: only retry read-only / idempotent methods */\nconst DEFAULT_RETRYABLE_METHODS: ReadonlySet<string> = new Set([\n  \"vaultProvider_getPeginStatus\",\n  \"vaultProvider_getPegoutStatus\",\n  \"vaultProvider_requestDepositorPresignTransactions\",\n]);\n\nfunction defaultRetryableFor(method: string): boolean {\n  return DEFAULT_RETRYABLE_METHODS.has(method);\n}\n\n/**\n * Token-expired marker the server emits in `error.data.kind`. When\n * present on a wire-origin error, the client invalidates its cached\n * token and retries the request once with a freshly-acquired bearer.\n *\n * Kept in sync with btc-vault's auth middleware. Absence of the marker\n * means the server does not support reactive refresh yet; we fall back\n * to proactive-only refresh via `BearerTokenProvider.getToken()` TTL\n * checks.\n */\nconst AUTH_EXPIRED_DATA_KIND = \"auth_expired\";\n\nfunction isAuthExpiredError(error: unknown): boolean {\n  if (!(error instanceof JsonRpcError)) return false;\n  if (error.source !== \"wire\") return false;\n  const data = error.data;\n  if (data === null || typeof data !== \"object\") return false;\n  const kind = (data as { kind?: unknown }).kind;\n  return kind === AUTH_EXPIRED_DATA_KIND;\n}\n\n/**\n * Generic JSON-RPC 2.0 HTTP client with safe retry policy.\n */\nexport class JsonRpcClient {\n  private baseUrl: string;\n  private timeout: number;\n  private headers: Record<string, string>;\n  private requestId = 0;\n  private retries: number;\n  private retryDelay: number;\n  private maxResponseBytes: number;\n  private retryableFor: (method: string) => boolean;\n  private tokenProvider?: BearerTokenProvider;\n\n  constructor(config: JsonRpcClientConfig) {\n    this.baseUrl = config.baseUrl.replace(/\\/$/, \"\");\n    this.timeout = config.timeout;\n    this.headers = {\n      \"Content-Type\": \"application/json\",\n      ...config.headers,\n    };\n    this.retries = config.retries ?? DEFAULT_RETRY_ATTEMPTS;\n    this.retryDelay = config.retryDelay ?? DEFAULT_RETRY_DELAY_MS;\n    this.maxResponseBytes =\n      config.maxResponseBytes ?? DEFAULT_MAX_RESPONSE_BYTES;\n    if (!Number.isFinite(this.maxResponseBytes) || this.maxResponseBytes <= 0) {\n      throw new Error(\"maxResponseBytes must be a positive finite number\");\n    }\n    this.retryableFor = config.retryableFor ?? defaultRetryableFor;\n    this.tokenProvider = config.tokenProvider;\n  }\n\n  private async buildHeaders(method: string): Promise<Record<string, string>> {\n    const headers: Record<string, string> = { ...this.headers };\n    if (this.tokenProvider) {\n      const token = await this.tokenProvider.getToken(method);\n      if (token) {\n        headers.Authorization = `Bearer ${token}`;\n      }\n    }\n    return headers;\n  }\n\n  /**\n   * Make a JSON-RPC request with optional retry for safe methods.\n   *\n   * If the request fails with a wire-origin `auth_expired` error and a\n   * `tokenProvider` is configured, the client invalidates its cached\n   * token and retries the request once with a freshly-acquired bearer.\n   *\n   * @param method - The RPC method name\n   * @param params - The method parameters\n   * @param signal - Optional AbortSignal for caller-controlled cancellation\n   * @returns The result from the RPC method\n   * @throws JsonRpcError if the RPC call fails\n   */\n  async call<TParams, TResult>(\n    method: string,\n    params: TParams,\n    signal?: AbortSignal,\n  ): Promise<TResult> {\n    try {\n      return await this.callOnce<TParams, TResult>(method, params, signal);\n    } catch (error) {\n      // The auth-expired retry fires for ALL methods, including mutating\n      // ones. This is intentional and safe: the server's auth middleware\n      // validates the bearer token BEFORE dispatching to the method\n      // handler, so an `auth_expired` error means the handler never ran\n      // and no state was mutated. Confirmed against btc-vault at\n      // `crates/btc-auth/src/middleware/jsonrpc.rs` — token validation\n      // is pre-handler only. The `retryableFor` guard on\n      // HTTP-transient-error retries doesn't apply here because that\n      // guard is about retrying after a request the server may have\n      // started processing; auth_expired is categorically different.\n      if (this.tokenProvider && isAuthExpiredError(error)) {\n        this.tokenProvider.invalidate();\n        return await this.callOnce<TParams, TResult>(method, params, signal);\n      }\n      throw error;\n    }\n  }\n\n  private async callOnce<TParams, TResult>(\n    method: string,\n    params: TParams,\n    signal: AbortSignal | undefined,\n  ): Promise<TResult> {\n    const response = await this.fetchWithRetry(method, params, signal);\n\n    let jsonResponse: unknown;\n    try {\n      const responseText = UNCAPPED_TYPED_RESPONSE_METHODS.has(method)\n        ? await response.text()\n        : await readResponseTextWithLimit(response, this.maxResponseBytes);\n      jsonResponse = JSON.parse(responseText);\n    } catch (error) {\n      if (error instanceof JsonRpcError) {\n        throw error;\n      }\n      throw new JsonRpcError(\n        JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        \"Invalid JSON-RPC response: body is not valid JSON\",\n        \"local\",\n      );\n    }\n\n    if (\n      jsonResponse === null ||\n      typeof jsonResponse !== \"object\" ||\n      Array.isArray(jsonResponse)\n    ) {\n      throw new JsonRpcError(\n        JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        `Invalid JSON-RPC response: expected an object, got ${typeof jsonResponse}`,\n        \"local\",\n      );\n    }\n\n    const rpcResponse = jsonResponse as Record<string, unknown>;\n\n    if (\"error\" in rpcResponse && rpcResponse.error != null) {\n      const err = rpcResponse.error as {\n        code?: number;\n        message?: string;\n        data?: unknown;\n      };\n      throw new JsonRpcError(\n        err.code ?? JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        err.message ?? \"Unknown RPC error\",\n        \"wire\",\n        err.data,\n      );\n    }\n\n    if (!(\"result\" in rpcResponse)) {\n      throw new JsonRpcError(\n        JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        `Invalid JSON-RPC response: missing \"result\" field`,\n        \"local\",\n      );\n    }\n\n    return rpcResponse.result as TResult;\n  }\n\n  /**\n   * Make a JSON-RPC request returning the raw Response (unparsed body).\n   *\n   * Bearer tokens are injected identically to `call`. **Reactive refresh\n   * is NOT performed here** — the response body may be unbounded (e.g.\n   * claimer-artifact downloads), so the client refuses to parse it to\n   * detect auth errors. Callers relying on token-expired retries for\n   * large downloads must read the body themselves and re-invoke\n   * `callRaw` after `tokenProvider.invalidate()`.\n   */\n  async callRaw<TParams>(\n    method: string,\n    params: TParams,\n    signal?: AbortSignal,\n  ): Promise<Response> {\n    return this.fetchWithRetry(method, params, signal);\n  }\n\n  private async fetchWithRetry<TParams>(\n    method: string,\n    params: TParams,\n    callerSignal?: AbortSignal,\n  ): Promise<Response> {\n    const requestId = ++this.requestId;\n    const maxRetries = this.retryableFor(method) ? this.retries : 0;\n\n    // jsonrpsee (Rust backend) expects params as an array (positional parameters)\n    const request: JsonRpcRequest<TParams[]> = {\n      jsonrpc: JSON_RPC_VERSION,\n      method,\n      params: [params],\n      id: requestId,\n    };\n\n    const body = JSON.stringify(request);\n    let lastError: Error | null = null;\n\n    for (let attempt = 0; attempt <= maxRetries; attempt++) {\n      // Merge caller signal with per-request timeout signal\n      const timeoutController = new AbortController();\n      const timeoutId = setTimeout(\n        () => timeoutController.abort(),\n        this.timeout,\n      );\n\n      const merged = callerSignal\n        ? mergeAbortSignals(callerSignal, timeoutController.signal)\n        : null;\n      const signal = merged ? merged.signal : timeoutController.signal;\n\n      try {\n        // Build headers per-attempt so the token provider can return a\n        // freshly-acquired bearer after a prior invalidate() on this\n        // request (retry loop path) without plumbing state through.\n        const headers = await this.buildHeaders(method);\n\n        const response = await fetch(this.baseUrl, {\n          method: \"POST\",\n          headers,\n          body,\n          signal,\n        });\n\n        clearTimeout(timeoutId);\n        merged?.cleanup();\n\n        if (!response.ok) {\n          const shouldRetry =\n            attempt < maxRetries &&\n            RETRYABLE_HTTP_STATUS_CODES.has(response.status);\n\n          if (shouldRetry) {\n            const delay = this.retryDelay * Math.pow(2, attempt);\n            await this.sleep(delay, callerSignal);\n            continue;\n          }\n\n          throw new Error(\n            `HTTP error: ${response.status} ${response.statusText}`,\n          );\n        }\n\n        return response;\n      } catch (error) {\n        clearTimeout(timeoutId);\n        merged?.cleanup();\n        lastError = error instanceof Error ? error : new Error(String(error));\n\n        // Check if caller aborted (not our timeout)\n        if (callerSignal?.aborted) {\n          throw new Error(\"Request aborted\");\n        }\n\n        if (error instanceof Error && error.name === \"AbortError\") {\n          if (attempt < maxRetries) {\n            const delay = this.retryDelay * Math.pow(2, attempt);\n            await this.sleep(delay, callerSignal);\n            continue;\n          }\n          throw new JsonRpcError(\n            JSON_RPC_ERROR_CODES.TIMEOUT,\n            `Request timeout after ${this.timeout}ms (${maxRetries + 1} attempts)`,\n            \"local\",\n          );\n        }\n\n        // Handle network errors (CORS, connection refused, etc.)\n        if (error instanceof TypeError) {\n          if (attempt < maxRetries) {\n            const delay = this.retryDelay * Math.pow(2, attempt);\n            await this.sleep(delay, callerSignal);\n            continue;\n          }\n          throw new JsonRpcError(\n            JSON_RPC_ERROR_CODES.NETWORK,\n            `Network error: ${error.message} (${maxRetries + 1} attempts)`,\n            \"local\",\n          );\n        }\n\n        // Don't retry JSON-RPC errors (business logic errors)\n        throw error;\n      }\n    }\n\n    throw lastError || new Error(\"Unknown error after retries\");\n  }\n\n  private sleep(ms: number, signal?: AbortSignal): Promise<void> {\n    return new Promise((resolve, reject) => {\n      if (signal?.aborted) {\n        reject(new Error(\"Request aborted\"));\n        return;\n      }\n      const timeoutId = setTimeout(() => {\n        signal?.removeEventListener(\"abort\", onAbort);\n        resolve();\n      }, ms);\n      const onAbort = () => {\n        clearTimeout(timeoutId);\n        reject(new Error(\"Request aborted\"));\n      };\n      signal?.addEventListener(\"abort\", onAbort, { once: true });\n    });\n  }\n\n  getBaseUrl(): string {\n    return this.baseUrl;\n  }\n}\n\ninterface MergedSignal {\n  signal: AbortSignal;\n  /** Remove listeners from the source signals. Call after the request completes. */\n  cleanup: () => void;\n}\n\n/**\n * Merge two AbortSignals — the returned signal aborts if either input aborts.\n * Returns a cleanup function to remove listeners when the request completes\n * normally, preventing listener accumulation in long-lived polling flows.\n */\nfunction mergeAbortSignals(a: AbortSignal, b: AbortSignal): MergedSignal {\n  if (a.aborted) return { signal: a, cleanup: () => {} };\n  if (b.aborted) return { signal: b, cleanup: () => {} };\n\n  const controller = new AbortController();\n  const onAbortA = () => {\n    b.removeEventListener(\"abort\", onAbortB);\n    controller.abort();\n  };\n  const onAbortB = () => {\n    a.removeEventListener(\"abort\", onAbortA);\n    controller.abort();\n  };\n  a.addEventListener(\"abort\", onAbortA, { once: true });\n  b.addEventListener(\"abort\", onAbortB, { once: true });\n\n  const cleanup = () => {\n    a.removeEventListener(\"abort\", onAbortA);\n    b.removeEventListener(\"abort\", onAbortB);\n  };\n\n  return { signal: controller.signal, cleanup };\n}\n\nasync function readResponseTextWithLimit(\n  response: Response,\n  maxBytes: number,\n): Promise<string> {\n  const contentLength = response.headers.get(\"content-length\");\n  if (contentLength !== null) {\n    const parsedContentLength = Number(contentLength);\n    if (\n      Number.isFinite(parsedContentLength) &&\n      parsedContentLength > maxBytes\n    ) {\n      throw responseTooLargeError(maxBytes);\n    }\n  }\n\n  if (!response.body) {\n    return \"\";\n  }\n\n  const reader = response.body.getReader();\n  const decoder = new TextDecoder();\n  let totalBytes = 0;\n  let responseText = \"\";\n\n  try {\n    for (;;) {\n      const { done, value } = await reader.read();\n      if (done) break;\n      if (!value) continue;\n\n      totalBytes += value.byteLength;\n      if (totalBytes > maxBytes) {\n        await reader.cancel();\n        throw responseTooLargeError(maxBytes);\n      }\n      responseText += decoder.decode(value, { stream: true });\n    }\n  } finally {\n    reader.releaseLock();\n  }\n\n  return responseText + decoder.decode();\n}\n\nfunction responseTooLargeError(maxBytes: number): JsonRpcError {\n  return new JsonRpcError(\n    JSON_RPC_ERROR_CODES.RESPONSE_TOO_LARGE,\n    `JSON-RPC response exceeds maximum size of ${maxBytes} bytes`,\n    \"local\",\n  );\n}\n","/**\n * Type definitions for Vault Provider JSON-RPC API.\n *\n * These types match the `vaultProvider_*` RPC namespace defined by the\n * btc-vault daemon. They are the SDK's canonical copy of the VP protocol\n * contract, independent of any frontend framework.\n *\n * @see https://github.com/babylonlabs-io/btc-vault/blob/main/docs/pegin.md\n */\n\n// ============================================================================\n// Daemon Status\n// ============================================================================\n\n/**\n * Backend daemon status (vault provider database).\n * Source: btc-vault crates/vaultd/src/workers/claimer/mod.rs PegInStatus enum\n *\n * State flow (happy path):\n * PendingIngestion -> PendingDepositorWotsPK -> PendingBabeSetup -> PendingChallengerPresigning\n *   -> PendingPeginSigsAvailability -> PendingPrePegInConfirmations\n *   -> PendingDepositorSignatures -> PendingACKs -> PendingActivation -> Activated\n *\n * Terminal / branching states:\n * - Expired: vault timed out before activation\n * - ClaimPosted: claim transaction posted on-chain\n * - PeggedOut: BTC has been returned to the depositor\n */\nexport enum DaemonStatus {\n  PENDING_INGESTION = \"PendingIngestion\",\n  PENDING_DEPOSITOR_WOTS_PK = \"PendingDepositorWotsPK\",\n  PENDING_BABE_SETUP = \"PendingBabeSetup\",\n  PENDING_CHALLENGER_PRESIGNING = \"PendingChallengerPresigning\",\n  PENDING_PEGIN_SIGS_AVAILABILITY = \"PendingPeginSigsAvailability\",\n  PENDING_PRE_PEGIN_CONFIRMATIONS = \"PendingPrePegInConfirmations\",\n  PENDING_DEPOSITOR_SIGNATURES = \"PendingDepositorSignatures\",\n  PENDING_ACKS = \"PendingACKs\",\n  PENDING_ACTIVATION = \"PendingActivation\",\n  ACTIVATED = \"Activated\",\n  EXPIRED = \"Expired\",\n  CLAIM_POSTED = \"ClaimPosted\",\n  PEGGED_OUT = \"PeggedOut\",\n}\n\n// ============================================================================\n// Status Groups\n// ============================================================================\n\n/**\n * States where the VP is still processing (no depositor action needed).\n * Excludes PENDING_DEPOSITOR_WOTS_PK (requires depositor action).\n */\nexport const PRE_DEPOSITOR_SIGNATURES_STATES: readonly DaemonStatus[] = [\n  DaemonStatus.PENDING_INGESTION,\n  DaemonStatus.PENDING_BABE_SETUP,\n  DaemonStatus.PENDING_CHALLENGER_PRESIGNING,\n  DaemonStatus.PENDING_PEGIN_SIGS_AVAILABILITY,\n  DaemonStatus.PENDING_PRE_PEGIN_CONFIRMATIONS,\n];\n\n/** States after PendingDepositorSignatures where the depositor has no action. */\nconst POST_PAYOUT_SIGNATURE_STATUSES: readonly DaemonStatus[] = [\n  DaemonStatus.PENDING_ACKS,\n  DaemonStatus.PENDING_ACTIVATION,\n  DaemonStatus.ACTIVATED,\n];\n\n/**\n * Statuses where no depositor action is needed (VP processing or already past\n * depositor interaction). Excludes PENDING_INGESTION and PENDING_DEPOSITOR_WOTS_PK.\n */\nexport const VP_TRANSIENT_STATUSES: ReadonlySet<DaemonStatus> = new Set([\n  DaemonStatus.PENDING_BABE_SETUP,\n  DaemonStatus.PENDING_CHALLENGER_PRESIGNING,\n  DaemonStatus.PENDING_PEGIN_SIGS_AVAILABILITY,\n  DaemonStatus.PENDING_PRE_PEGIN_CONFIRMATIONS,\n  ...POST_PAYOUT_SIGNATURE_STATUSES,\n]);\n\n/**\n * Terminal VP statuses where no further progress is possible.\n * If the VP reaches one of these states while polling, polling should\n * stop immediately with an error rather than waiting for timeout.\n */\nexport const VP_TERMINAL_STATUSES: ReadonlySet<DaemonStatus> = new Set([\n  DaemonStatus.EXPIRED,\n  DaemonStatus.CLAIM_POSTED,\n  DaemonStatus.PEGGED_OUT,\n]);\n\n/**\n * Statuses that come after WOTS key submission.\n * If the VP is already in one of these states, the WOTS key was already\n * submitted and we can skip.\n */\nexport const POST_WOTS_STATUSES: ReadonlySet<DaemonStatus> = new Set([\n  ...VP_TRANSIENT_STATUSES,\n  DaemonStatus.PENDING_DEPOSITOR_SIGNATURES,\n]);\n\n// ============================================================================\n// WOTS Types (needed by SubmitDepositorWotsKeyParams)\n// ============================================================================\n\n/**\n * WOTS configuration for a single block.\n * Matches Rust `babe::wots::Config` serde format.\n */\nexport interface WotsConfig {\n  /** Digit bit-width (e.g. 4 → base-16 digits). */\n  d: number;\n  /** Number of message digits in this block. */\n  n: number;\n  /** Radix used for the checksum computation. */\n  checksum_radix: number;\n}\n\n/**\n * A single block of WOTS public keys.\n * Chain values are arrays of byte values (matching Rust `[u8; 20]`).\n */\nexport interface WotsBlockPublicKey {\n  config: WotsConfig;\n  message_terminals: number[][];\n  checksum_major_terminal: number[];\n  checksum_minor_terminal: number[];\n}\n\n// ============================================================================\n// Request Parameter Types\n// ============================================================================\n\n/** Params for requesting the payout/claim/assert transactions to pre-sign. */\nexport interface RequestDepositorPresignTransactionsParams {\n  pegin_txid: string;\n  depositor_pk: string;\n}\n\n/** Params for submitting the depositor's WOTS public key to the VP. */\nexport interface SubmitDepositorWotsKeyParams {\n  pegin_txid: string;\n  depositor_pk: string;\n  wots_public_keys: WotsBlockPublicKey[];\n}\n\n/** Per-challenger signatures for the depositor-as-claimer flow. */\nexport interface DepositorPreSigsPerChallenger {\n  nopayout_signature: string;\n}\n\n/** Depositor-as-claimer pre-signatures (payout + per-challenger). */\nexport interface DepositorAsClaimerPresignatures {\n  payout_signatures: ClaimerSignatures;\n  per_challenger: Record<string, DepositorPreSigsPerChallenger>;\n}\n\n/** Params for submitting depositor pre-signatures including claimer presignatures. */\nexport interface SubmitDepositorPresignaturesParams {\n  pegin_txid: string;\n  depositor_pk: string;\n  signatures: Record<string, ClaimerSignatures>;\n  depositor_claimer_presignatures: DepositorAsClaimerPresignatures;\n}\n\n/** Payout signatures per claimer. */\nexport interface ClaimerSignatures {\n  payout_signature: string;\n}\n\n/** Params for requesting BaBe DecryptorArtifacts from the VP. */\nexport interface RequestDepositorClaimerArtifactsParams {\n  pegin_txid: string;\n  depositor_pk: string;\n}\n\n/** Params for querying pegin status. Either pegin_txid or vault_id must be provided. */\nexport type GetPeginStatusParams =\n  | { pegin_txid: string; vault_id?: never }\n  | { vault_id: string; pegin_txid?: never };\n\n// ============================================================================\n// Response Types\n// ============================================================================\n\n/** A raw Bitcoin transaction with its hex encoding. */\nexport interface TransactionData {\n  tx_hex: string;\n}\n\n/** Set of transactions the depositor must pre-sign for a single claimer. */\nexport interface ClaimerTransactions {\n  claimer_pubkey: string;\n  claim_tx: TransactionData;\n  assert_tx: TransactionData;\n  payout_tx: TransactionData;\n  payout_psbt: string;\n}\n\n/** Per-segment connector data for ChallengeAssert inputs. */\nexport interface ChallengeAssertConnectorData {\n  wots_pks_json: string;\n  gc_wots_keys_json: string;\n}\n\n/** Challenger-specific transactions and signing data for the depositor graph. */\nexport interface PresignDataPerChallenger {\n  challenger_pubkey: string;\n  challenge_assert_x_tx: TransactionData;\n  challenge_assert_y_tx: TransactionData;\n  nopayout_tx: TransactionData;\n  nopayout_psbt: string;\n  challenge_assert_connectors: ChallengeAssertConnectorData[];\n  output_label_hashes: string[];\n}\n\n/** Depositor-as-claimer TxGraph transactions. */\nexport interface DepositorGraphTransactions {\n  claim_tx: TransactionData;\n  assert_tx: TransactionData;\n  payout_tx: TransactionData;\n  payout_psbt: string;\n  challenger_presign_data: PresignDataPerChallenger[];\n  offchain_params_version: number;\n}\n\n/** Response from `requestDepositorPresignTransactions`. */\nexport interface RequestDepositorPresignTransactionsResponse {\n  txs: ClaimerTransactions[];\n  depositor_graph: DepositorGraphTransactions;\n}\n\n/** BaBe garbled-circuit session data for a single challenger. */\nexport interface BaBeSessionData {\n  decryptor_artifacts_hex: string;\n}\n\n/** Response from `requestDepositorClaimerArtifacts`. */\nexport interface RequestDepositorClaimerArtifactsResponse {\n  tx_graph_json: string;\n  verifying_key_hex: string;\n  babe_sessions: Record<string, BaBeSessionData>;\n}\n\n/** Progress tracker for a multi-challenger operation. */\nexport interface ChallengerProgress {\n  total_challengers: number;\n  completed_challengers: number;\n  completed_challenger_pubkeys: string[];\n  pending_challenger_pubkeys: string[];\n}\n\nexport type GcDataProgress = ChallengerProgress;\nexport type AckCollectionProgress = ChallengerProgress;\n\n/** Extended presigning progress with all 3 concurrent phases. */\nexport interface PresigningProgress extends ChallengerProgress {\n  depositor_graph_created?: boolean;\n  vk_challenger_presigning_completed?: number;\n  vk_challenger_presigning_total?: number;\n}\n\n/** Detailed progress breakdown for an in-progress pegin. */\nexport interface PeginProgressDetails {\n  gc_data?: GcDataProgress;\n  presigning?: PresigningProgress;\n  ack_collection?: AckCollectionProgress;\n  claimer_graphs?: ClaimerGraphStatus[];\n}\n\n/** Per-claimer graph status (challenger perspective). */\nexport interface ClaimerGraphStatus {\n  claimer_pubkey: string;\n  presigned: boolean;\n}\n\n/** Response from `getPeginStatus`. */\nexport interface GetPeginStatusResponse {\n  pegin_txid: string;\n  status: string;\n  progress: PeginProgressDetails;\n  health_info: string;\n  last_error?: string;\n}\n\n// ============================================================================\n// Pegout Types\n// ============================================================================\n\n/** Params for querying pegout status from the VP daemon. */\nexport interface GetPegoutStatusParams {\n  pegin_txid: string;\n}\n\n/** Claimer-side pegout progress. */\nexport interface ClaimerPegoutStatus {\n  status: string;\n  failed: boolean;\n  claim_txid?: string;\n  claimer_pubkey?: string;\n  challenger_pubkey?: string;\n  created_at?: string;\n  updated_at?: string;\n}\n\n/** Challenger-side pegout progress. */\nexport interface ChallengerPegoutStatus {\n  status: string;\n  claim_txid?: string;\n  claimer_pubkey?: string;\n  assert_txid?: string;\n  challenge_assert_txid?: string;\n  nopayout_txid?: string;\n  created_at?: string;\n  updated_at?: string;\n}\n\n/** Response from `getPegoutStatus`. */\nexport interface GetPegoutStatusResponse {\n  pegin_txid: string;\n  found: boolean;\n  claimer?: ClaimerPegoutStatus;\n  challenger?: ChallengerPegoutStatus;\n}\n\n// ============================================================================\n// Error Codes\n// ============================================================================\n\n/** JSON-RPC error codes returned by the vault provider. */\nexport enum RpcErrorCode {\n  DATABASE_ERROR = -32005,\n  PRESIGN_ERROR = -32006,\n  JSON_SERIALIZATION_ERROR = -32007,\n  TX_GRAPH_ERROR = -32008,\n  INVALID_GRAPH = -32009,\n  VALIDATION_ERROR = -32010,\n  NOT_FOUND = -32011,\n  INTERNAL_ERROR = -32603,\n}\n"],"names":["JsonRpcError","code","message","source","data","JSON_RPC_ERROR_CODES","JSON_RPC_VERSION","DEFAULT_RETRY_ATTEMPTS","DEFAULT_RETRY_DELAY_MS","DEFAULT_MAX_RESPONSE_BYTES","UNCAPPED_TYPED_RESPONSE_METHODS","RETRYABLE_HTTP_STATUS_CODES","DEFAULT_RETRYABLE_METHODS","defaultRetryableFor","method","AUTH_EXPIRED_DATA_KIND","isAuthExpiredError","error","JsonRpcClient","config","__publicField","headers","token","params","signal","response","jsonResponse","responseText","readResponseTextWithLimit","rpcResponse","err","callerSignal","requestId","maxRetries","body","lastError","attempt","timeoutController","timeoutId","merged","mergeAbortSignals","delay","ms","resolve","reject","onAbort","a","b","controller","onAbortA","onAbortB","cleanup","maxBytes","contentLength","parsedContentLength","responseTooLargeError","reader","decoder","totalBytes","done","value","DaemonStatus","PRE_DEPOSITOR_SIGNATURES_STATES","POST_PAYOUT_SIGNATURE_STATUSES","VP_TRANSIENT_STATUSES","VP_TERMINAL_STATUSES","POST_WOTS_STATUSES","RpcErrorCode"],"mappings":";;;AAoGO,MAAMA,UAAqB,MAAM;AAAA,EACtC,YACSC,GACPC,GAEOC,IAA6B,SAE7BC,GACP;AACA,UAAMF,CAAO,GAPN,KAAA,OAAAD,GAGA,KAAA,SAAAE,GAEA,KAAA,OAAAC,GAGP,KAAK,OAAO;AAAA,EACd;AACF;AAEO,MAAMC,IAAuB;AAAA,EAClC,SAAS;AAAA,EACT,SAAS;AAAA;AAAA,EAET,eAAe;AAAA;AAAA,EAEf,mBAAmB;AAAA;AAAA,EAEnB,kBAAkB;AAAA;AAAA,EAElB,oBAAoB;AACtB,GAGMC,IAAmB,OAGnBC,IAAyB,GAGzBC,IAAyB,KAGzBC,IAA6B,IAAI,OAAO,MAMxCC,wBAA2D,IAAI;AAAA,EACnE;AACF,CAAC,GAGKC,wBAAuD,IAAI;AAAA,EAC/D;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AACF,CAAC,GAGKC,wBAAqD,IAAI;AAAA,EAC7D;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,SAASC,EAAoBC,GAAyB;AACpD,SAAOF,EAA0B,IAAIE,CAAM;AAC7C;AAYA,MAAMC,IAAyB;AAE/B,SAASC,EAAmBC,GAAyB;AAEnD,MADI,EAAEA,aAAiBjB,MACnBiB,EAAM,WAAW,OAAQ,QAAO;AACpC,QAAMb,IAAOa,EAAM;AACnB,SAAIb,MAAS,QAAQ,OAAOA,KAAS,WAAiB,KACxCA,EAA4B,SAC1BW;AAClB;AAKO,MAAMG,EAAc;AAAA,EAWzB,YAAYC,GAA6B;AAVjC,IAAAC,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA,mBAAY;AACZ,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AACA,IAAAA,EAAA;AAaN,QAVA,KAAK,UAAUD,EAAO,QAAQ,QAAQ,OAAO,EAAE,GAC/C,KAAK,UAAUA,EAAO,SACtB,KAAK,UAAU;AAAA,MACb,gBAAgB;AAAA,MAChB,GAAGA,EAAO;AAAA,IAAA,GAEZ,KAAK,UAAUA,EAAO,WAAWZ,GACjC,KAAK,aAAaY,EAAO,cAAcX,GACvC,KAAK,mBACHW,EAAO,oBAAoBV,GACzB,CAAC,OAAO,SAAS,KAAK,gBAAgB,KAAK,KAAK,oBAAoB;AACtE,YAAM,IAAI,MAAM,mDAAmD;AAErE,SAAK,eAAeU,EAAO,gBAAgBN,GAC3C,KAAK,gBAAgBM,EAAO;AAAA,EAC9B;AAAA,EAEA,MAAc,aAAaL,GAAiD;AAC1E,UAAMO,IAAkC,EAAE,GAAG,KAAK,QAAA;AAClD,QAAI,KAAK,eAAe;AACtB,YAAMC,IAAQ,MAAM,KAAK,cAAc,SAASR,CAAM;AACtD,MAAIQ,MACFD,EAAQ,gBAAgB,UAAUC,CAAK;AAAA,IAE3C;AACA,WAAOD;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,KACJP,GACAS,GACAC,GACkB;AAClB,QAAI;AACF,aAAO,MAAM,KAAK,SAA2BV,GAAQS,GAAQC,CAAM;AAAA,IACrE,SAASP,GAAO;AAWd,UAAI,KAAK,iBAAiBD,EAAmBC,CAAK;AAChD,oBAAK,cAAc,WAAA,GACZ,MAAM,KAAK,SAA2BH,GAAQS,GAAQC,CAAM;AAErE,YAAMP;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAc,SACZH,GACAS,GACAC,GACkB;AAClB,UAAMC,IAAW,MAAM,KAAK,eAAeX,GAAQS,GAAQC,CAAM;AAEjE,QAAIE;AACJ,QAAI;AACF,YAAMC,IAAejB,EAAgC,IAAII,CAAM,IAC3D,MAAMW,EAAS,KAAA,IACf,MAAMG,EAA0BH,GAAU,KAAK,gBAAgB;AACnE,MAAAC,IAAe,KAAK,MAAMC,CAAY;AAAA,IACxC,SAASV,GAAO;AACd,YAAIA,aAAiBjB,IACbiB,IAEF,IAAIjB;AAAA,QACRK,EAAqB;AAAA,QACrB;AAAA,QACA;AAAA,MAAA;AAAA,IAEJ;AAEA,QACEqB,MAAiB,QACjB,OAAOA,KAAiB,YACxB,MAAM,QAAQA,CAAY;AAE1B,YAAM,IAAI1B;AAAA,QACRK,EAAqB;AAAA,QACrB,sDAAsD,OAAOqB,CAAY;AAAA,QACzE;AAAA,MAAA;AAIJ,UAAMG,IAAcH;AAEpB,QAAI,WAAWG,KAAeA,EAAY,SAAS,MAAM;AACvD,YAAMC,IAAMD,EAAY;AAKxB,YAAM,IAAI7B;AAAA,QACR8B,EAAI,QAAQzB,EAAqB;AAAA,QACjCyB,EAAI,WAAW;AAAA,QACf;AAAA,QACAA,EAAI;AAAA,MAAA;AAAA,IAER;AAEA,QAAI,EAAE,YAAYD;AAChB,YAAM,IAAI7B;AAAA,QACRK,EAAqB;AAAA,QACrB;AAAA,QACA;AAAA,MAAA;AAIJ,WAAOwB,EAAY;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,QACJf,GACAS,GACAC,GACmB;AACnB,WAAO,KAAK,eAAeV,GAAQS,GAAQC,CAAM;AAAA,EACnD;AAAA,EAEA,MAAc,eACZV,GACAS,GACAQ,GACmB;AACnB,UAAMC,IAAY,EAAE,KAAK,WACnBC,IAAa,KAAK,aAAanB,CAAM,IAAI,KAAK,UAAU,GAUxDoB,IAAO,KAAK,UAPyB;AAAA,MACzC,SAAS5B;AAAA,MACT,QAAAQ;AAAA,MACA,QAAQ,CAACS,CAAM;AAAA,MACf,IAAIS;AAAA,IAAA,CAG6B;AACnC,QAAIG,IAA0B;AAE9B,aAASC,IAAU,GAAGA,KAAWH,GAAYG,KAAW;AAEtD,YAAMC,IAAoB,IAAI,gBAAA,GACxBC,IAAY;AAAA,QAChB,MAAMD,EAAkB,MAAA;AAAA,QACxB,KAAK;AAAA,MAAA,GAGDE,IAASR,IACXS,EAAkBT,GAAcM,EAAkB,MAAM,IACxD,MACEb,IAASe,IAASA,EAAO,SAASF,EAAkB;AAE1D,UAAI;AAIF,cAAMhB,IAAU,MAAM,KAAK,aAAaP,CAAM,GAExCW,IAAW,MAAM,MAAM,KAAK,SAAS;AAAA,UACzC,QAAQ;AAAA,UACR,SAAAJ;AAAA,UACA,MAAAa;AAAA,UACA,QAAAV;AAAA,QAAA,CACD;AAKD,YAHA,aAAac,CAAS,GACtBC,KAAA,QAAAA,EAAQ,WAEJ,CAACd,EAAS,IAAI;AAKhB,cAHEW,IAAUH,KACVtB,EAA4B,IAAIc,EAAS,MAAM,GAEhC;AACf,kBAAMgB,IAAQ,KAAK,aAAa,KAAK,IAAI,GAAGL,CAAO;AACnD,kBAAM,KAAK,MAAMK,GAAOV,CAAY;AACpC;AAAA,UACF;AAEA,gBAAM,IAAI;AAAA,YACR,eAAeN,EAAS,MAAM,IAAIA,EAAS,UAAU;AAAA,UAAA;AAAA,QAEzD;AAEA,eAAOA;AAAA,MACT,SAASR,GAAO;AAMd,YALA,aAAaqB,CAAS,GACtBC,KAAA,QAAAA,EAAQ,WACRJ,IAAYlB,aAAiB,QAAQA,IAAQ,IAAI,MAAM,OAAOA,CAAK,CAAC,GAGhEc,KAAA,QAAAA,EAAc;AAChB,gBAAM,IAAI,MAAM,iBAAiB;AAGnC,YAAId,aAAiB,SAASA,EAAM,SAAS,cAAc;AACzD,cAAImB,IAAUH,GAAY;AACxB,kBAAMQ,IAAQ,KAAK,aAAa,KAAK,IAAI,GAAGL,CAAO;AACnD,kBAAM,KAAK,MAAMK,GAAOV,CAAY;AACpC;AAAA,UACF;AACA,gBAAM,IAAI/B;AAAA,YACRK,EAAqB;AAAA,YACrB,yBAAyB,KAAK,OAAO,OAAO4B,IAAa,CAAC;AAAA,YAC1D;AAAA,UAAA;AAAA,QAEJ;AAGA,YAAIhB,aAAiB,WAAW;AAC9B,cAAImB,IAAUH,GAAY;AACxB,kBAAMQ,IAAQ,KAAK,aAAa,KAAK,IAAI,GAAGL,CAAO;AACnD,kBAAM,KAAK,MAAMK,GAAOV,CAAY;AACpC;AAAA,UACF;AACA,gBAAM,IAAI/B;AAAA,YACRK,EAAqB;AAAA,YACrB,kBAAkBY,EAAM,OAAO,KAAKgB,IAAa,CAAC;AAAA,YAClD;AAAA,UAAA;AAAA,QAEJ;AAGA,cAAMhB;AAAA,MACR;AAAA,IACF;AAEA,UAAMkB,KAAa,IAAI,MAAM,6BAA6B;AAAA,EAC5D;AAAA,EAEQ,MAAMO,GAAYlB,GAAqC;AAC7D,WAAO,IAAI,QAAQ,CAACmB,GAASC,MAAW;AACtC,UAAIpB,KAAA,QAAAA,EAAQ,SAAS;AACnB,QAAAoB,EAAO,IAAI,MAAM,iBAAiB,CAAC;AACnC;AAAA,MACF;AACA,YAAMN,IAAY,WAAW,MAAM;AACjC,QAAAd,KAAA,QAAAA,EAAQ,oBAAoB,SAASqB,IACrCF,EAAA;AAAA,MACF,GAAGD,CAAE,GACCG,IAAU,MAAM;AACpB,qBAAaP,CAAS,GACtBM,EAAO,IAAI,MAAM,iBAAiB,CAAC;AAAA,MACrC;AACA,MAAApB,KAAA,QAAAA,EAAQ,iBAAiB,SAASqB,GAAS,EAAE,MAAM;IACrD,CAAC;AAAA,EACH;AAAA,EAEA,aAAqB;AACnB,WAAO,KAAK;AAAA,EACd;AACF;AAaA,SAASL,EAAkBM,GAAgBC,GAA8B;AACvE,MAAID,EAAE,QAAS,QAAO,EAAE,QAAQA,GAAG,SAAS,MAAM;AAAA,EAAC,EAAA;AACnD,MAAIC,EAAE,QAAS,QAAO,EAAE,QAAQA,GAAG,SAAS,MAAM;AAAA,EAAC,EAAA;AAEnD,QAAMC,IAAa,IAAI,gBAAA,GACjBC,IAAW,MAAM;AACrB,IAAAF,EAAE,oBAAoB,SAASG,CAAQ,GACvCF,EAAW,MAAA;AAAA,EACb,GACME,IAAW,MAAM;AACrB,IAAAJ,EAAE,oBAAoB,SAASG,CAAQ,GACvCD,EAAW,MAAA;AAAA,EACb;AACA,EAAAF,EAAE,iBAAiB,SAASG,GAAU,EAAE,MAAM,IAAM,GACpDF,EAAE,iBAAiB,SAASG,GAAU,EAAE,MAAM,IAAM;AAEpD,QAAMC,IAAU,MAAM;AACpB,IAAAL,EAAE,oBAAoB,SAASG,CAAQ,GACvCF,EAAE,oBAAoB,SAASG,CAAQ;AAAA,EACzC;AAEA,SAAO,EAAE,QAAQF,EAAW,QAAQ,SAAAG,EAAA;AACtC;AAEA,eAAevB,EACbH,GACA2B,GACiB;AACjB,QAAMC,IAAgB5B,EAAS,QAAQ,IAAI,gBAAgB;AAC3D,MAAI4B,MAAkB,MAAM;AAC1B,UAAMC,IAAsB,OAAOD,CAAa;AAChD,QACE,OAAO,SAASC,CAAmB,KACnCA,IAAsBF;AAEtB,YAAMG,EAAsBH,CAAQ;AAAA,EAExC;AAEA,MAAI,CAAC3B,EAAS;AACZ,WAAO;AAGT,QAAM+B,IAAS/B,EAAS,KAAK,UAAA,GACvBgC,IAAU,IAAI,YAAA;AACpB,MAAIC,IAAa,GACb/B,IAAe;AAEnB,MAAI;AACF,eAAS;AACP,YAAM,EAAE,MAAAgC,GAAM,OAAAC,EAAA,IAAU,MAAMJ,EAAO,KAAA;AACrC,UAAIG,EAAM;AACV,UAAKC,GAGL;AAAA,YADAF,KAAcE,EAAM,YAChBF,IAAaN;AACf,sBAAMI,EAAO,OAAA,GACPD,EAAsBH,CAAQ;AAEtC,QAAAzB,KAAgB8B,EAAQ,OAAOG,GAAO,EAAE,QAAQ,IAAM;AAAA;AAAA,IACxD;AAAA,EACF,UAAA;AACE,IAAAJ,EAAO,YAAA;AAAA,EACT;AAEA,SAAO7B,IAAe8B,EAAQ,OAAA;AAChC;AAEA,SAASF,EAAsBH,GAAgC;AAC7D,SAAO,IAAIpD;AAAA,IACTK,EAAqB;AAAA,IACrB,6CAA6C+C,CAAQ;AAAA,IACrD;AAAA,EAAA;AAEJ;AC9hBO,IAAKS,sBAAAA,OACVA,EAAA,oBAAoB,oBACpBA,EAAA,4BAA4B,0BAC5BA,EAAA,qBAAqB,oBACrBA,EAAA,gCAAgC,+BAChCA,EAAA,kCAAkC,gCAClCA,EAAA,kCAAkC,gCAClCA,EAAA,+BAA+B,8BAC/BA,EAAA,eAAe,eACfA,EAAA,qBAAqB,qBACrBA,EAAA,YAAY,aACZA,EAAA,UAAU,WACVA,EAAA,eAAe,eACfA,EAAA,aAAa,aAbHA,IAAAA,KAAA,CAAA,CAAA;AAwBL,MAAMC,IAA2D;AAAA,EACtE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AACF,GAGMC,IAA0D;AAAA,EAC9D;AAAA,EACA;AAAA,EACA;AAAA;AACF,GAMaC,wBAAuD,IAAI;AAAA,EACtE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,GAAGD;AACL,CAAC,GAOYE,wBAAsD,IAAI;AAAA,EACrE;AAAA,EACA;AAAA,EACA;AAAA;AACF,CAAC,GAOYC,wBAAoD,IAAI;AAAA,EACnE,GAAGF;AAAA,EACH;AAAA;AACF,CAAC;AAuOM,IAAKG,sBAAAA,OACVA,EAAAA,EAAA,iBAAiB,MAAA,IAAjB,kBACAA,EAAAA,EAAA,gBAAgB,MAAA,IAAhB,iBACAA,EAAAA,EAAA,2BAA2B,MAAA,IAA3B,4BACAA,EAAAA,EAAA,iBAAiB,MAAA,IAAjB,kBACAA,EAAAA,EAAA,gBAAgB,MAAA,IAAhB,iBACAA,EAAAA,EAAA,mBAAmB,MAAA,IAAnB,oBACAA,EAAAA,EAAA,YAAY,MAAA,IAAZ,aACAA,EAAAA,EAAA,iBAAiB,MAAA,IAAjB,kBARUA,IAAAA,KAAA,CAAA,CAAA;"}

package/dist/types-CfCZyfid.cjs

@@ -0,0 +1,2 @@
+"use strict";var y=Object.defineProperty;var b=(e,t,r)=>t in e?y(e,t,{enumerable:!0,configurable:!0,writable:!0,value:r}):e[t]=r;var P=(e,t,r)=>b(e,typeof t!="symbol"?t+"":t,r);class R extends Error{constructor(t,r,n="local",o){super(r),this.code=t,this.source=n,this.data=o,this.name="JsonRpcError"}}const u={TIMEOUT:-32e3,NETWORK:-32001,PROXY_TIMEOUT:-32002,PROXY_UNAVAILABLE:-32003,INVALID_RESPONSE:-32700,RESPONSE_TOO_LARGE:-32701},f="2.0",p=3,D=1e3,L=2*1024*1024,v=new Set(["vaultProvider_requestDepositorClaimerArtifacts"]),g=new Set([408,429,500,502,503,504]),U=new Set(["vaultProvider_getPeginStatus","vaultProvider_getPegoutStatus","vaultProvider_requestDepositorPresignTransactions"]);function m(e){return U.has(e)}const G="auth_expired";function C(e){if(!(e instanceof R)||e.source!=="wire")return!1;const t=e.data;return t===null||typeof t!="object"?!1:t.kind===G}class B{constructor(t){P(this,"baseUrl");P(this,"timeout");P(this,"headers");P(this,"requestId",0);P(this,"retries");P(this,"retryDelay");P(this,"maxResponseBytes");P(this,"retryableFor");P(this,"tokenProvider");if(this.baseUrl=t.baseUrl.replace(/\/$/,""),this.timeout=t.timeout,this.headers={"Content-Type":"application/json",...t.headers},this.retries=t.retries??p,this.retryDelay=t.retryDelay??D,this.maxResponseBytes=t.maxResponseBytes??L,!Number.isFinite(this.maxResponseBytes)||this.maxResponseBytes<=0)throw new Error("maxResponseBytes must be a positive finite number");this.retryableFor=t.retryableFor??m,this.tokenProvider=t.tokenProvider}async buildHeaders(t){const r={...this.headers};if(this.tokenProvider){const n=await this.tokenProvider.getToken(t);n&&(r.Authorization=`Bearer ${n}`)}return r}async call(t,r,n){try{return await this.callOnce(t,r,n)}catch(o){if(this.tokenProvider&&C(o))return this.tokenProvider.invalidate(),await this.callOnce(t,r,n);throw o}}async callOnce(t,r,n){const o=await this.fetchWithRetry(t,r,n);let s;try{const i=v.has(t)?await o.text():await k(o,this.maxResponseBytes);s=JSON.parse(i)}catch(i){throw i instanceof R?i:new R(u.INVALID_RESPONSE,"Invalid JSON-RPC response: body is not valid JSON","local")}if(s===null||typeof s!="object"||Array.isArray(s))throw new R(u.INVALID_RESPONSE,`Invalid JSON-RPC response: expected an object, got ${typeof s}`,"local");const a=s;if("error"in a&&a.error!=null){const i=a.error;throw new R(i.code??u.INVALID_RESPONSE,i.message??"Unknown RPC error","wire",i.data)}if(!("result"in a))throw new R(u.INVALID_RESPONSE,'Invalid JSON-RPC response: missing "result" field',"local");return a.result}async callRaw(t,r,n){return this.fetchWithRetry(t,r,n)}async fetchWithRetry(t,r,n){const o=++this.requestId,s=this.retryableFor(t)?this.retries:0,i=JSON.stringify({jsonrpc:f,method:t,params:[r],id:o});let l=null;for(let T=0;T<=s;T++){const A=new AbortController,S=setTimeout(()=>A.abort(),this.timeout),_=n?x(n,A.signal):null,I=_?_.signal:A.signal;try{const E=await this.buildHeaders(t),c=await fetch(this.baseUrl,{method:"POST",headers:E,body:i,signal:I});if(clearTimeout(S),_==null||_.cleanup(),!c.ok){if(T<s&&g.has(c.status)){const w=this.retryDelay*Math.pow(2,T);await this.sleep(w,n);continue}throw new Error(`HTTP error: ${c.status} ${c.statusText}`)}return c}catch(E){if(clearTimeout(S),_==null||_.cleanup(),l=E instanceof Error?E:new Error(String(E)),n!=null&&n.aborted)throw new Error("Request aborted");if(E instanceof Error&&E.name==="AbortError"){if(T<s){const c=this.retryDelay*Math.pow(2,T);await this.sleep(c,n);continue}throw new R(u.TIMEOUT,`Request timeout after ${this.timeout}ms (${s+1} attempts)`,"local")}if(E instanceof TypeError){if(T<s){const c=this.retryDelay*Math.pow(2,T);await this.sleep(c,n);continue}throw new R(u.NETWORK,`Network error: ${E.message} (${s+1} attempts)`,"local")}throw E}}throw l||new Error("Unknown error after retries")}sleep(t,r){return new Promise((n,o)=>{if(r!=null&&r.aborted){o(new Error("Request aborted"));return}const s=setTimeout(()=>{r==null||r.removeEventListener("abort",a),n()},t),a=()=>{clearTimeout(s),o(new Error("Request aborted"))};r==null||r.addEventListener("abort",a,{once:!0})})}getBaseUrl(){return this.baseUrl}}function x(e,t){if(e.aborted)return{signal:e,cleanup:()=>{}};if(t.aborted)return{signal:t,cleanup:()=>{}};const r=new AbortController,n=()=>{t.removeEventListener("abort",o),r.abort()},o=()=>{e.removeEventListener("abort",n),r.abort()};e.addEventListener("abort",n,{once:!0}),t.addEventListener("abort",o,{once:!0});const s=()=>{e.removeEventListener("abort",n),t.removeEventListener("abort",o)};return{signal:r.signal,cleanup:s}}async function k(e,t){const r=e.headers.get("content-length");if(r!==null){const i=Number(r);if(Number.isFinite(i)&&i>t)throw d(t)}if(!e.body)return"";const n=e.body.getReader(),o=new TextDecoder;let s=0,a="";try{for(;;){const{done:i,value:l}=await n.read();if(i)break;if(l){if(s+=l.byteLength,s>t)throw await n.cancel(),d(t);a+=o.decode(l,{stream:!0})}}}finally{n.releaseLock()}return a+o.decode()}function d(e){return new R(u.RESPONSE_TOO_LARGE,`JSON-RPC response exceeds maximum size of ${e} bytes`,"local")}var N=(e=>(e.PENDING_INGESTION="PendingIngestion",e.PENDING_DEPOSITOR_WOTS_PK="PendingDepositorWotsPK",e.PENDING_BABE_SETUP="PendingBabeSetup",e.PENDING_CHALLENGER_PRESIGNING="PendingChallengerPresigning",e.PENDING_PEGIN_SIGS_AVAILABILITY="PendingPeginSigsAvailability",e.PENDING_PRE_PEGIN_CONFIRMATIONS="PendingPrePegInConfirmations",e.PENDING_DEPOSITOR_SIGNATURES="PendingDepositorSignatures",e.PENDING_ACKS="PendingACKs",e.PENDING_ACTIVATION="PendingActivation",e.ACTIVATED="Activated",e.EXPIRED="Expired",e.CLAIM_POSTED="ClaimPosted",e.PEGGED_OUT="PeggedOut",e))(N||{});const V=["PendingIngestion","PendingBabeSetup","PendingChallengerPresigning","PendingPeginSigsAvailability","PendingPrePegInConfirmations"],J=["PendingACKs","PendingActivation","Activated"],O=new Set(["PendingBabeSetup","PendingChallengerPresigning","PendingPeginSigsAvailability","PendingPrePegInConfirmations",...J]),M=new Set(["Expired","ClaimPosted","PeggedOut"]),F=new Set([...O,"PendingDepositorSignatures"]);var h=(e=>(e[e.DATABASE_ERROR=-32005]="DATABASE_ERROR",e[e.PRESIGN_ERROR=-32006]="PRESIGN_ERROR",e[e.JSON_SERIALIZATION_ERROR=-32007]="JSON_SERIALIZATION_ERROR",e[e.TX_GRAPH_ERROR=-32008]="TX_GRAPH_ERROR",e[e.INVALID_GRAPH=-32009]="INVALID_GRAPH",e[e.VALIDATION_ERROR=-32010]="VALIDATION_ERROR",e[e.NOT_FOUND=-32011]="NOT_FOUND",e[e.INTERNAL_ERROR=-32603]="INTERNAL_ERROR",e))(h||{});exports.DaemonStatus=N;exports.JSON_RPC_ERROR_CODES=u;exports.JsonRpcClient=B;exports.JsonRpcError=R;exports.POST_WOTS_STATUSES=F;exports.PRE_DEPOSITOR_SIGNATURES_STATES=V;exports.RpcErrorCode=h;exports.VP_TERMINAL_STATUSES=M;exports.VP_TRANSIENT_STATUSES=O;
+//# sourceMappingURL=types-CfCZyfid.cjs.map

package/dist/types-CfCZyfid.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types-CfCZyfid.cjs","sources":["../src/tbv/core/clients/vault-provider/json-rpc-client.ts","../src/tbv/core/clients/vault-provider/types.ts"],"sourcesContent":["/**\n * Generic JSON-RPC 2.0 HTTP Client\n *\n * Framework-agnostic client using `fetch()` — works in browsers and Node.js 18+.\n * Includes configurable retry policy and AbortSignal passthrough.\n */\n\nexport interface JsonRpcRequest<T = unknown> {\n  jsonrpc: \"2.0\";\n  method: string;\n  params: T;\n  id: number | string;\n}\n\nexport interface JsonRpcSuccessResponse<T = unknown> {\n  jsonrpc: \"2.0\";\n  result: T;\n  id: number | string;\n}\n\nexport interface JsonRpcErrorResponse {\n  jsonrpc: \"2.0\";\n  error: {\n    code: number;\n    message: string;\n    data?: unknown;\n  };\n  id: number | string;\n}\n\nexport type JsonRpcResponse<T = unknown> =\n  | JsonRpcSuccessResponse<T>\n  | JsonRpcErrorResponse;\n\n/**\n * Injects bearer tokens into requests for auth-gated methods, and is\n * notified on auth-expired responses so it can invalidate its cache.\n *\n * The `JsonRpcClient` is agnostic to which methods are auth-gated —\n * the provider's `getToken(method)` decides. Returning `null` means\n * \"no auth required for this method\"; the client then sends the\n * request with no `Authorization` header.\n */\nexport interface BearerTokenProvider {\n  /**\n   * Return the bearer token to inject for `method`, or `null` if the\n   * method does not require auth.\n   */\n  getToken(method: string): Promise<string | null>;\n  /**\n   * Drop the cached token. Next call to `getToken` must re-acquire.\n   * Called by the client on reactive-refresh-trigger responses.\n   */\n  invalidate(): void;\n}\n\nexport interface JsonRpcClientConfig {\n  /** Base URL of the RPC service */\n  baseUrl: string;\n  /** Timeout in milliseconds per request attempt */\n  timeout: number;\n  /** Optional custom headers */\n  headers?: Record<string, string>;\n  /** Number of retry attempts for transient errors (default: 3) */\n  retries?: number;\n  /** Initial retry delay in milliseconds (default: 1000) */\n  retryDelay?: number;\n  /**\n   * Maximum response body size, in bytes, for typed JSON-RPC calls.\n   * `callRaw` intentionally returns the unparsed Response and is not capped here.\n   * Default: 2 MiB.\n   */\n  maxResponseBytes?: number;\n  /**\n   * Predicate that decides which methods retry on transient errors.\n   * Default retries only `getPeginStatus`, `getPegoutStatus`, and\n   * `requestDepositorPresignTransactions`. Write methods are not\n   * retried by default.\n   */\n  retryableFor?: (method: string) => boolean;\n  /**\n   * Per-request bearer-token source. A non-null return attaches\n   * `Authorization: Bearer <token>`; `null` skips auth. `call`\n   * additionally retries once on wire `auth_expired` (invalidate +\n   * refetch + retry). `callRaw` skips reactive refresh.\n   */\n  tokenProvider?: BearerTokenProvider;\n}\n\n/**\n * Identifies whether an error was produced locally (timeout, network\n * failure, malformed response) or parsed from a wire-format JSON-RPC\n * error envelope returned by the server.\n *\n * This matters for anyone inspecting the shared `-32001` code: the SDK\n * uses it internally for network failures AND the server uses it for\n * auth-middleware rejections. The `source` field disambiguates.\n */\nexport type JsonRpcErrorSource = \"wire\" | \"local\";\n\nexport class JsonRpcError extends Error {\n  constructor(\n    public code: number,\n    message: string,\n    /** \"wire\" for server-returned envelopes; \"local\" for SDK-side failures. */\n    public source: JsonRpcErrorSource = \"local\",\n    /** Structured data from the server `error.data` field, if any. */\n    public data?: unknown,\n  ) {\n    super(message);\n    this.name = \"JsonRpcError\";\n  }\n}\n\nexport const JSON_RPC_ERROR_CODES = {\n  TIMEOUT: -32000,\n  NETWORK: -32001,\n  /** VP proxy: request timed out at proxy level */\n  PROXY_TIMEOUT: -32002,\n  /** VP proxy: VP unreachable / DNS failure / response too large */\n  PROXY_UNAVAILABLE: -32003,\n  /** SDK client: response missing \"result\" field (malformed JSON-RPC) */\n  INVALID_RESPONSE: -32700,\n  /** SDK client: response body exceeded the configured byte limit */\n  RESPONSE_TOO_LARGE: -32701,\n} as const;\n\n/** JSON-RPC protocol version */\nconst JSON_RPC_VERSION = \"2.0\" as const;\n\n/** Default number of retry attempts for transient errors */\nconst DEFAULT_RETRY_ATTEMPTS = 3;\n\n/** Default initial retry delay in milliseconds */\nconst DEFAULT_RETRY_DELAY_MS = 1000;\n\n/** Default maximum JSON-RPC response size for typed calls (2 MiB) */\nconst DEFAULT_MAX_RESPONSE_BYTES = 2 * 1024 * 1024;\n\n/**\n * TODO: Temporary typed-call exceptions for methods that currently return large\n * artifact payloads as JSON-RPC results.\n */\nconst UNCAPPED_TYPED_RESPONSE_METHODS: ReadonlySet<string> = new Set([\n  \"vaultProvider_requestDepositorClaimerArtifacts\",\n]);\n\n/** HTTP status codes that indicate transient server errors and are safe to retry */\nconst RETRYABLE_HTTP_STATUS_CODES: ReadonlySet<number> = new Set([\n  408, // Request Timeout\n  429, // Too Many Requests\n  500, // Internal Server Error\n  502, // Bad Gateway\n  503, // Service Unavailable\n  504, // Gateway Timeout\n]);\n\n/** Default retry predicate: only retry read-only / idempotent methods */\nconst DEFAULT_RETRYABLE_METHODS: ReadonlySet<string> = new Set([\n  \"vaultProvider_getPeginStatus\",\n  \"vaultProvider_getPegoutStatus\",\n  \"vaultProvider_requestDepositorPresignTransactions\",\n]);\n\nfunction defaultRetryableFor(method: string): boolean {\n  return DEFAULT_RETRYABLE_METHODS.has(method);\n}\n\n/**\n * Token-expired marker the server emits in `error.data.kind`. When\n * present on a wire-origin error, the client invalidates its cached\n * token and retries the request once with a freshly-acquired bearer.\n *\n * Kept in sync with btc-vault's auth middleware. Absence of the marker\n * means the server does not support reactive refresh yet; we fall back\n * to proactive-only refresh via `BearerTokenProvider.getToken()` TTL\n * checks.\n */\nconst AUTH_EXPIRED_DATA_KIND = \"auth_expired\";\n\nfunction isAuthExpiredError(error: unknown): boolean {\n  if (!(error instanceof JsonRpcError)) return false;\n  if (error.source !== \"wire\") return false;\n  const data = error.data;\n  if (data === null || typeof data !== \"object\") return false;\n  const kind = (data as { kind?: unknown }).kind;\n  return kind === AUTH_EXPIRED_DATA_KIND;\n}\n\n/**\n * Generic JSON-RPC 2.0 HTTP client with safe retry policy.\n */\nexport class JsonRpcClient {\n  private baseUrl: string;\n  private timeout: number;\n  private headers: Record<string, string>;\n  private requestId = 0;\n  private retries: number;\n  private retryDelay: number;\n  private maxResponseBytes: number;\n  private retryableFor: (method: string) => boolean;\n  private tokenProvider?: BearerTokenProvider;\n\n  constructor(config: JsonRpcClientConfig) {\n    this.baseUrl = config.baseUrl.replace(/\\/$/, \"\");\n    this.timeout = config.timeout;\n    this.headers = {\n      \"Content-Type\": \"application/json\",\n      ...config.headers,\n    };\n    this.retries = config.retries ?? DEFAULT_RETRY_ATTEMPTS;\n    this.retryDelay = config.retryDelay ?? DEFAULT_RETRY_DELAY_MS;\n    this.maxResponseBytes =\n      config.maxResponseBytes ?? DEFAULT_MAX_RESPONSE_BYTES;\n    if (!Number.isFinite(this.maxResponseBytes) || this.maxResponseBytes <= 0) {\n      throw new Error(\"maxResponseBytes must be a positive finite number\");\n    }\n    this.retryableFor = config.retryableFor ?? defaultRetryableFor;\n    this.tokenProvider = config.tokenProvider;\n  }\n\n  private async buildHeaders(method: string): Promise<Record<string, string>> {\n    const headers: Record<string, string> = { ...this.headers };\n    if (this.tokenProvider) {\n      const token = await this.tokenProvider.getToken(method);\n      if (token) {\n        headers.Authorization = `Bearer ${token}`;\n      }\n    }\n    return headers;\n  }\n\n  /**\n   * Make a JSON-RPC request with optional retry for safe methods.\n   *\n   * If the request fails with a wire-origin `auth_expired` error and a\n   * `tokenProvider` is configured, the client invalidates its cached\n   * token and retries the request once with a freshly-acquired bearer.\n   *\n   * @param method - The RPC method name\n   * @param params - The method parameters\n   * @param signal - Optional AbortSignal for caller-controlled cancellation\n   * @returns The result from the RPC method\n   * @throws JsonRpcError if the RPC call fails\n   */\n  async call<TParams, TResult>(\n    method: string,\n    params: TParams,\n    signal?: AbortSignal,\n  ): Promise<TResult> {\n    try {\n      return await this.callOnce<TParams, TResult>(method, params, signal);\n    } catch (error) {\n      // The auth-expired retry fires for ALL methods, including mutating\n      // ones. This is intentional and safe: the server's auth middleware\n      // validates the bearer token BEFORE dispatching to the method\n      // handler, so an `auth_expired` error means the handler never ran\n      // and no state was mutated. Confirmed against btc-vault at\n      // `crates/btc-auth/src/middleware/jsonrpc.rs` — token validation\n      // is pre-handler only. The `retryableFor` guard on\n      // HTTP-transient-error retries doesn't apply here because that\n      // guard is about retrying after a request the server may have\n      // started processing; auth_expired is categorically different.\n      if (this.tokenProvider && isAuthExpiredError(error)) {\n        this.tokenProvider.invalidate();\n        return await this.callOnce<TParams, TResult>(method, params, signal);\n      }\n      throw error;\n    }\n  }\n\n  private async callOnce<TParams, TResult>(\n    method: string,\n    params: TParams,\n    signal: AbortSignal | undefined,\n  ): Promise<TResult> {\n    const response = await this.fetchWithRetry(method, params, signal);\n\n    let jsonResponse: unknown;\n    try {\n      const responseText = UNCAPPED_TYPED_RESPONSE_METHODS.has(method)\n        ? await response.text()\n        : await readResponseTextWithLimit(response, this.maxResponseBytes);\n      jsonResponse = JSON.parse(responseText);\n    } catch (error) {\n      if (error instanceof JsonRpcError) {\n        throw error;\n      }\n      throw new JsonRpcError(\n        JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        \"Invalid JSON-RPC response: body is not valid JSON\",\n        \"local\",\n      );\n    }\n\n    if (\n      jsonResponse === null ||\n      typeof jsonResponse !== \"object\" ||\n      Array.isArray(jsonResponse)\n    ) {\n      throw new JsonRpcError(\n        JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        `Invalid JSON-RPC response: expected an object, got ${typeof jsonResponse}`,\n        \"local\",\n      );\n    }\n\n    const rpcResponse = jsonResponse as Record<string, unknown>;\n\n    if (\"error\" in rpcResponse && rpcResponse.error != null) {\n      const err = rpcResponse.error as {\n        code?: number;\n        message?: string;\n        data?: unknown;\n      };\n      throw new JsonRpcError(\n        err.code ?? JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        err.message ?? \"Unknown RPC error\",\n        \"wire\",\n        err.data,\n      );\n    }\n\n    if (!(\"result\" in rpcResponse)) {\n      throw new JsonRpcError(\n        JSON_RPC_ERROR_CODES.INVALID_RESPONSE,\n        `Invalid JSON-RPC response: missing \"result\" field`,\n        \"local\",\n      );\n    }\n\n    return rpcResponse.result as TResult;\n  }\n\n  /**\n   * Make a JSON-RPC request returning the raw Response (unparsed body).\n   *\n   * Bearer tokens are injected identically to `call`. **Reactive refresh\n   * is NOT performed here** — the response body may be unbounded (e.g.\n   * claimer-artifact downloads), so the client refuses to parse it to\n   * detect auth errors. Callers relying on token-expired retries for\n   * large downloads must read the body themselves and re-invoke\n   * `callRaw` after `tokenProvider.invalidate()`.\n   */\n  async callRaw<TParams>(\n    method: string,\n    params: TParams,\n    signal?: AbortSignal,\n  ): Promise<Response> {\n    return this.fetchWithRetry(method, params, signal);\n  }\n\n  private async fetchWithRetry<TParams>(\n    method: string,\n    params: TParams,\n    callerSignal?: AbortSignal,\n  ): Promise<Response> {\n    const requestId = ++this.requestId;\n    const maxRetries = this.retryableFor(method) ? this.retries : 0;\n\n    // jsonrpsee (Rust backend) expects params as an array (positional parameters)\n    const request: JsonRpcRequest<TParams[]> = {\n      jsonrpc: JSON_RPC_VERSION,\n      method,\n      params: [params],\n      id: requestId,\n    };\n\n    const body = JSON.stringify(request);\n    let lastError: Error | null = null;\n\n    for (let attempt = 0; attempt <= maxRetries; attempt++) {\n      // Merge caller signal with per-request timeout signal\n      const timeoutController = new AbortController();\n      const timeoutId = setTimeout(\n        () => timeoutController.abort(),\n        this.timeout,\n      );\n\n      const merged = callerSignal\n        ? mergeAbortSignals(callerSignal, timeoutController.signal)\n        : null;\n      const signal = merged ? merged.signal : timeoutController.signal;\n\n      try {\n        // Build headers per-attempt so the token provider can return a\n        // freshly-acquired bearer after a prior invalidate() on this\n        // request (retry loop path) without plumbing state through.\n        const headers = await this.buildHeaders(method);\n\n        const response = await fetch(this.baseUrl, {\n          method: \"POST\",\n          headers,\n          body,\n          signal,\n        });\n\n        clearTimeout(timeoutId);\n        merged?.cleanup();\n\n        if (!response.ok) {\n          const shouldRetry =\n            attempt < maxRetries &&\n            RETRYABLE_HTTP_STATUS_CODES.has(response.status);\n\n          if (shouldRetry) {\n            const delay = this.retryDelay * Math.pow(2, attempt);\n            await this.sleep(delay, callerSignal);\n            continue;\n          }\n\n          throw new Error(\n            `HTTP error: ${response.status} ${response.statusText}`,\n          );\n        }\n\n        return response;\n      } catch (error) {\n        clearTimeout(timeoutId);\n        merged?.cleanup();\n        lastError = error instanceof Error ? error : new Error(String(error));\n\n        // Check if caller aborted (not our timeout)\n        if (callerSignal?.aborted) {\n          throw new Error(\"Request aborted\");\n        }\n\n        if (error instanceof Error && error.name === \"AbortError\") {\n          if (attempt < maxRetries) {\n            const delay = this.retryDelay * Math.pow(2, attempt);\n            await this.sleep(delay, callerSignal);\n            continue;\n          }\n          throw new JsonRpcError(\n            JSON_RPC_ERROR_CODES.TIMEOUT,\n            `Request timeout after ${this.timeout}ms (${maxRetries + 1} attempts)`,\n            \"local\",\n          );\n        }\n\n        // Handle network errors (CORS, connection refused, etc.)\n        if (error instanceof TypeError) {\n          if (attempt < maxRetries) {\n            const delay = this.retryDelay * Math.pow(2, attempt);\n            await this.sleep(delay, callerSignal);\n            continue;\n          }\n          throw new JsonRpcError(\n            JSON_RPC_ERROR_CODES.NETWORK,\n            `Network error: ${error.message} (${maxRetries + 1} attempts)`,\n            \"local\",\n          );\n        }\n\n        // Don't retry JSON-RPC errors (business logic errors)\n        throw error;\n      }\n    }\n\n    throw lastError || new Error(\"Unknown error after retries\");\n  }\n\n  private sleep(ms: number, signal?: AbortSignal): Promise<void> {\n    return new Promise((resolve, reject) => {\n      if (signal?.aborted) {\n        reject(new Error(\"Request aborted\"));\n        return;\n      }\n      const timeoutId = setTimeout(() => {\n        signal?.removeEventListener(\"abort\", onAbort);\n        resolve();\n      }, ms);\n      const onAbort = () => {\n        clearTimeout(timeoutId);\n        reject(new Error(\"Request aborted\"));\n      };\n      signal?.addEventListener(\"abort\", onAbort, { once: true });\n    });\n  }\n\n  getBaseUrl(): string {\n    return this.baseUrl;\n  }\n}\n\ninterface MergedSignal {\n  signal: AbortSignal;\n  /** Remove listeners from the source signals. Call after the request completes. */\n  cleanup: () => void;\n}\n\n/**\n * Merge two AbortSignals — the returned signal aborts if either input aborts.\n * Returns a cleanup function to remove listeners when the request completes\n * normally, preventing listener accumulation in long-lived polling flows.\n */\nfunction mergeAbortSignals(a: AbortSignal, b: AbortSignal): MergedSignal {\n  if (a.aborted) return { signal: a, cleanup: () => {} };\n  if (b.aborted) return { signal: b, cleanup: () => {} };\n\n  const controller = new AbortController();\n  const onAbortA = () => {\n    b.removeEventListener(\"abort\", onAbortB);\n    controller.abort();\n  };\n  const onAbortB = () => {\n    a.removeEventListener(\"abort\", onAbortA);\n    controller.abort();\n  };\n  a.addEventListener(\"abort\", onAbortA, { once: true });\n  b.addEventListener(\"abort\", onAbortB, { once: true });\n\n  const cleanup = () => {\n    a.removeEventListener(\"abort\", onAbortA);\n    b.removeEventListener(\"abort\", onAbortB);\n  };\n\n  return { signal: controller.signal, cleanup };\n}\n\nasync function readResponseTextWithLimit(\n  response: Response,\n  maxBytes: number,\n): Promise<string> {\n  const contentLength = response.headers.get(\"content-length\");\n  if (contentLength !== null) {\n    const parsedContentLength = Number(contentLength);\n    if (\n      Number.isFinite(parsedContentLength) &&\n      parsedContentLength > maxBytes\n    ) {\n      throw responseTooLargeError(maxBytes);\n    }\n  }\n\n  if (!response.body) {\n    return \"\";\n  }\n\n  const reader = response.body.getReader();\n  const decoder = new TextDecoder();\n  let totalBytes = 0;\n  let responseText = \"\";\n\n  try {\n    for (;;) {\n      const { done, value } = await reader.read();\n      if (done) break;\n      if (!value) continue;\n\n      totalBytes += value.byteLength;\n      if (totalBytes > maxBytes) {\n        await reader.cancel();\n        throw responseTooLargeError(maxBytes);\n      }\n      responseText += decoder.decode(value, { stream: true });\n    }\n  } finally {\n    reader.releaseLock();\n  }\n\n  return responseText + decoder.decode();\n}\n\nfunction responseTooLargeError(maxBytes: number): JsonRpcError {\n  return new JsonRpcError(\n    JSON_RPC_ERROR_CODES.RESPONSE_TOO_LARGE,\n    `JSON-RPC response exceeds maximum size of ${maxBytes} bytes`,\n    \"local\",\n  );\n}\n","/**\n * Type definitions for Vault Provider JSON-RPC API.\n *\n * These types match the `vaultProvider_*` RPC namespace defined by the\n * btc-vault daemon. They are the SDK's canonical copy of the VP protocol\n * contract, independent of any frontend framework.\n *\n * @see https://github.com/babylonlabs-io/btc-vault/blob/main/docs/pegin.md\n */\n\n// ============================================================================\n// Daemon Status\n// ============================================================================\n\n/**\n * Backend daemon status (vault provider database).\n * Source: btc-vault crates/vaultd/src/workers/claimer/mod.rs PegInStatus enum\n *\n * State flow (happy path):\n * PendingIngestion -> PendingDepositorWotsPK -> PendingBabeSetup -> PendingChallengerPresigning\n *   -> PendingPeginSigsAvailability -> PendingPrePegInConfirmations\n *   -> PendingDepositorSignatures -> PendingACKs -> PendingActivation -> Activated\n *\n * Terminal / branching states:\n * - Expired: vault timed out before activation\n * - ClaimPosted: claim transaction posted on-chain\n * - PeggedOut: BTC has been returned to the depositor\n */\nexport enum DaemonStatus {\n  PENDING_INGESTION = \"PendingIngestion\",\n  PENDING_DEPOSITOR_WOTS_PK = \"PendingDepositorWotsPK\",\n  PENDING_BABE_SETUP = \"PendingBabeSetup\",\n  PENDING_CHALLENGER_PRESIGNING = \"PendingChallengerPresigning\",\n  PENDING_PEGIN_SIGS_AVAILABILITY = \"PendingPeginSigsAvailability\",\n  PENDING_PRE_PEGIN_CONFIRMATIONS = \"PendingPrePegInConfirmations\",\n  PENDING_DEPOSITOR_SIGNATURES = \"PendingDepositorSignatures\",\n  PENDING_ACKS = \"PendingACKs\",\n  PENDING_ACTIVATION = \"PendingActivation\",\n  ACTIVATED = \"Activated\",\n  EXPIRED = \"Expired\",\n  CLAIM_POSTED = \"ClaimPosted\",\n  PEGGED_OUT = \"PeggedOut\",\n}\n\n// ============================================================================\n// Status Groups\n// ============================================================================\n\n/**\n * States where the VP is still processing (no depositor action needed).\n * Excludes PENDING_DEPOSITOR_WOTS_PK (requires depositor action).\n */\nexport const PRE_DEPOSITOR_SIGNATURES_STATES: readonly DaemonStatus[] = [\n  DaemonStatus.PENDING_INGESTION,\n  DaemonStatus.PENDING_BABE_SETUP,\n  DaemonStatus.PENDING_CHALLENGER_PRESIGNING,\n  DaemonStatus.PENDING_PEGIN_SIGS_AVAILABILITY,\n  DaemonStatus.PENDING_PRE_PEGIN_CONFIRMATIONS,\n];\n\n/** States after PendingDepositorSignatures where the depositor has no action. */\nconst POST_PAYOUT_SIGNATURE_STATUSES: readonly DaemonStatus[] = [\n  DaemonStatus.PENDING_ACKS,\n  DaemonStatus.PENDING_ACTIVATION,\n  DaemonStatus.ACTIVATED,\n];\n\n/**\n * Statuses where no depositor action is needed (VP processing or already past\n * depositor interaction). Excludes PENDING_INGESTION and PENDING_DEPOSITOR_WOTS_PK.\n */\nexport const VP_TRANSIENT_STATUSES: ReadonlySet<DaemonStatus> = new Set([\n  DaemonStatus.PENDING_BABE_SETUP,\n  DaemonStatus.PENDING_CHALLENGER_PRESIGNING,\n  DaemonStatus.PENDING_PEGIN_SIGS_AVAILABILITY,\n  DaemonStatus.PENDING_PRE_PEGIN_CONFIRMATIONS,\n  ...POST_PAYOUT_SIGNATURE_STATUSES,\n]);\n\n/**\n * Terminal VP statuses where no further progress is possible.\n * If the VP reaches one of these states while polling, polling should\n * stop immediately with an error rather than waiting for timeout.\n */\nexport const VP_TERMINAL_STATUSES: ReadonlySet<DaemonStatus> = new Set([\n  DaemonStatus.EXPIRED,\n  DaemonStatus.CLAIM_POSTED,\n  DaemonStatus.PEGGED_OUT,\n]);\n\n/**\n * Statuses that come after WOTS key submission.\n * If the VP is already in one of these states, the WOTS key was already\n * submitted and we can skip.\n */\nexport const POST_WOTS_STATUSES: ReadonlySet<DaemonStatus> = new Set([\n  ...VP_TRANSIENT_STATUSES,\n  DaemonStatus.PENDING_DEPOSITOR_SIGNATURES,\n]);\n\n// ============================================================================\n// WOTS Types (needed by SubmitDepositorWotsKeyParams)\n// ============================================================================\n\n/**\n * WOTS configuration for a single block.\n * Matches Rust `babe::wots::Config` serde format.\n */\nexport interface WotsConfig {\n  /** Digit bit-width (e.g. 4 → base-16 digits). */\n  d: number;\n  /** Number of message digits in this block. */\n  n: number;\n  /** Radix used for the checksum computation. */\n  checksum_radix: number;\n}\n\n/**\n * A single block of WOTS public keys.\n * Chain values are arrays of byte values (matching Rust `[u8; 20]`).\n */\nexport interface WotsBlockPublicKey {\n  config: WotsConfig;\n  message_terminals: number[][];\n  checksum_major_terminal: number[];\n  checksum_minor_terminal: number[];\n}\n\n// ============================================================================\n// Request Parameter Types\n// ============================================================================\n\n/** Params for requesting the payout/claim/assert transactions to pre-sign. */\nexport interface RequestDepositorPresignTransactionsParams {\n  pegin_txid: string;\n  depositor_pk: string;\n}\n\n/** Params for submitting the depositor's WOTS public key to the VP. */\nexport interface SubmitDepositorWotsKeyParams {\n  pegin_txid: string;\n  depositor_pk: string;\n  wots_public_keys: WotsBlockPublicKey[];\n}\n\n/** Per-challenger signatures for the depositor-as-claimer flow. */\nexport interface DepositorPreSigsPerChallenger {\n  nopayout_signature: string;\n}\n\n/** Depositor-as-claimer pre-signatures (payout + per-challenger). */\nexport interface DepositorAsClaimerPresignatures {\n  payout_signatures: ClaimerSignatures;\n  per_challenger: Record<string, DepositorPreSigsPerChallenger>;\n}\n\n/** Params for submitting depositor pre-signatures including claimer presignatures. */\nexport interface SubmitDepositorPresignaturesParams {\n  pegin_txid: string;\n  depositor_pk: string;\n  signatures: Record<string, ClaimerSignatures>;\n  depositor_claimer_presignatures: DepositorAsClaimerPresignatures;\n}\n\n/** Payout signatures per claimer. */\nexport interface ClaimerSignatures {\n  payout_signature: string;\n}\n\n/** Params for requesting BaBe DecryptorArtifacts from the VP. */\nexport interface RequestDepositorClaimerArtifactsParams {\n  pegin_txid: string;\n  depositor_pk: string;\n}\n\n/** Params for querying pegin status. Either pegin_txid or vault_id must be provided. */\nexport type GetPeginStatusParams =\n  | { pegin_txid: string; vault_id?: never }\n  | { vault_id: string; pegin_txid?: never };\n\n// ============================================================================\n// Response Types\n// ============================================================================\n\n/** A raw Bitcoin transaction with its hex encoding. */\nexport interface TransactionData {\n  tx_hex: string;\n}\n\n/** Set of transactions the depositor must pre-sign for a single claimer. */\nexport interface ClaimerTransactions {\n  claimer_pubkey: string;\n  claim_tx: TransactionData;\n  assert_tx: TransactionData;\n  payout_tx: TransactionData;\n  payout_psbt: string;\n}\n\n/** Per-segment connector data for ChallengeAssert inputs. */\nexport interface ChallengeAssertConnectorData {\n  wots_pks_json: string;\n  gc_wots_keys_json: string;\n}\n\n/** Challenger-specific transactions and signing data for the depositor graph. */\nexport interface PresignDataPerChallenger {\n  challenger_pubkey: string;\n  challenge_assert_x_tx: TransactionData;\n  challenge_assert_y_tx: TransactionData;\n  nopayout_tx: TransactionData;\n  nopayout_psbt: string;\n  challenge_assert_connectors: ChallengeAssertConnectorData[];\n  output_label_hashes: string[];\n}\n\n/** Depositor-as-claimer TxGraph transactions. */\nexport interface DepositorGraphTransactions {\n  claim_tx: TransactionData;\n  assert_tx: TransactionData;\n  payout_tx: TransactionData;\n  payout_psbt: string;\n  challenger_presign_data: PresignDataPerChallenger[];\n  offchain_params_version: number;\n}\n\n/** Response from `requestDepositorPresignTransactions`. */\nexport interface RequestDepositorPresignTransactionsResponse {\n  txs: ClaimerTransactions[];\n  depositor_graph: DepositorGraphTransactions;\n}\n\n/** BaBe garbled-circuit session data for a single challenger. */\nexport interface BaBeSessionData {\n  decryptor_artifacts_hex: string;\n}\n\n/** Response from `requestDepositorClaimerArtifacts`. */\nexport interface RequestDepositorClaimerArtifactsResponse {\n  tx_graph_json: string;\n  verifying_key_hex: string;\n  babe_sessions: Record<string, BaBeSessionData>;\n}\n\n/** Progress tracker for a multi-challenger operation. */\nexport interface ChallengerProgress {\n  total_challengers: number;\n  completed_challengers: number;\n  completed_challenger_pubkeys: string[];\n  pending_challenger_pubkeys: string[];\n}\n\nexport type GcDataProgress = ChallengerProgress;\nexport type AckCollectionProgress = ChallengerProgress;\n\n/** Extended presigning progress with all 3 concurrent phases. */\nexport interface PresigningProgress extends ChallengerProgress {\n  depositor_graph_created?: boolean;\n  vk_challenger_presigning_completed?: number;\n  vk_challenger_presigning_total?: number;\n}\n\n/** Detailed progress breakdown for an in-progress pegin. */\nexport interface PeginProgressDetails {\n  gc_data?: GcDataProgress;\n  presigning?: PresigningProgress;\n  ack_collection?: AckCollectionProgress;\n  claimer_graphs?: ClaimerGraphStatus[];\n}\n\n/** Per-claimer graph status (challenger perspective). */\nexport interface ClaimerGraphStatus {\n  claimer_pubkey: string;\n  presigned: boolean;\n}\n\n/** Response from `getPeginStatus`. */\nexport interface GetPeginStatusResponse {\n  pegin_txid: string;\n  status: string;\n  progress: PeginProgressDetails;\n  health_info: string;\n  last_error?: string;\n}\n\n// ============================================================================\n// Pegout Types\n// ============================================================================\n\n/** Params for querying pegout status from the VP daemon. */\nexport interface GetPegoutStatusParams {\n  pegin_txid: string;\n}\n\n/** Claimer-side pegout progress. */\nexport interface ClaimerPegoutStatus {\n  status: string;\n  failed: boolean;\n  claim_txid?: string;\n  claimer_pubkey?: string;\n  challenger_pubkey?: string;\n  created_at?: string;\n  updated_at?: string;\n}\n\n/** Challenger-side pegout progress. */\nexport interface ChallengerPegoutStatus {\n  status: string;\n  claim_txid?: string;\n  claimer_pubkey?: string;\n  assert_txid?: string;\n  challenge_assert_txid?: string;\n  nopayout_txid?: string;\n  created_at?: string;\n  updated_at?: string;\n}\n\n/** Response from `getPegoutStatus`. */\nexport interface GetPegoutStatusResponse {\n  pegin_txid: string;\n  found: boolean;\n  claimer?: ClaimerPegoutStatus;\n  challenger?: ChallengerPegoutStatus;\n}\n\n// ============================================================================\n// Error Codes\n// ============================================================================\n\n/** JSON-RPC error codes returned by the vault provider. */\nexport enum RpcErrorCode {\n  DATABASE_ERROR = -32005,\n  PRESIGN_ERROR = -32006,\n  JSON_SERIALIZATION_ERROR = -32007,\n  TX_GRAPH_ERROR = -32008,\n  INVALID_GRAPH = -32009,\n  VALIDATION_ERROR = -32010,\n  NOT_FOUND = -32011,\n  INTERNAL_ERROR = -32603,\n}\n"],"names":["JsonRpcError","code","message","source","data","JSON_RPC_ERROR_CODES","JSON_RPC_VERSION","DEFAULT_RETRY_ATTEMPTS","DEFAULT_RETRY_DELAY_MS","DEFAULT_MAX_RESPONSE_BYTES","UNCAPPED_TYPED_RESPONSE_METHODS","RETRYABLE_HTTP_STATUS_CODES","DEFAULT_RETRYABLE_METHODS","defaultRetryableFor","method","AUTH_EXPIRED_DATA_KIND","isAuthExpiredError","error","JsonRpcClient","config","__publicField","headers","token","params","signal","response","jsonResponse","responseText","readResponseTextWithLimit","rpcResponse","err","callerSignal","requestId","maxRetries","body","lastError","attempt","timeoutController","timeoutId","merged","mergeAbortSignals","delay","ms","resolve","reject","onAbort","a","b","controller","onAbortA","onAbortB","cleanup","maxBytes","contentLength","parsedContentLength","responseTooLargeError","reader","decoder","totalBytes","done","value","DaemonStatus","PRE_DEPOSITOR_SIGNATURES_STATES","POST_PAYOUT_SIGNATURE_STATUSES","VP_TRANSIENT_STATUSES","VP_TERMINAL_STATUSES","POST_WOTS_STATUSES","RpcErrorCode"],"mappings":"iLAoGO,MAAMA,UAAqB,KAAM,CACtC,YACSC,EACPC,EAEOC,EAA6B,QAE7BC,EACP,CACA,MAAMF,CAAO,EAPN,KAAA,KAAAD,EAGA,KAAA,OAAAE,EAEA,KAAA,KAAAC,EAGP,KAAK,KAAO,cACd,CACF,CAEO,MAAMC,EAAuB,CAClC,QAAS,MACT,QAAS,OAET,cAAe,OAEf,kBAAmB,OAEnB,iBAAkB,OAElB,mBAAoB,MACtB,EAGMC,EAAmB,MAGnBC,EAAyB,EAGzBC,EAAyB,IAGzBC,EAA6B,EAAI,KAAO,KAMxCC,MAA2D,IAAI,CACnE,gDACF,CAAC,EAGKC,MAAuD,IAAI,CAC/D,IACA,IACA,IACA,IACA,IACA,GACF,CAAC,EAGKC,MAAqD,IAAI,CAC7D,+BACA,gCACA,mDACF,CAAC,EAED,SAASC,EAAoBC,EAAyB,CACpD,OAAOF,EAA0B,IAAIE,CAAM,CAC7C,CAYA,MAAMC,EAAyB,eAE/B,SAASC,EAAmBC,EAAyB,CAEnD,GADI,EAAEA,aAAiBjB,IACnBiB,EAAM,SAAW,OAAQ,MAAO,GACpC,MAAMb,EAAOa,EAAM,KACnB,OAAIb,IAAS,MAAQ,OAAOA,GAAS,SAAiB,GACxCA,EAA4B,OAC1BW,CAClB,CAKO,MAAMG,CAAc,CAWzB,YAAYC,EAA6B,CAVjCC,EAAA,gBACAA,EAAA,gBACAA,EAAA,gBACAA,EAAA,iBAAY,GACZA,EAAA,gBACAA,EAAA,mBACAA,EAAA,yBACAA,EAAA,qBACAA,EAAA,sBAaN,GAVA,KAAK,QAAUD,EAAO,QAAQ,QAAQ,MAAO,EAAE,EAC/C,KAAK,QAAUA,EAAO,QACtB,KAAK,QAAU,CACb,eAAgB,mBAChB,GAAGA,EAAO,OAAA,EAEZ,KAAK,QAAUA,EAAO,SAAWZ,EACjC,KAAK,WAAaY,EAAO,YAAcX,EACvC,KAAK,iBACHW,EAAO,kBAAoBV,EACzB,CAAC,OAAO,SAAS,KAAK,gBAAgB,GAAK,KAAK,kBAAoB,EACtE,MAAM,IAAI,MAAM,mDAAmD,EAErE,KAAK,aAAeU,EAAO,cAAgBN,EAC3C,KAAK,cAAgBM,EAAO,aAC9B,CAEA,MAAc,aAAaL,EAAiD,CAC1E,MAAMO,EAAkC,CAAE,GAAG,KAAK,OAAA,EAClD,GAAI,KAAK,cAAe,CACtB,MAAMC,EAAQ,MAAM,KAAK,cAAc,SAASR,CAAM,EAClDQ,IACFD,EAAQ,cAAgB,UAAUC,CAAK,GAE3C,CACA,OAAOD,CACT,CAeA,MAAM,KACJP,EACAS,EACAC,EACkB,CAClB,GAAI,CACF,OAAO,MAAM,KAAK,SAA2BV,EAAQS,EAAQC,CAAM,CACrE,OAASP,EAAO,CAWd,GAAI,KAAK,eAAiBD,EAAmBC,CAAK,EAChD,YAAK,cAAc,WAAA,EACZ,MAAM,KAAK,SAA2BH,EAAQS,EAAQC,CAAM,EAErE,MAAMP,CACR,CACF,CAEA,MAAc,SACZH,EACAS,EACAC,EACkB,CAClB,MAAMC,EAAW,MAAM,KAAK,eAAeX,EAAQS,EAAQC,CAAM,EAEjE,IAAIE,EACJ,GAAI,CACF,MAAMC,EAAejB,EAAgC,IAAII,CAAM,EAC3D,MAAMW,EAAS,KAAA,EACf,MAAMG,EAA0BH,EAAU,KAAK,gBAAgB,EACnEC,EAAe,KAAK,MAAMC,CAAY,CACxC,OAASV,EAAO,CACd,MAAIA,aAAiBjB,EACbiB,EAEF,IAAIjB,EACRK,EAAqB,iBACrB,oDACA,OAAA,CAEJ,CAEA,GACEqB,IAAiB,MACjB,OAAOA,GAAiB,UACxB,MAAM,QAAQA,CAAY,EAE1B,MAAM,IAAI1B,EACRK,EAAqB,iBACrB,sDAAsD,OAAOqB,CAAY,GACzE,OAAA,EAIJ,MAAMG,EAAcH,EAEpB,GAAI,UAAWG,GAAeA,EAAY,OAAS,KAAM,CACvD,MAAMC,EAAMD,EAAY,MAKxB,MAAM,IAAI7B,EACR8B,EAAI,MAAQzB,EAAqB,iBACjCyB,EAAI,SAAW,oBACf,OACAA,EAAI,IAAA,CAER,CAEA,GAAI,EAAE,WAAYD,GAChB,MAAM,IAAI7B,EACRK,EAAqB,iBACrB,oDACA,OAAA,EAIJ,OAAOwB,EAAY,MACrB,CAYA,MAAM,QACJf,EACAS,EACAC,EACmB,CACnB,OAAO,KAAK,eAAeV,EAAQS,EAAQC,CAAM,CACnD,CAEA,MAAc,eACZV,EACAS,EACAQ,EACmB,CACnB,MAAMC,EAAY,EAAE,KAAK,UACnBC,EAAa,KAAK,aAAanB,CAAM,EAAI,KAAK,QAAU,EAUxDoB,EAAO,KAAK,UAPyB,CACzC,QAAS5B,EACT,OAAAQ,EACA,OAAQ,CAACS,CAAM,EACf,GAAIS,CAAA,CAG6B,EACnC,IAAIG,EAA0B,KAE9B,QAASC,EAAU,EAAGA,GAAWH,EAAYG,IAAW,CAEtD,MAAMC,EAAoB,IAAI,gBACxBC,EAAY,WAChB,IAAMD,EAAkB,MAAA,EACxB,KAAK,OAAA,EAGDE,EAASR,EACXS,EAAkBT,EAAcM,EAAkB,MAAM,EACxD,KACEb,EAASe,EAASA,EAAO,OAASF,EAAkB,OAE1D,GAAI,CAIF,MAAMhB,EAAU,MAAM,KAAK,aAAaP,CAAM,EAExCW,EAAW,MAAM,MAAM,KAAK,QAAS,CACzC,OAAQ,OACR,QAAAJ,EACA,KAAAa,EACA,OAAAV,CAAA,CACD,EAKD,GAHA,aAAac,CAAS,EACtBC,GAAA,MAAAA,EAAQ,UAEJ,CAACd,EAAS,GAAI,CAKhB,GAHEW,EAAUH,GACVtB,EAA4B,IAAIc,EAAS,MAAM,EAEhC,CACf,MAAMgB,EAAQ,KAAK,WAAa,KAAK,IAAI,EAAGL,CAAO,EACnD,MAAM,KAAK,MAAMK,EAAOV,CAAY,EACpC,QACF,CAEA,MAAM,IAAI,MACR,eAAeN,EAAS,MAAM,IAAIA,EAAS,UAAU,EAAA,CAEzD,CAEA,OAAOA,CACT,OAASR,EAAO,CAMd,GALA,aAAaqB,CAAS,EACtBC,GAAA,MAAAA,EAAQ,UACRJ,EAAYlB,aAAiB,MAAQA,EAAQ,IAAI,MAAM,OAAOA,CAAK,CAAC,EAGhEc,GAAA,MAAAA,EAAc,QAChB,MAAM,IAAI,MAAM,iBAAiB,EAGnC,GAAId,aAAiB,OAASA,EAAM,OAAS,aAAc,CACzD,GAAImB,EAAUH,EAAY,CACxB,MAAMQ,EAAQ,KAAK,WAAa,KAAK,IAAI,EAAGL,CAAO,EACnD,MAAM,KAAK,MAAMK,EAAOV,CAAY,EACpC,QACF,CACA,MAAM,IAAI/B,EACRK,EAAqB,QACrB,yBAAyB,KAAK,OAAO,OAAO4B,EAAa,CAAC,aAC1D,OAAA,CAEJ,CAGA,GAAIhB,aAAiB,UAAW,CAC9B,GAAImB,EAAUH,EAAY,CACxB,MAAMQ,EAAQ,KAAK,WAAa,KAAK,IAAI,EAAGL,CAAO,EACnD,MAAM,KAAK,MAAMK,EAAOV,CAAY,EACpC,QACF,CACA,MAAM,IAAI/B,EACRK,EAAqB,QACrB,kBAAkBY,EAAM,OAAO,KAAKgB,EAAa,CAAC,aAClD,OAAA,CAEJ,CAGA,MAAMhB,CACR,CACF,CAEA,MAAMkB,GAAa,IAAI,MAAM,6BAA6B,CAC5D,CAEQ,MAAMO,EAAYlB,EAAqC,CAC7D,OAAO,IAAI,QAAQ,CAACmB,EAASC,IAAW,CACtC,GAAIpB,GAAA,MAAAA,EAAQ,QAAS,CACnBoB,EAAO,IAAI,MAAM,iBAAiB,CAAC,EACnC,MACF,CACA,MAAMN,EAAY,WAAW,IAAM,CACjCd,GAAA,MAAAA,EAAQ,oBAAoB,QAASqB,GACrCF,EAAA,CACF,EAAGD,CAAE,EACCG,EAAU,IAAM,CACpB,aAAaP,CAAS,EACtBM,EAAO,IAAI,MAAM,iBAAiB,CAAC,CACrC,EACApB,GAAA,MAAAA,EAAQ,iBAAiB,QAASqB,EAAS,CAAE,KAAM,IACrD,CAAC,CACH,CAEA,YAAqB,CACnB,OAAO,KAAK,OACd,CACF,CAaA,SAASL,EAAkBM,EAAgBC,EAA8B,CACvE,GAAID,EAAE,QAAS,MAAO,CAAE,OAAQA,EAAG,QAAS,IAAM,CAAC,CAAA,EACnD,GAAIC,EAAE,QAAS,MAAO,CAAE,OAAQA,EAAG,QAAS,IAAM,CAAC,CAAA,EAEnD,MAAMC,EAAa,IAAI,gBACjBC,EAAW,IAAM,CACrBF,EAAE,oBAAoB,QAASG,CAAQ,EACvCF,EAAW,MAAA,CACb,EACME,EAAW,IAAM,CACrBJ,EAAE,oBAAoB,QAASG,CAAQ,EACvCD,EAAW,MAAA,CACb,EACAF,EAAE,iBAAiB,QAASG,EAAU,CAAE,KAAM,GAAM,EACpDF,EAAE,iBAAiB,QAASG,EAAU,CAAE,KAAM,GAAM,EAEpD,MAAMC,EAAU,IAAM,CACpBL,EAAE,oBAAoB,QAASG,CAAQ,EACvCF,EAAE,oBAAoB,QAASG,CAAQ,CACzC,EAEA,MAAO,CAAE,OAAQF,EAAW,OAAQ,QAAAG,CAAA,CACtC,CAEA,eAAevB,EACbH,EACA2B,EACiB,CACjB,MAAMC,EAAgB5B,EAAS,QAAQ,IAAI,gBAAgB,EAC3D,GAAI4B,IAAkB,KAAM,CAC1B,MAAMC,EAAsB,OAAOD,CAAa,EAChD,GACE,OAAO,SAASC,CAAmB,GACnCA,EAAsBF,EAEtB,MAAMG,EAAsBH,CAAQ,CAExC,CAEA,GAAI,CAAC3B,EAAS,KACZ,MAAO,GAGT,MAAM+B,EAAS/B,EAAS,KAAK,UAAA,EACvBgC,EAAU,IAAI,YACpB,IAAIC,EAAa,EACb/B,EAAe,GAEnB,GAAI,CACF,OAAS,CACP,KAAM,CAAE,KAAAgC,EAAM,MAAAC,CAAA,EAAU,MAAMJ,EAAO,KAAA,EACrC,GAAIG,EAAM,MACV,GAAKC,EAGL,IADAF,GAAcE,EAAM,WAChBF,EAAaN,EACf,YAAMI,EAAO,OAAA,EACPD,EAAsBH,CAAQ,EAEtCzB,GAAgB8B,EAAQ,OAAOG,EAAO,CAAE,OAAQ,GAAM,EACxD,CACF,QAAA,CACEJ,EAAO,YAAA,CACT,CAEA,OAAO7B,EAAe8B,EAAQ,OAAA,CAChC,CAEA,SAASF,EAAsBH,EAAgC,CAC7D,OAAO,IAAIpD,EACTK,EAAqB,mBACrB,6CAA6C+C,CAAQ,SACrD,OAAA,CAEJ,CC9hBO,IAAKS,GAAAA,IACVA,EAAA,kBAAoB,mBACpBA,EAAA,0BAA4B,yBAC5BA,EAAA,mBAAqB,mBACrBA,EAAA,8BAAgC,8BAChCA,EAAA,gCAAkC,+BAClCA,EAAA,gCAAkC,+BAClCA,EAAA,6BAA+B,6BAC/BA,EAAA,aAAe,cACfA,EAAA,mBAAqB,oBACrBA,EAAA,UAAY,YACZA,EAAA,QAAU,UACVA,EAAA,aAAe,cACfA,EAAA,WAAa,YAbHA,IAAAA,GAAA,CAAA,CAAA,EAwBL,MAAMC,EAA2D,CACtE,mBACA,mBACA,8BACA,+BACA,8BACF,EAGMC,EAA0D,CAC9D,cACA,oBACA,WACF,EAMaC,MAAuD,IAAI,CACtE,mBACA,8BACA,+BACA,+BACA,GAAGD,CACL,CAAC,EAOYE,MAAsD,IAAI,CACrE,UACA,cACA,WACF,CAAC,EAOYC,MAAoD,IAAI,CACnE,GAAGF,EACH,4BACF,CAAC,EAuOM,IAAKG,GAAAA,IACVA,EAAAA,EAAA,eAAiB,MAAA,EAAjB,iBACAA,EAAAA,EAAA,cAAgB,MAAA,EAAhB,gBACAA,EAAAA,EAAA,yBAA2B,MAAA,EAA3B,2BACAA,EAAAA,EAAA,eAAiB,MAAA,EAAjB,iBACAA,EAAAA,EAAA,cAAgB,MAAA,EAAhB,gBACAA,EAAAA,EAAA,iBAAmB,MAAA,EAAnB,mBACAA,EAAAA,EAAA,UAAY,MAAA,EAAZ,YACAA,EAAAA,EAAA,eAAiB,MAAA,EAAjB,iBARUA,IAAAA,GAAA,CAAA,CAAA"}

package/dist/vault-registry-reader-OK2V08tk.cjs

@@ -0,0 +1,2 @@
+"use strict";var Q=Object.defineProperty;var ee=(r,e,t)=>e in r?Q(r,e,{enumerable:!0,configurable:!0,writable:!0,value:t}):r[e]=t;var c=(r,e,t)=>ee(r,typeof e!="symbol"?e+"":e,t);const B=require("./types-CfCZyfid.cjs"),l=require("./bitcoin-B3aqjuMP.cjs"),y=require("./validation-u8W7Lp2x.cjs"),te=require("@bitcoin-js/tiny-secp256k1-asmjs"),w=require("bitcoinjs-lib"),_=require("buffer"),H=require("./sha2-CsTynrfJ.cjs"),b=require("./BTCVaultRegistry.abi-ZdPpION2.cjs"),p=require("./ProtocolParams.abi-BmvHwQJV.cjs");function re(r){const e=Object.create(null,{[Symbol.toStringTag]:{value:"Module"}});if(r){for(const t in r)if(t!=="default"){const n=Object.getOwnPropertyDescriptor(r,t);Object.defineProperty(e,t,n.get?n:{enumerable:!0,get:()=>r[t]})}}return e.default=r,Object.freeze(e)}const k=re(te),N=new Set(Object.values(B.DaemonStatus)),ne=200;function o(r){var e;return((e=JSON.stringify(r))==null?void 0:e.slice(0,ne))??"undefined"}const se="The vault provider returned an unexpected response. Please try again or contact support.";class s extends Error{constructor(t){super(se);c(this,"detail");this.name="VpResponseValidationError",this.detail=t}}const x=64;function m(r){return typeof r=="string"&&r.length>0&&y.HEX_RE.test(r)}function L(r){return typeof r=="string"&&r.length>0}function X(r,e){if(!m(r))throw new s(`VP response validation failed: "${e}" must be a non-empty hex string, got ${o(r)}`)}function P(r,e){if(!L(r))throw new s(`VP response validation failed: "${e}" must be a non-empty string, got ${o(r)}`)}function q(r,e){if(!m(r)||r.length!==l.X_ONLY_PUBKEY_HEX_LEN&&r.length!==l.COMPRESSED_PUBKEY_HEX_LEN)throw new s(`VP response validation failed: "${e}" must be a ${l.X_ONLY_PUBKEY_HEX_LEN} or ${l.COMPRESSED_PUBKEY_HEX_LEN}-char hex string (BTC pubkey), got ${o(r)}`)}function ie(r){const e=r.presigning;if(e==null)return;if(typeof e!="object"||Array.isArray(e))throw new s('VP response validation failed: "progress.presigning" must be an object if present');const t=e;if(t.depositor_graph_created!==void 0&&typeof t.depositor_graph_created!="boolean")throw new s(`VP response validation failed: "progress.presigning.depositor_graph_created" must be a boolean if present, got ${o(t.depositor_graph_created)}`);if(t.vk_challenger_presigning_completed!==void 0&&typeof t.vk_challenger_presigning_completed!="number")throw new s(`VP response validation failed: "progress.presigning.vk_challenger_presigning_completed" must be a number if present, got ${o(t.vk_challenger_presigning_completed)}`);if(t.vk_challenger_presigning_total!==void 0&&typeof t.vk_challenger_presigning_total!="number")throw new s(`VP response validation failed: "progress.presigning.vk_challenger_presigning_total" must be a number if present, got ${o(t.vk_challenger_presigning_total)}`)}function ae(r){if(r===null||typeof r!="object")throw new s("VP response validation failed: getPeginStatus response is not an object");const e=r;if(!m(e.pegin_txid)||e.pegin_txid.length!==x)throw new s(`VP response validation failed: "pegin_txid" must be a ${x}-char hex string (txid), got ${o(e.pegin_txid)}`);if(typeof e.status!="string")throw new s('VP response validation failed: "status" must be a string');if(!N.has(e.status))throw new s(`VP response validation failed: unrecognized status "${e.status}". Expected one of: ${[...N].join(", ")}`);if(e.progress===null||typeof e.progress!="object"||Array.isArray(e.progress))throw new s('VP response validation failed: "progress" must be an object');if(ie(e.progress),typeof e.health_info!="string")throw new s('VP response validation failed: "health_info" must be a string');if(e.last_error!==void 0&&typeof e.last_error!="string")throw new s(`VP response validation failed: "last_error" must be a string if present, got ${o(e.last_error)}`)}function oe(r){if(r===null||typeof r!="object")throw new s("VP response validation failed: requestDepositorPresignTransactions response is not an object");const e=r;if(!Array.isArray(e.txs))throw new s('VP response validation failed: "txs" must be an array');for(let t=0;t<e.txs.length;t++)ce(e.txs[t],`txs[${t}]`);if(e.depositor_graph===null||typeof e.depositor_graph!="object")throw new s('VP response validation failed: "depositor_graph" must be an object');pe(e.depositor_graph)}function f(r,e){if(r===null||typeof r!="object")throw new s(`VP response validation failed: "${e}" must be an object`);X(r.tx_hex,`${e}.tx_hex`)}function ce(r,e){if(r===null||typeof r!="object")throw new s(`VP response validation failed: "${e}" must be an object`);const t=r;q(t.claimer_pubkey,`${e}.claimer_pubkey`),f(t.claim_tx,`${e}.claim_tx`),f(t.assert_tx,`${e}.assert_tx`),f(t.payout_tx,`${e}.payout_tx`),P(t.payout_psbt,`${e}.payout_psbt`)}function le(r,e){if(r===null||typeof r!="object")throw new s(`VP response validation failed: "${e}" must be an object`);const t=r;P(t.wots_pks_json,`${e}.wots_pks_json`),P(t.gc_wots_keys_json,`${e}.gc_wots_keys_json`)}function ue(r,e){if(r===null||typeof r!="object")throw new s(`VP response validation failed: "${e}" must be an object`);const t=r;if(q(t.challenger_pubkey,`${e}.challenger_pubkey`),f(t.challenge_assert_x_tx,`${e}.challenge_assert_x_tx`),f(t.challenge_assert_y_tx,`${e}.challenge_assert_y_tx`),f(t.nopayout_tx,`${e}.nopayout_tx`),P(t.nopayout_psbt,`${e}.nopayout_psbt`),!Array.isArray(t.challenge_assert_connectors))throw new s(`VP response validation failed: "${e}.challenge_assert_connectors" must be an array`);for(let n=0;n<t.challenge_assert_connectors.length;n++)le(t.challenge_assert_connectors[n],`${e}.challenge_assert_connectors[${n}]`);if(!Array.isArray(t.output_label_hashes))throw new s(`VP response validation failed: "${e}.output_label_hashes" must be an array`);for(let n=0;n<t.output_label_hashes.length;n++)X(t.output_label_hashes[n],`${e}.output_label_hashes[${n}]`)}function M(r){if(r===null||typeof r!="object")throw new s("VP response validation failed: requestDepositorClaimerArtifacts response is not an object");const e=r;if(!L(e.tx_graph_json))throw new s(`VP response validation failed: "tx_graph_json" must be a non-empty string, got ${o(e.tx_graph_json)}`);if(!m(e.verifying_key_hex))throw new s(`VP response validation failed: "verifying_key_hex" must be a non-empty hex string, got ${o(e.verifying_key_hex)}`);if(e.babe_sessions===null||typeof e.babe_sessions!="object")throw new s('VP response validation failed: "babe_sessions" must be an object');for(const[t,n]of Object.entries(e.babe_sessions)){if(n===null||typeof n!="object")throw new s(`VP response validation failed: "babe_sessions.${t}" must be an object`);const i=n;if(!m(i.decryptor_artifacts_hex))throw new s(`VP response validation failed: "babe_sessions.${t}.decryptor_artifacts_hex" must be a non-empty hex string, got ${o(i.decryptor_artifacts_hex)}`)}}function de(r){if(r===null||typeof r!="object")throw new s("VP response validation failed: getPegoutStatus response is not an object");const e=r;if(!m(e.pegin_txid)||e.pegin_txid.length!==x)throw new s(`VP response validation failed: "pegin_txid" must be a ${x}-char hex string (txid), got ${o(e.pegin_txid)}`);if(typeof e.found!="boolean")throw new s(`VP response validation failed: "found" must be a boolean, got ${o(e.found)}`);if(e.claimer!==void 0){if(e.claimer===null||typeof e.claimer!="object")throw new s('VP response validation failed: "claimer" must be an object if present');const t=e.claimer;if(typeof t.status!="string")throw new s(`VP response validation failed: "claimer.status" must be a string, got ${o(t.status)}`);if(typeof t.failed!="boolean")throw new s(`VP response validation failed: "claimer.failed" must be a boolean, got ${o(t.failed)}`)}if(e.challenger!==void 0){if(e.challenger===null||typeof e.challenger!="object")throw new s('VP response validation failed: "challenger" must be an object if present');const t=e.challenger;if(typeof t.status!="string")throw new s(`VP response validation failed: "challenger.status" must be a string, got ${o(t.status)}`)}}function pe(r){if(f(r.claim_tx,"depositor_graph.claim_tx"),f(r.assert_tx,"depositor_graph.assert_tx"),f(r.payout_tx,"depositor_graph.payout_tx"),P(r.payout_psbt,"depositor_graph.payout_psbt"),!Array.isArray(r.challenger_presign_data))throw new s('VP response validation failed: "depositor_graph.challenger_presign_data" must be an array');for(let e=0;e<r.challenger_presign_data.length;e++)ue(r.challenger_presign_data[e],`depositor_graph.challenger_presign_data[${e}]`);if(typeof r.offchain_params_version!="number")throw new s('VP response validation failed: "depositor_graph.offchain_params_version" must be a number')}const he=6e4;class F{constructor(e,t){c(this,"client");const n={baseUrl:e,timeout:(t==null?void 0:t.timeout)??he,retries:t==null?void 0:t.retries,retryDelay:t==null?void 0:t.retryDelay,retryableFor:t==null?void 0:t.retryableFor,headers:t==null?void 0:t.headers,tokenProvider:t==null?void 0:t.tokenProvider,maxResponseBytes:t==null?void 0:t.maxResponseBytes};this.client=new B.JsonRpcClient(n)}async requestDepositorPresignTransactions(e,t){const n=await this.client.call("vaultProvider_requestDepositorPresignTransactions",e,t);return oe(n),n}async submitDepositorPresignatures(e,t){return this.client.call("vaultProvider_submitDepositorPresignatures",e,t)}async submitDepositorWotsKey(e,t){return this.client.call("vaultProvider_submitDepositorWotsKey",e,t)}async requestDepositorClaimerArtifacts(e,t){const n=await this.client.call("vaultProvider_requestDepositorClaimerArtifacts",e,t);return M(n),n}async getPeginStatus(e,t){const n=await this.client.call("vaultProvider_getPeginStatus",e,t);return ae(n),n}async getPegoutStatus(e,t){const n=await this.client.call("vaultProvider_getPegoutStatus",e,t);return de(n),n}}const ge="BIP0322-signed-message",fe="TapTweak",G=32,_e=64;function Y(r,e){const t=new TextEncoder().encode(r),n=H.sha256(t),i=new Uint8Array(n.length*2+e.length);return i.set(n,0),i.set(n,n.length),i.set(e,n.length*2),H.sha256(i)}function me(r){if(r.length!==G)return null;const e=Y(fe,r),t=k.xOnlyPointAddTweak(r,e);return t?t.xOnlyPubkey:null}function ye(r,e,t){if(e.length!==G||t.length!==_e)return!1;try{const n=Y(ge,r),i=w.payments.p2tr({internalPubkey:_.Buffer.from(e)});if(!i.output)return!1;const a=i.output,u=0,g=new w.Transaction;g.version=0,g.locktime=0;const T=_.Buffer.concat([_.Buffer.from([0,32]),_.Buffer.from(n)]);g.addInput(_.Buffer.alloc(32,0),4294967295,0,T),g.addOutput(a,u);const h=new w.Transaction;h.version=0,h.locktime=0;const S=g.getHash();h.addInput(S,0,0),h.addOutput(_.Buffer.from([106]),u);const I=h.hashForWitnessV1(0,[a],[u],w.Transaction.SIGHASH_DEFAULT),R=me(e);return R?k.verifySchnorr(I,R,t):!1}catch{return!1}}function A(r,e){const t=(r&7)<<5,n=typeof e=="bigint"?e:BigInt(e);if(n<0n)throw new Error("cborHead: negative argument");if(n<24n)return new Uint8Array([t|Number(n)]);if(n<0x100n)return new Uint8Array([t|24,Number(n)]);if(n<0x10000n){const a=Number(n);return new Uint8Array([t|25,a>>>8&255,a&255])}if(n<0x100000000n){const a=Number(n);return new Uint8Array([t|26,a>>>24&255,a>>>16&255,a>>>8&255,a&255])}const i=new Uint8Array(9);i[0]=t|27;for(let a=7;a>=0;a--)i[1+a]=Number(n>>BigInt((7-a)*8))&255;return i}function W(...r){const e=r.reduce((i,a)=>i+a.length,0),t=new Uint8Array(e);let n=0;for(const i of r)t.set(i,n),n+=i.length;return t}function O(r){const t=[A(4,r.length)];for(const n of r)t.push(A(0,n));return W(...t)}function be(r,e,t){if(!Number.isSafeInteger(t)||t<0)throw new Error(`encodeServerIdentityPayload: expires_at must be a non-negative safe integer, got ${t}`);const n=A(4,3),i=O(r),a=O(e),u=A(0,t);return W(n,i,a,u)}const Pe=new TextEncoder().encode("btc-auth.server-identity.v1");class d extends Error{constructor(e,t){super(e),this.reason=t,this.name="ServerIdentityError"}}function v(r){const e=new Uint8Array(r.length/2);for(let t=0;t<e.length;t++)e[t]=parseInt(r.slice(t*2,t*2+2),16);return e}function z(r){const{proof:e,pinnedServerPubkey:t,now:n}=r,i=l.stripHexPrefix(t).toLowerCase();if(i.length!==l.X_ONLY_PUBKEY_HEX_LEN||!y.HEX_RE.test(i))throw new d(`pinnedServerPubkey must be 32-byte hex; got ${i.length} chars`,"invalid_pubkey_encoding");const a=l.stripHexPrefix(e.server_pubkey).toLowerCase();if(a.length!==l.X_ONLY_PUBKEY_HEX_LEN||!y.HEX_RE.test(a))throw new d(`server_pubkey must be 32-byte hex; got ${a.length} chars`,"invalid_pubkey_encoding");if(a!==i)throw new d(`server_pubkey does not match pinned value: expected ${i}, got ${a}`,"pinned_pubkey_mismatch");if(!Number.isSafeInteger(e.expires_at))throw new d(`expires_at must be a finite integer; got ${JSON.stringify(e.expires_at)}`,"invalid_expires_at");if(!Number.isSafeInteger(n))throw new d(`now must be a finite integer; got ${JSON.stringify(n)}`,"invalid_expires_at");if(e.expires_at<=n)throw new d(`server identity proof expired at ${e.expires_at}, now ${n}`,"expired");const u=l.stripHexPrefix(e.ephemeral_pubkey).toLowerCase();if(u.length!==l.COMPRESSED_PUBKEY_HEX_LEN||!y.HEX_RE.test(u))throw new d(`ephemeral_pubkey must be 33-byte compressed hex; got ${u.length} chars`,"invalid_ephemeral_pubkey");const g=u.slice(0,2);if(g!=="02"&&g!=="03")throw new d(`ephemeral_pubkey must be compressed (prefix 02/03); got ${g}`,"invalid_ephemeral_pubkey");const T=v(u);if(!k.isPoint(T))throw new d("ephemeral_pubkey is not a valid secp256k1 point","invalid_ephemeral_pubkey");const h=l.stripHexPrefix(e.signature).toLowerCase();if(h.length!==l.SCHNORR_SIG_HEX_LEN||!y.HEX_RE.test(h))throw new d(`signature must be 64-byte Schnorr hex; got ${h.length} chars`,"invalid_signature_encoding");const S=be(Pe,v(u),e.expires_at);if(!ye(S,v(a),v(h)))throw new d("BIP-322 signature verification failed — ephemeral key is not attested by pinned server pubkey","signature_verification_failed")}const we=new Set(["vaultProvider_submitDepositorWotsKey","vaultProvider_submitDepositorPresignatures","vaultProvider_requestDepositorPresignTransactions"]),ve=6e4,E="auth_createDepositorToken";function J(r,e){return new B.JsonRpcClient({baseUrl:r,timeout:ve,headers:e,retryableFor:t=>t===E})}const j=4102444800,xe=30;class Ae{constructor(e){c(this,"client");c(this,"peginTxid");c(this,"authAnchorHex");c(this,"pinnedServerPubkey");c(this,"authGatedMethods");c(this,"refreshSkewSecs");c(this,"now");c(this,"cached",null);c(this,"inFlight",null);this.client=e.client,this.peginTxid=e.peginTxid,this.authAnchorHex=e.authAnchorHex,this.pinnedServerPubkey=e.pinnedServerPubkey,this.authGatedMethods=e.authGatedMethods,this.refreshSkewSecs=e.refreshSkewSecs??xe,this.now=e.now??(()=>Math.floor(Date.now()/1e3))}async getToken(e){if(e===E||!this.authGatedMethods.has(e))return null;const t=this.cached;return t&&this.now()+this.refreshSkewSecs<t.expiresAt?t.token:(await this.acquireSingleFlight()).token}invalidate(){this.cached=null}setClient(e){this.client=e}acquireSingleFlight(){const e=this.inFlight;if(e)return e;const t=(async()=>{try{const n=await this.client.call(E,{pegin_txid:this.peginTxid,auth_anchor:this.authAnchorHex});if(z({proof:n.server_identity,pinnedServerPubkey:this.pinnedServerPubkey,now:this.now()}),typeof n.token!="string"||n.token.length===0)throw new Error(`VpTokenProvider: invalid token in acquire response (expected non-empty string, got ${typeof n.token})`);const i=this.now();if(!Number.isSafeInteger(n.expires_at)||n.expires_at<=i||n.expires_at>j)throw new Error(`VpTokenProvider: invalid expires_at in acquire response (got ${JSON.stringify(n.expires_at)}; must be a safe integer in (${i}, ${j}])`);const a={token:n.token,expiresAt:n.expires_at};return this.cached=a,a}finally{this.inFlight=null}})();return this.inFlight=t,t}}class Z{constructor(){c(this,"entries",new Map)}getOrCreate(e){const t=this.entries.get(e.peginTxid);if(t){if(t.authAnchorHex!==e.authAnchorHex)throw new Error(`VpTokenRegistry: peginTxid ${e.peginTxid} already bound to authAnchorHex ${t.authAnchorHex.slice(0,8)}…; got ${e.authAnchorHex.slice(0,8)}…`);if(t.pinnedServerPubkey!==e.pinnedServerPubkey)throw new Error(`VpTokenRegistry: peginTxid ${e.peginTxid} already bound to pinnedServerPubkey ${t.pinnedServerPubkey.slice(0,8)}…; got ${e.pinnedServerPubkey.slice(0,8)}…`);return t.provider.setClient(e.client),t.provider}const n=new Ae({client:e.client,peginTxid:e.peginTxid,authAnchorHex:e.authAnchorHex,pinnedServerPubkey:e.pinnedServerPubkey,authGatedMethods:we});return this.entries.set(e.peginTxid,{provider:n,authAnchorHex:e.authAnchorHex,pinnedServerPubkey:e.pinnedServerPubkey}),n}peek(e){var t;return(t=this.entries.get(e))==null?void 0:t.provider}release(e){this.entries.delete(e)}clear(){this.entries.clear()}get size(){return this.entries.size}}const $=new Z;function Ve(r){var n;const e=J(r.baseUrl,(n=r.options)==null?void 0:n.headers),t=$.getOrCreate({client:e,peginTxid:r.peginTxid,authAnchorHex:r.authAnchorHex,pinnedServerPubkey:r.pinnedServerPubkey});return new F(r.baseUrl,{...r.options,tokenProvider:t})}function ke(r){$.getOrCreate({client:J(r.baseUrl,r.headers),peginTxid:r.peginTxid,authAnchorHex:r.authAnchorHex,pinnedServerPubkey:r.pinnedServerPubkey})}async function Te(r,e){const[t,n]=await r.multicall({contracts:[{address:e,abi:b.BTCVaultRegistryABI,functionName:"protocolParams"},{address:e,abi:b.BTCVaultRegistryABI,functionName:"applicationRegistry"}],allowFailure:!1});return{protocolParams:t,applicationRegistry:n}}const D=65535;function C(r){return{timelockAssert:r.timelockAssert,timelockChallengeAssert:r.timelockChallengeAssert,securityCouncilKeys:[...r.securityCouncilKeys],councilQuorum:r.councilQuorum,feeRate:r.feeRate,babeTotalInstances:r.babeTotalInstances,babeInstancesToFinalize:r.babeInstancesToFinalize,minVpCommissionBps:r.minVpCommissionBps,tRefund:r.tRefund,tStale:r.tStale,minPeginFeeRate:r.minPeginFeeRate,proverProgramVersion:r.proverProgramVersion,minPrepeginDepth:r.minPrepeginDepth}}function U(r){return{minimumPegInAmount:r.minimumPegInAmount,maxPegInAmount:r.maxPegInAmount,pegInAckTimeout:r.pegInAckTimeout,pegInActivationTimeout:r.pegInActivationTimeout,maxHtlcOutputCount:r.maxHtlcOutputCount}}function K(r){if(r>BigInt(D))throw new Error(`timelockAssert value ${r} exceeds uint16 max (${D})`);return Number(r)}class Se{constructor(e,t){this.publicClient=e,this.contractAddress=t}async getTBVProtocolParams(){const e=await this.publicClient.readContract({address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"getTBVProtocolParams"});return U(e)}async getLatestOffchainParams(){const e=await this.publicClient.readContract({address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"getLatestOffchainParams"});return C(e)}async getOffchainParamsByVersion(e){const t=await this.publicClient.readContract({address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"getOffchainParamsByVersion",args:[e]});return C(t)}async getLatestOffchainParamsVersion(){return await this.publicClient.readContract({address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"latestOffchainParamsVersion"})}async getTimelockPeginByVersion(e){const t=await this.getOffchainParamsByVersion(e);return K(t.timelockAssert)}async getPegInConfiguration(){const e=await this.publicClient.multicall({contracts:[{address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"getTBVProtocolParams"},{address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"getLatestOffchainParams"}],allowFailure:!1}),t=U(e[0]),n=C(e[1]);return{minimumPegInAmount:t.minimumPegInAmount,maxPegInAmount:t.maxPegInAmount,pegInAckTimeout:t.pegInAckTimeout,pegInActivationTimeout:t.pegInActivationTimeout,maxHtlcOutputCount:t.maxHtlcOutputCount,timelockPegin:K(n.timelockAssert),timelockRefund:n.tRefund,minVpCommissionBps:n.minVpCommissionBps,offchainParams:n}}}function V(r){return r.map(e=>({ethAddress:e.ethAddress,btcPubKey:e.btcPubKey}))}class Ce{constructor(e,t){this.publicClient=e,this.contractAddress=t}async getVaultKeepersByVersion(e,t){const n=await this.publicClient.readContract({address:this.contractAddress,abi:p.ApplicationRegistryABI,functionName:"getVaultKeepersByVersion",args:[e,t]});return V(n)}async getCurrentVaultKeepers(e){const t=await this.publicClient.readContract({address:this.contractAddress,abi:p.ApplicationRegistryABI,functionName:"getCurrentVaultKeepers",args:[e]});return V(t)}async getCurrentVaultKeepersVersion(e){return await this.publicClient.readContract({address:this.contractAddress,abi:p.ApplicationRegistryABI,functionName:"getCurrentVaultKeepersVersion",args:[e]})}}class Ee{constructor(e,t){this.publicClient=e,this.contractAddress=t}async getUniversalChallengersByVersion(e){const t=await this.publicClient.readContract({address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"getUniversalChallengersByVersion",args:[e]});return V(t)}async getCurrentUniversalChallengers(){const e=await this.publicClient.readContract({address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"getCurrentUniversalChallengers"});return V(e)}async getLatestUniversalChallengersVersion(){return await this.publicClient.readContract({address:this.contractAddress,abi:p.ProtocolParamsABI,functionName:"latestUniversalChallengersVersion"})}}class Be{constructor(e,t){this.publicClient=e,this.contractAddress=t}async getVaultProviderBtcPubKey(e){const n=(await this.publicClient.readContract({address:this.contractAddress,abi:b.BTCVaultRegistryABI,functionName:"getVaultProviderBTCKey",args:[e]})).toLowerCase();if(!/^0x[0-9a-f]{64}$/.test(n))throw new Error(`getVaultProviderBTCKey returned an unexpected value (vp=${e}, length ${n.length}, prefix "${n.slice(0,2)}")`);const i=n.slice(2);if(!k.isXOnlyPoint(l.hexToUint8Array(i)))throw new Error(`getVaultProviderBTCKey returned a value that is not on the secp256k1 curve (vp=${e})`);return i}async getVaultBasicInfo(e){const t=await this.publicClient.readContract({address:this.contractAddress,abi:b.BTCVaultRegistryABI,functionName:"getBtcVaultBasicInfo",args:[e]});return{depositor:t.depositor,depositorBtcPubKey:t.depositorBtcPubKey,amount:t.amount,vaultProvider:t.vaultProvider,status:t.status,applicationEntryPoint:t.applicationEntryPoint,createdAt:t.createdAt}}async getVaultProtocolInfo(e){const t=await this.publicClient.readContract({address:this.contractAddress,abi:b.BTCVaultRegistryABI,functionName:"getBtcVaultProtocolInfo",args:[e]});return{depositorSignedPeginTx:t.depositorSignedPeginTx,universalChallengersVersion:t.universalChallengersVersion,appVaultKeepersVersion:t.appVaultKeepersVersion,offchainParamsVersion:t.offchainParamsVersion,verifiedAt:t.verifiedAt,depositorWotsPkHash:t.depositorWotsPkHash,hashlock:t.hashlock,htlcVout:t.htlcVout,depositorPopSignature:t.depositorPopSignature,prePeginTxHash:t.prePeginTxHash,vaultProviderCommissionBps:t.vaultProviderCommissionBps}}async getVaultData(e){const[t,n]=await Promise.all([this.getVaultBasicInfo(e),this.getVaultProtocolInfo(e)]);if(!n.depositorSignedPeginTx||n.depositorSignedPeginTx==="0x")throw new Error(`Vault ${e} not found on-chain or has no pegin transaction`);return{basic:t,protocol:n}}}exports.ServerIdentityError=d;exports.VaultProviderRpcClient=F;exports.ViemProtocolParamsReader=Se;exports.ViemUniversalChallengerReader=Ee;exports.ViemVaultKeeperReader=Ce;exports.ViemVaultRegistryReader=Be;exports.VpResponseValidationError=s;exports.VpTokenRegistry=Z;exports.createAuthenticatedVpClient=Ve;exports.primeVpTokenRegistry=ke;exports.resolveProtocolAddresses=Te;exports.validateRequestDepositorClaimerArtifactsResponse=M;exports.verifyServerIdentity=z;exports.vpTokenRegistry=$;
+//# sourceMappingURL=vault-registry-reader-OK2V08tk.cjs.map

package/dist/vault-registry-reader-OK2V08tk.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-registry-reader-OK2V08tk.cjs","sources":["../src/tbv/core/clients/vault-provider/validators.ts","../src/tbv/core/clients/vault-provider/api.ts","../src/tbv/core/clients/vault-provider/auth/bip322Verify.ts","../src/tbv/core/clients/vault-provider/auth/cbor.ts","../src/tbv/core/clients/vault-provider/auth/serverIdentity.ts","../src/tbv/core/clients/vault-provider/auth/gatedMethods.ts","../src/tbv/core/clients/vault-provider/auth/innerTokenClient.ts","../src/tbv/core/clients/vault-provider/auth/tokenProvider.ts","../src/tbv/core/clients/vault-provider/auth/tokenRegistry.ts","../src/tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient.ts","../src/tbv/core/clients/vault-provider/auth/primeVpAuth.ts","../src/tbv/core/clients/eth/contract-address-resolver.ts","../src/tbv/core/clients/eth/protocol-params-reader.ts","../src/tbv/core/clients/eth/signer-set-reader.ts","../src/tbv/core/clients/eth/vault-registry-reader.ts"],"sourcesContent":["/**\n * Runtime validation for vault provider RPC responses.\n *\n * All VP RPC methods return untyped JSON that TypeScript generics cast without\n * inspection. These validators check the critical top-level fields and\n * security-relevant values (status, txids, pubkeys). Optional progress\n * sub-fields (gc_data, ack_collection, claimer_graphs) are NOT validated\n * since they are informational and not used for signing or transaction\n * construction. Only `progress.presigning` sub-fields are checked.\n */\n\nimport {\n  COMPRESSED_PUBKEY_HEX_LEN,\n  X_ONLY_PUBKEY_HEX_LEN,\n} from \"../../primitives/utils/bitcoin\";\nimport { HEX_RE } from \"../../utils/validation\";\n\nimport { DaemonStatus } from \"./types\";\nimport type {\n  GetPeginStatusResponse,\n  GetPegoutStatusResponse,\n  RequestDepositorClaimerArtifactsResponse,\n  RequestDepositorPresignTransactionsResponse,\n} from \"./types\";\n\nconst DAEMON_STATUS_VALUES = new Set<string>(Object.values(DaemonStatus));\n\nconst VP_ERROR_PREVIEW_MAX_LEN = 200;\n\nfunction preview(value: unknown): string {\n  return (\n    JSON.stringify(value)?.slice(0, VP_ERROR_PREVIEW_MAX_LEN) ?? \"undefined\"\n  );\n}\n\nconst VP_VALIDATION_USER_MESSAGE =\n  \"The vault provider returned an unexpected response. Please try again or contact support.\";\n\n/**\n * Thrown when a VP RPC response fails runtime validation.\n *\n * `.message` is a user-facing string safe to display in the UI.\n * `.detail` contains the technical reason, suitable for logging.\n */\nexport class VpResponseValidationError extends Error {\n  readonly detail: string;\n\n  constructor(detail: string) {\n    super(VP_VALIDATION_USER_MESSAGE);\n    this.name = \"VpResponseValidationError\";\n    this.detail = detail;\n  }\n}\n\n/** Expected length (in hex chars) of a Bitcoin transaction ID (32 bytes). */\nconst TXID_HEX_LEN = 64;\n\nfunction isNonEmptyHex(value: unknown): value is string {\n  return typeof value === \"string\" && value.length > 0 && HEX_RE.test(value);\n}\n\nfunction isNonEmptyString(value: unknown): value is string {\n  return typeof value === \"string\" && value.length > 0;\n}\n\nfunction assertNonEmptyHex(value: unknown, field: string): void {\n  if (!isNonEmptyHex(value)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}\" must be a non-empty hex string, got ${preview(value)}`,\n    );\n  }\n}\n\nfunction assertNonEmptyString(value: unknown, field: string): void {\n  if (!isNonEmptyString(value)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}\" must be a non-empty string, got ${preview(value)}`,\n    );\n  }\n}\n\n/**\n * Accept both x-only (64-char) and compressed (66-char) pubkeys from VP responses.\n * The signing code normalizes to x-only via processPublicKeyToXOnly().\n */\nfunction assertBtcPubkey(value: unknown, field: string): void {\n  if (\n    !isNonEmptyHex(value) ||\n    (value.length !== X_ONLY_PUBKEY_HEX_LEN &&\n      value.length !== COMPRESSED_PUBKEY_HEX_LEN)\n  ) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}\" must be a ${X_ONLY_PUBKEY_HEX_LEN} or ${COMPRESSED_PUBKEY_HEX_LEN}-char hex string (BTC pubkey), got ${preview(value)}`,\n    );\n  }\n}\n\n/**\n * Validate the optional presigning progress fields returned inside PeginProgressDetails.\n */\nfunction validatePresigningProgressFields(\n  progress: Record<string, unknown>,\n): void {\n  const presigning = progress.presigning;\n  if (presigning === undefined || presigning === null) return;\n  if (typeof presigning !== \"object\" || Array.isArray(presigning)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"progress.presigning\" must be an object if present`,\n    );\n  }\n\n  const p = presigning as Record<string, unknown>;\n\n  if (\n    p.depositor_graph_created !== undefined &&\n    typeof p.depositor_graph_created !== \"boolean\"\n  ) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"progress.presigning.depositor_graph_created\" must be a boolean if present, got ${preview(p.depositor_graph_created)}`,\n    );\n  }\n\n  if (\n    p.vk_challenger_presigning_completed !== undefined &&\n    typeof p.vk_challenger_presigning_completed !== \"number\"\n  ) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"progress.presigning.vk_challenger_presigning_completed\" must be a number if present, got ${preview(p.vk_challenger_presigning_completed)}`,\n    );\n  }\n\n  if (\n    p.vk_challenger_presigning_total !== undefined &&\n    typeof p.vk_challenger_presigning_total !== \"number\"\n  ) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"progress.presigning.vk_challenger_presigning_total\" must be a number if present, got ${preview(p.vk_challenger_presigning_total)}`,\n    );\n  }\n}\n\n/**\n * Validate a getPeginStatus response.\n *\n * Throws if the status field is not a recognized DaemonStatus value.\n */\nexport function validateGetPeginStatusResponse(\n  response: unknown,\n): asserts response is GetPeginStatusResponse {\n  if (response === null || typeof response !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: getPeginStatus response is not an object`,\n    );\n  }\n\n  const r = response as Record<string, unknown>;\n\n  if (!isNonEmptyHex(r.pegin_txid) || r.pegin_txid.length !== TXID_HEX_LEN) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"pegin_txid\" must be a ${TXID_HEX_LEN}-char hex string (txid), got ${preview(r.pegin_txid)}`,\n    );\n  }\n\n  if (typeof r.status !== \"string\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"status\" must be a string`,\n    );\n  }\n\n  if (!DAEMON_STATUS_VALUES.has(r.status)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: unrecognized status \"${r.status}\". Expected one of: ${[...DAEMON_STATUS_VALUES].join(\", \")}`,\n    );\n  }\n\n  if (\n    r.progress === null ||\n    typeof r.progress !== \"object\" ||\n    Array.isArray(r.progress)\n  ) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"progress\" must be an object`,\n    );\n  }\n\n  validatePresigningProgressFields(r.progress as Record<string, unknown>);\n\n  if (typeof r.health_info !== \"string\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"health_info\" must be a string`,\n    );\n  }\n\n  if (r.last_error !== undefined && typeof r.last_error !== \"string\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"last_error\" must be a string if present, got ${preview(r.last_error)}`,\n    );\n  }\n}\n\n/**\n * Validate a requestDepositorPresignTransactions response.\n */\nexport function validateRequestDepositorPresignTransactionsResponse(\n  response: unknown,\n): asserts response is RequestDepositorPresignTransactionsResponse {\n  if (response === null || typeof response !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: requestDepositorPresignTransactions response is not an object`,\n    );\n  }\n\n  const r = response as Record<string, unknown>;\n\n  if (!Array.isArray(r.txs)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"txs\" must be an array`,\n    );\n  }\n\n  for (let i = 0; i < r.txs.length; i++) {\n    validateClaimerTransactions(r.txs[i], `txs[${i}]`);\n  }\n\n  if (r.depositor_graph === null || typeof r.depositor_graph !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"depositor_graph\" must be an object`,\n    );\n  }\n\n  validateDepositorGraphTransactions(\n    r.depositor_graph as Record<string, unknown>,\n  );\n}\n\nfunction validateTransactionData(value: unknown, field: string): void {\n  if (value === null || typeof value !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}\" must be an object`,\n    );\n  }\n  const tx = value as Record<string, unknown>;\n  assertNonEmptyHex(tx.tx_hex, `${field}.tx_hex`);\n}\n\nfunction validateClaimerTransactions(value: unknown, field: string): void {\n  if (value === null || typeof value !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}\" must be an object`,\n    );\n  }\n\n  const tx = value as Record<string, unknown>;\n\n  assertBtcPubkey(tx.claimer_pubkey, `${field}.claimer_pubkey`);\n  validateTransactionData(tx.claim_tx, `${field}.claim_tx`);\n  validateTransactionData(tx.assert_tx, `${field}.assert_tx`);\n  validateTransactionData(tx.payout_tx, `${field}.payout_tx`);\n  assertNonEmptyString(tx.payout_psbt, `${field}.payout_psbt`);\n}\n\nfunction validateChallengeAssertConnectorData(\n  value: unknown,\n  field: string,\n): void {\n  if (value === null || typeof value !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}\" must be an object`,\n    );\n  }\n\n  const c = value as Record<string, unknown>;\n  assertNonEmptyString(c.wots_pks_json, `${field}.wots_pks_json`);\n  assertNonEmptyString(c.gc_wots_keys_json, `${field}.gc_wots_keys_json`);\n}\n\nfunction validatePresignDataPerChallenger(value: unknown, field: string): void {\n  if (value === null || typeof value !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}\" must be an object`,\n    );\n  }\n\n  const d = value as Record<string, unknown>;\n\n  assertBtcPubkey(d.challenger_pubkey, `${field}.challenger_pubkey`);\n  validateTransactionData(\n    d.challenge_assert_x_tx,\n    `${field}.challenge_assert_x_tx`,\n  );\n  validateTransactionData(\n    d.challenge_assert_y_tx,\n    `${field}.challenge_assert_y_tx`,\n  );\n  validateTransactionData(d.nopayout_tx, `${field}.nopayout_tx`);\n  assertNonEmptyString(d.nopayout_psbt, `${field}.nopayout_psbt`);\n\n  if (!Array.isArray(d.challenge_assert_connectors)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}.challenge_assert_connectors\" must be an array`,\n    );\n  }\n\n  for (let i = 0; i < d.challenge_assert_connectors.length; i++) {\n    validateChallengeAssertConnectorData(\n      d.challenge_assert_connectors[i],\n      `${field}.challenge_assert_connectors[${i}]`,\n    );\n  }\n\n  if (!Array.isArray(d.output_label_hashes)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"${field}.output_label_hashes\" must be an array`,\n    );\n  }\n\n  for (let i = 0; i < d.output_label_hashes.length; i++) {\n    assertNonEmptyHex(\n      d.output_label_hashes[i],\n      `${field}.output_label_hashes[${i}]`,\n    );\n  }\n}\n\n/**\n * Validate a requestDepositorClaimerArtifacts response.\n */\nexport function validateRequestDepositorClaimerArtifactsResponse(\n  response: unknown,\n): asserts response is RequestDepositorClaimerArtifactsResponse {\n  if (response === null || typeof response !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: requestDepositorClaimerArtifacts response is not an object`,\n    );\n  }\n\n  const r = response as Record<string, unknown>;\n\n  if (!isNonEmptyString(r.tx_graph_json)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"tx_graph_json\" must be a non-empty string, got ${preview(r.tx_graph_json)}`,\n    );\n  }\n\n  if (!isNonEmptyHex(r.verifying_key_hex)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"verifying_key_hex\" must be a non-empty hex string, got ${preview(r.verifying_key_hex)}`,\n    );\n  }\n\n  if (r.babe_sessions === null || typeof r.babe_sessions !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"babe_sessions\" must be an object`,\n    );\n  }\n\n  for (const [key, session] of Object.entries(\n    r.babe_sessions as Record<string, unknown>,\n  )) {\n    if (session === null || typeof session !== \"object\") {\n      throw new VpResponseValidationError(\n        `VP response validation failed: \"babe_sessions.${key}\" must be an object`,\n      );\n    }\n    const s = session as Record<string, unknown>;\n    if (!isNonEmptyHex(s.decryptor_artifacts_hex)) {\n      throw new VpResponseValidationError(\n        `VP response validation failed: \"babe_sessions.${key}.decryptor_artifacts_hex\" must be a non-empty hex string, got ${preview(s.decryptor_artifacts_hex)}`,\n      );\n    }\n  }\n}\n\n/**\n * Validate a getPegoutStatus response.\n */\nexport function validateGetPegoutStatusResponse(\n  response: unknown,\n): asserts response is GetPegoutStatusResponse {\n  if (response === null || typeof response !== \"object\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: getPegoutStatus response is not an object`,\n    );\n  }\n\n  const r = response as Record<string, unknown>;\n\n  if (!isNonEmptyHex(r.pegin_txid) || r.pegin_txid.length !== TXID_HEX_LEN) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"pegin_txid\" must be a ${TXID_HEX_LEN}-char hex string (txid), got ${preview(r.pegin_txid)}`,\n    );\n  }\n\n  if (typeof r.found !== \"boolean\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"found\" must be a boolean, got ${preview(r.found)}`,\n    );\n  }\n\n  if (r.claimer !== undefined) {\n    if (r.claimer === null || typeof r.claimer !== \"object\") {\n      throw new VpResponseValidationError(\n        `VP response validation failed: \"claimer\" must be an object if present`,\n      );\n    }\n    const claimer = r.claimer as Record<string, unknown>;\n    if (typeof claimer.status !== \"string\") {\n      throw new VpResponseValidationError(\n        `VP response validation failed: \"claimer.status\" must be a string, got ${preview(claimer.status)}`,\n      );\n    }\n    if (typeof claimer.failed !== \"boolean\") {\n      throw new VpResponseValidationError(\n        `VP response validation failed: \"claimer.failed\" must be a boolean, got ${preview(claimer.failed)}`,\n      );\n    }\n  }\n\n  if (r.challenger !== undefined) {\n    if (r.challenger === null || typeof r.challenger !== \"object\") {\n      throw new VpResponseValidationError(\n        `VP response validation failed: \"challenger\" must be an object if present`,\n      );\n    }\n    const challenger = r.challenger as Record<string, unknown>;\n    if (typeof challenger.status !== \"string\") {\n      throw new VpResponseValidationError(\n        `VP response validation failed: \"challenger.status\" must be a string, got ${preview(challenger.status)}`,\n      );\n    }\n  }\n}\n\nfunction validateDepositorGraphTransactions(\n  graph: Record<string, unknown>,\n): void {\n  validateTransactionData(graph.claim_tx, \"depositor_graph.claim_tx\");\n  validateTransactionData(graph.assert_tx, \"depositor_graph.assert_tx\");\n  validateTransactionData(graph.payout_tx, \"depositor_graph.payout_tx\");\n  assertNonEmptyString(graph.payout_psbt, \"depositor_graph.payout_psbt\");\n\n  if (!Array.isArray(graph.challenger_presign_data)) {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"depositor_graph.challenger_presign_data\" must be an array`,\n    );\n  }\n\n  for (let i = 0; i < graph.challenger_presign_data.length; i++) {\n    validatePresignDataPerChallenger(\n      graph.challenger_presign_data[i],\n      `depositor_graph.challenger_presign_data[${i}]`,\n    );\n  }\n\n  if (typeof graph.offchain_params_version !== \"number\") {\n    throw new VpResponseValidationError(\n      `VP response validation failed: \"depositor_graph.offchain_params_version\" must be a number`,\n    );\n  }\n}\n","/**\n * JSON-RPC client for the Vault Provider API.\n *\n * Wraps {@link JsonRpcClient} with typed methods matching the\n * `vaultProvider_*` RPC namespace defined in the btc-vault pegin spec.\n *\n * Implements the narrow service interfaces (PeginStatusReader, WotsKeySubmitter,\n * PresignClient, ClaimerArtifactsReader) so it can be passed directly to\n * any deposit protocol service function.\n *\n * @see https://github.com/babylonlabs-io/btc-vault/blob/main/docs/pegin.md\n */\n\nimport type { PeginStatusReader, WotsKeySubmitter, PresignClient, ClaimerArtifactsReader } from \"../../services/deposit/interfaces\";\n\nimport {\n  type BearerTokenProvider,\n  JsonRpcClient,\n  type JsonRpcClientConfig,\n} from \"./json-rpc-client\";\nimport type {\n  GetPeginStatusParams,\n  GetPeginStatusResponse,\n  GetPegoutStatusParams,\n  GetPegoutStatusResponse,\n  RequestDepositorClaimerArtifactsParams,\n  RequestDepositorClaimerArtifactsResponse,\n  RequestDepositorPresignTransactionsParams,\n  RequestDepositorPresignTransactionsResponse,\n  SubmitDepositorPresignaturesParams,\n  SubmitDepositorWotsKeyParams,\n} from \"./types\";\nimport {\n  validateGetPeginStatusResponse,\n  validateGetPegoutStatusResponse,\n  validateRequestDepositorClaimerArtifactsResponse,\n  validateRequestDepositorPresignTransactionsResponse,\n} from \"./validators\";\n\nexport interface VaultProviderRpcClientOptions {\n  /** Timeout in milliseconds per request (default: 60000) */\n  timeout?: number;\n  /** Number of retry attempts for safe methods (default: 3) */\n  retries?: number;\n  /** Initial retry delay in milliseconds (default: 1000) */\n  retryDelay?: number;\n  /**\n   * Custom retry predicate. Default retries only the idempotent read\n   * methods: `getPeginStatus`, `getPegoutStatus`,\n   * `requestDepositorPresignTransactions`.\n   */\n  retryableFor?: (method: string) => boolean;\n  /** Custom headers. */\n  headers?: Record<string, string>;\n  /**\n   * Per-request bearer-token source. A non-null return attaches\n   * `Authorization: Bearer <token>`; `null` skips auth. Wire a\n   * {@link VpTokenProvider} for depositor-gated methods.\n   */\n  tokenProvider?: BearerTokenProvider;\n  /** Maximum response body size, in bytes, for typed JSON-RPC calls */\n  maxResponseBytes?: number;\n}\n\nconst DEFAULT_TIMEOUT_MS = 60_000;\n\n/**\n * Concrete VP RPC client implementing all service interfaces.\n *\n * Usage:\n * ```ts\n * const client = new VaultProviderRpcClient(\"https://vp.example.com/rpc\");\n * const status = await client.getPeginStatus({ pegin_txid: \"abc...\" });\n * ```\n */\nexport class VaultProviderRpcClient\n  implements PeginStatusReader, WotsKeySubmitter, PresignClient, ClaimerArtifactsReader\n{\n  private client: JsonRpcClient;\n\n  constructor(baseUrl: string, options?: VaultProviderRpcClientOptions) {\n    const config: JsonRpcClientConfig = {\n      baseUrl,\n      timeout: options?.timeout ?? DEFAULT_TIMEOUT_MS,\n      retries: options?.retries,\n      retryDelay: options?.retryDelay,\n      retryableFor: options?.retryableFor,\n      headers: options?.headers,\n      tokenProvider: options?.tokenProvider,\n      maxResponseBytes: options?.maxResponseBytes,\n    };\n    this.client = new JsonRpcClient(config);\n  }\n\n  /**\n   * Request the payout/claim/assert transactions that the depositor\n   * needs to pre-sign before the vault can be activated on Bitcoin.\n   */\n  async requestDepositorPresignTransactions(\n    params: RequestDepositorPresignTransactionsParams,\n    signal?: AbortSignal,\n  ): Promise<RequestDepositorPresignTransactionsResponse> {\n    const response = await this.client.call<\n      RequestDepositorPresignTransactionsParams,\n      unknown\n    >(\"vaultProvider_requestDepositorPresignTransactions\", params, signal);\n    validateRequestDepositorPresignTransactionsResponse(response);\n    return response;\n  }\n\n  /**\n   * Submit the depositor's pre-signatures for the payout transactions\n   * and the depositor-as-claimer graph.\n   */\n  async submitDepositorPresignatures(\n    params: SubmitDepositorPresignaturesParams,\n    signal?: AbortSignal,\n  ): Promise<void> {\n    return this.client.call<SubmitDepositorPresignaturesParams, void>(\n      \"vaultProvider_submitDepositorPresignatures\",\n      params,\n      signal,\n    );\n  }\n\n  /**\n   * Submit the depositor's WOTS public key to the vault provider.\n   * Called after the pegin is finalized on Ethereum, when the VP is in\n   * `PendingDepositorWotsPK` status.\n   */\n  async submitDepositorWotsKey(\n    params: SubmitDepositorWotsKeyParams,\n    signal?: AbortSignal,\n  ): Promise<void> {\n    return this.client.call<SubmitDepositorWotsKeyParams, void>(\n      \"vaultProvider_submitDepositorWotsKey\",\n      params,\n      signal,\n    );\n  }\n\n  /**\n   * Request the BaBe DecryptorArtifacts needed for the depositor to\n   * independently evaluate garbled circuits during a challenge.\n   */\n  async requestDepositorClaimerArtifacts(\n    params: RequestDepositorClaimerArtifactsParams,\n    signal?: AbortSignal,\n  ): Promise<RequestDepositorClaimerArtifactsResponse> {\n    const response = await this.client.call<\n      RequestDepositorClaimerArtifactsParams,\n      unknown\n    >(\"vaultProvider_requestDepositorClaimerArtifacts\", params, signal);\n    validateRequestDepositorClaimerArtifactsResponse(response);\n    return response;\n  }\n\n  /** Get the current pegin status from the vault provider daemon. */\n  async getPeginStatus(\n    params: GetPeginStatusParams,\n    signal?: AbortSignal,\n  ): Promise<GetPeginStatusResponse> {\n    const response = await this.client.call<GetPeginStatusParams, unknown>(\n      \"vaultProvider_getPeginStatus\",\n      params,\n      signal,\n    );\n    validateGetPeginStatusResponse(response);\n    return response;\n  }\n\n  /** Get the current pegout status from the vault provider daemon. */\n  async getPegoutStatus(\n    params: GetPegoutStatusParams,\n    signal?: AbortSignal,\n  ): Promise<GetPegoutStatusResponse> {\n    const response = await this.client.call<GetPegoutStatusParams, unknown>(\n      \"vaultProvider_getPegoutStatus\",\n      params,\n      signal,\n    );\n    validateGetPegoutStatusResponse(response);\n    return response;\n  }\n}\n","/**\n * BIP-322 \"simple\" signature verification for P2TR key-path.\n *\n * Mirrors the Rust reference in\n * `btc-vault/crates/btc-signer/src/message.rs::verify_bip322_message`\n * (which delegates to `rust-bitcoin::bip322::verify_simple` for a\n * P2TR key-path-only address with no merkle root).\n *\n * The algorithm:\n *\n *   1. Compute the BIP-322 tagged-hash of the message:\n *        m_hash = SHA256( SHA256(tag) || SHA256(tag) || message )\n *      where tag = \"BIP0322-signed-message\".\n *\n *   2. Build a virtual \"to_spend\" transaction with one input (prevout\n *      all-zero txid + 0xFFFFFFFF vout, scriptSig = `OP_0 PUSH32 m_hash`,\n *      sequence = 0) and one output (value 0, scriptPubKey = P2TR for\n *      the signer's x-only pubkey).\n *\n *   3. Build a \"to_sign\" transaction that spends to_spend[0] and has a\n *      single `OP_RETURN` output (value 0).\n *\n *   4. Compute the BIP-341 taproot sighash of to_sign input 0 with\n *      SIGHASH_DEFAULT (0x00).\n *\n *   5. Verify the 64-byte Schnorr signature against the **tweaked**\n *      output key `Q = P + tap_tweak(P) * G`, where `tap_tweak(P) =\n *      hash_TapTweak(serialize_x_only(P))` (no merkle root — key-path\n *      only).\n *\n * `bitcoinjs-lib` handles (2)–(4); `tiny-secp256k1-asmjs` provides\n * the tweak and Schnorr verify. Pulling in a full BIP-322 library\n * would add a peer dep for what amounts to ~40 lines of glue.\n *\n * @module tbv/core/clients/vault-provider/auth/bip322Verify\n */\n\nimport * as ecc from \"@bitcoin-js/tiny-secp256k1-asmjs\";\nimport { payments, Transaction } from \"bitcoinjs-lib\";\n\nimport { Buffer } from \"buffer\";\nimport { sha256 } from \"@noble/hashes/sha2.js\";\n\n/** BIP-322 message tag (BIP-340 tagged-hash style). */\nconst BIP322_TAG = \"BIP0322-signed-message\";\n\n/** BIP-341 taproot-tweak tag. */\nconst TAPTWEAK_TAG = \"TapTweak\";\n\nconst X_ONLY_PUBKEY_SIZE = 32;\nconst SCHNORR_SIG_SIZE = 64;\n\n/**\n * BIP-340 tagged hash: `SHA256( SHA256(tag) || SHA256(tag) || data )`.\n * Used for both BIP-322 message hashing and BIP-341 tap-tweak.\n */\nfunction taggedHash(tag: string, data: Uint8Array): Uint8Array {\n  const tagBytes = new TextEncoder().encode(tag);\n  const tagHash = sha256(tagBytes);\n  const preimage = new Uint8Array(tagHash.length * 2 + data.length);\n  preimage.set(tagHash, 0);\n  preimage.set(tagHash, tagHash.length);\n  preimage.set(data, tagHash.length * 2);\n  return sha256(preimage);\n}\n\n/**\n * Apply BIP-341 taproot tweak to an x-only pubkey with no merkle\n * root (key-path-only address).\n *\n * `tap_tweak = hash_TapTweak(P)`\n * `Q = P + tap_tweak * G` (x-only, even-Y parity)\n *\n * Returns the tweaked 32-byte x-only pubkey, or null if the tweak\n * produces a point-at-infinity or invalid result.\n */\nfunction tweakXOnlyKey(xOnly: Uint8Array): Uint8Array | null {\n  if (xOnly.length !== X_ONLY_PUBKEY_SIZE) return null;\n  const tweak = taggedHash(TAPTWEAK_TAG, xOnly);\n  const tweaked = ecc.xOnlyPointAddTweak(xOnly, tweak);\n  return tweaked ? tweaked.xOnlyPubkey : null;\n}\n\n/**\n * Verify a BIP-322 \"simple\" P2TR key-path signature over an arbitrary\n * byte message.\n *\n * @internal Exposed only so the golden-vector test suite can pin the\n * verifier independently of `verifyServerIdentity`. Production callers\n * should use `verifyServerIdentity` from `./serverIdentity` instead.\n *\n * @param messageBytes - The bytes that were signed (e.g. a CBOR-encoded\n *                       payload). Not pre-hashed; this function applies\n *                       the BIP-322 tagged hash internally.\n * @param xOnlyPubkey  - 32-byte x-only pubkey of the signer (pre-tweak).\n * @param signature    - 64-byte raw Schnorr signature (BIP-340), as\n *                       emitted by a key-path witness with\n *                       SIGHASH_DEFAULT.\n * @returns `true` if the signature verifies against the address\n *          derived from `xOnlyPubkey`; `false` otherwise.\n */\nexport function verifyBip322Simple(\n  messageBytes: Uint8Array,\n  xOnlyPubkey: Uint8Array,\n  signature: Uint8Array,\n): boolean {\n  if (xOnlyPubkey.length !== X_ONLY_PUBKEY_SIZE) return false;\n  if (signature.length !== SCHNORR_SIG_SIZE) return false;\n\n  // Any exception from the underlying crypto libraries (e.g. the\n  // `Expected Point` error `tiny-secp256k1` throws when the supplied\n  // 32 bytes don't represent a valid x-coordinate on secp256k1) is\n  // treated as a verification failure rather than propagated — a\n  // verifier MUST return a boolean, not raise.\n  try {\n    // Step 1: BIP-322 tagged hash of the message.\n    const messageHash = taggedHash(BIP322_TAG, messageBytes);\n\n    // Step 2: scriptPubKey for the signer's P2TR key-path-only address.\n    // bitcoinjs-lib's `payments.p2tr({ internalPubkey })` computes the\n    // tweak and produces the `OP_1 <tweaked_xonly>` output script.\n    const p2tr = payments.p2tr({\n      internalPubkey: Buffer.from(xOnlyPubkey),\n    });\n    if (!p2tr.output) return false;\n    const scriptPubKey = p2tr.output;\n\n    // Step 3: build to_spend virtual tx.\n    //\n    // NOTE: bitcoinjs-lib v6.x's `Transaction.addOutput` and\n    // `hashForWitnessV1` are typed for `Satoshi` (a UInt53 number),\n    // not `bigint`. Passing `BigInt(0)` triggers a typeforce\n    // assertion in `addOutput` (\"Expected property '1' of type\n    // Satoshi, got BigInt 0\") which our outer try/catch silently\n    // turns into `verify -> false`. Use plain `0` everywhere.\n    const ZERO_SATS = 0;\n    const toSpend = new Transaction();\n    toSpend.version = 0;\n    toSpend.locktime = 0;\n    // scriptSig: OP_0 (0x00) + OP_PUSHBYTES_32 (0x20) + message_hash (32B)\n    const scriptSig = Buffer.concat([\n      Buffer.from([0x00, 0x20]),\n      Buffer.from(messageHash),\n    ]);\n    toSpend.addInput(\n      Buffer.alloc(32, 0), // prev_txid = 0x0000...0000\n      0xffffffff,          // prev_vout = 0xFFFFFFFF\n      0,                   // sequence = 0\n      scriptSig,\n    );\n    toSpend.addOutput(scriptPubKey, ZERO_SATS);\n\n    // Step 4: build to_sign virtual tx spending to_spend[0].\n    const toSign = new Transaction();\n    toSign.version = 0;\n    toSign.locktime = 0;\n    // Bitcoin txid in natural-byte (little-endian) form.\n    const toSpendTxid = toSpend.getHash();\n    toSign.addInput(toSpendTxid, 0, 0);\n    toSign.addOutput(Buffer.from([0x6a]), ZERO_SATS); // OP_RETURN\n\n    // Step 5: taproot sighash for to_sign input 0 (SIGHASH_DEFAULT).\n    const sighash = toSign.hashForWitnessV1(\n      0,\n      [scriptPubKey],\n      [ZERO_SATS],\n      Transaction.SIGHASH_DEFAULT,\n    );\n\n    // Step 6: tweak the x-only pubkey (no merkle root) and verify Schnorr.\n    const tweakedXOnly = tweakXOnlyKey(xOnlyPubkey);\n    if (!tweakedXOnly) return false;\n\n    return ecc.verifySchnorr(sighash, tweakedXOnly, signature);\n  } catch {\n    return false;\n  }\n}\n","/**\n * Minimal CBOR encoder for the server-identity payload shape.\n *\n * We only need to encode one specific CBOR structure — the 3-tuple\n * `(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey_bytes, expires_at_u64)` —\n * byte-for-byte identical to what the Rust `ciborium` crate produces\n * for the corresponding tuple, because that's the exact message the\n * VP signs with BIP-322.\n *\n * IMPORTANT encoding quirk: the Rust side passes the domain and\n * pubkey as `&[u8]` / `Vec<u8>` without a `#[serde(with = \"serde_bytes\")]`\n * attribute, so serde/ciborium encodes them as **CBOR arrays of u8**\n * (major type 4, one item per byte) — NOT as CBOR byte strings (major\n * type 2). A naive byte-string encoding would produce the wrong bytes\n * and signature verification would fail.\n *\n * Rather than pull in a full CBOR dependency for this one shape, we\n * implement the exact subset inline (~40 LOC) and pin it with golden\n * vectors against the Rust reference output.\n *\n * @module tbv/core/clients/vault-provider/auth/cbor\n */\n\n/**\n * Encode a small CBOR unsigned-integer \"head\" byte for major type\n * `major` (0..7) with argument `arg` (0..2^64-1).\n *\n * Returns the header bytes; the caller concatenates any trailing data\n * (e.g. array elements). Encoding rules:\n *   arg < 24         → single byte `(major << 5) | arg`\n *   arg < 256        → `(major << 5) | 24` + 1-byte arg\n *   arg < 65536      → `(major << 5) | 25` + 2-byte BE arg\n *   arg < 2^32       → `(major << 5) | 26` + 4-byte BE arg\n *   arg < 2^64       → `(major << 5) | 27` + 8-byte BE arg\n */\nfunction cborHead(major: number, arg: number | bigint): Uint8Array {\n  const tag = (major & 0x07) << 5;\n  const n = typeof arg === \"bigint\" ? arg : BigInt(arg);\n  if (n < 0n) throw new Error(\"cborHead: negative argument\");\n\n  if (n < 24n) return new Uint8Array([tag | Number(n)]);\n  if (n < 0x100n) return new Uint8Array([tag | 24, Number(n)]);\n  if (n < 0x10000n) {\n    const v = Number(n);\n    return new Uint8Array([tag | 25, (v >>> 8) & 0xff, v & 0xff]);\n  }\n  if (n < 0x1_0000_0000n) {\n    const v = Number(n);\n    return new Uint8Array([\n      tag | 26,\n      (v >>> 24) & 0xff,\n      (v >>> 16) & 0xff,\n      (v >>> 8) & 0xff,\n      v & 0xff,\n    ]);\n  }\n  // 8-byte BE for u64 range\n  const out = new Uint8Array(9);\n  out[0] = tag | 27;\n  for (let i = 7; i >= 0; i--) {\n    out[1 + i] = Number(n >> BigInt((7 - i) * 8)) & 0xff;\n  }\n  return out;\n}\n\nfunction concat(...parts: Uint8Array[]): Uint8Array {\n  const total = parts.reduce((s, p) => s + p.length, 0);\n  const out = new Uint8Array(total);\n  let offset = 0;\n  for (const p of parts) {\n    out.set(p, offset);\n    offset += p.length;\n  }\n  return out;\n}\n\n/**\n * Encode a `Vec<u8>` / `&[u8]` the way ciborium does by default — as a\n * CBOR array of u8 (major type 4), one element per byte.\n *\n * Each byte becomes a CBOR unsigned integer (major type 0): bytes\n * < 24 are encoded as single bytes, bytes 24..255 as `0x18 XX`.\n */\nfunction encodeBytesAsArrayOfU8(bytes: Uint8Array): Uint8Array {\n  const header = cborHead(4, bytes.length);\n  const items: Uint8Array[] = [header];\n  for (const b of bytes) {\n    items.push(cborHead(0, b));\n  }\n  return concat(...items);\n}\n\n/**\n * Encode the server-identity payload the Rust side signs:\n *\n *     ciborium::into_writer(\n *       &(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey.serialize().to_vec(), expires_at),\n *       buf\n *     )\n *\n * Output bytes are byte-for-byte identical to the Rust reference,\n * pinned by the golden vector in the corresponding test file.\n *\n * @internal Exposed only for the golden-vector test that pins this\n * encoding against ciborium's output. Production callers reach this\n * via `verifyServerIdentity` from `./serverIdentity`.\n *\n * @param domain - Must be `\"btc-auth.server-identity.v1\"` (27 bytes)\n *                 — the constant from btc-vault's `server_identity.rs`.\n * @param ephemeralPubkeyCompressed - 33-byte SEC1-compressed pubkey.\n * @param expiresAt - Unix timestamp (seconds). Must be a safe integer.\n */\nexport function encodeServerIdentityPayload(\n  domain: Uint8Array,\n  ephemeralPubkeyCompressed: Uint8Array,\n  expiresAt: number,\n): Uint8Array {\n  if (!Number.isSafeInteger(expiresAt) || expiresAt < 0) {\n    throw new Error(\n      `encodeServerIdentityPayload: expires_at must be a non-negative safe integer, got ${expiresAt}`,\n    );\n  }\n  const arrayHeader = cborHead(4, 3); // 3-tuple encoded as array of 3\n  const domainBytes = encodeBytesAsArrayOfU8(domain);\n  const pubkeyBytes = encodeBytesAsArrayOfU8(ephemeralPubkeyCompressed);\n  const expiresAtBytes = cborHead(0, expiresAt);\n  return concat(arrayHeader, domainBytes, pubkeyBytes, expiresAtBytes);\n}\n","/**\n * Server-identity verification for the vault provider's\n * `auth_createDepositorToken` response.\n *\n * The VP returns a `ServerIdentityResponse` bundled with every issued\n * token:\n *\n *   - `server_pubkey`:    VP's persistent x-only pubkey (HEX, 32B)\n *   - `ephemeral_pubkey`: VP's ephemeral token-signing key (HEX, 33B compressed)\n *   - `expires_at`:       Unix timestamp when the ephemeral key expires\n *   - `signature`:        BIP-322 signature by the persistent key over\n *                         `(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey, expires_at)`\n *\n * The FE pins `server_pubkey` against the on-chain `VaultProvider.btcPubKey`\n * it reads from the registry contract. A mismatch rejects the token.\n *\n * @module tbv/core/clients/vault-provider/auth/serverIdentity\n */\n\nimport * as ecc from \"@bitcoin-js/tiny-secp256k1-asmjs\";\n\nimport {\n  COMPRESSED_PUBKEY_HEX_LEN,\n  SCHNORR_SIG_HEX_LEN,\n  stripHexPrefix,\n  X_ONLY_PUBKEY_HEX_LEN,\n} from \"../../../primitives/utils/bitcoin\";\nimport { HEX_RE } from \"../../../utils/validation\";\n\nimport { verifyBip322Simple } from \"./bip322Verify\";\nimport { encodeServerIdentityPayload } from \"./cbor\";\n\n/**\n * Byte-string domain the btc-vault Rust reference passes as the first\n * element of the CBOR tuple signed over for server-identity proofs.\n * Must match `SERVER_IDENTITY_DOMAIN` in\n * `btc-vault/crates/btc-auth/src/server_identity.rs`.\n */\nconst SERVER_IDENTITY_DOMAIN = new TextEncoder().encode(\n  \"btc-auth.server-identity.v1\",\n);\n\n/**\n * Wire representation from btc-vault's `ServerIdentityResponse`.\n */\nexport interface ServerIdentityResponse {\n  /** Hex-encoded x-only (32-byte) persistent server pubkey. */\n  server_pubkey: string;\n  /** Hex-encoded compressed (33-byte) ephemeral token-signing pubkey. */\n  ephemeral_pubkey: string;\n  /** Unix timestamp at which the ephemeral key expires. */\n  expires_at: number;\n  /** Hex-encoded 64-byte BIP-322 Schnorr signature. */\n  signature: string;\n}\n\nexport interface VerifyServerIdentityInput {\n  /** The proof returned by `auth_createDepositorToken`. */\n  proof: ServerIdentityResponse;\n  /**\n   * The x-only persistent server pubkey the FE expects (sourced from\n   * the on-chain `VaultProvider.btcPubKey` via the vault registry\n   * reader). 64-char lowercase hex, no `0x` prefix.\n   */\n  pinnedServerPubkey: string;\n  /** Current Unix timestamp in seconds. Injected for testability. */\n  now: number;\n}\n\nexport class ServerIdentityError extends Error {\n  constructor(\n    message: string,\n    public readonly reason:\n      | \"pinned_pubkey_mismatch\"\n      | \"expired\"\n      | \"invalid_expires_at\"\n      | \"invalid_pubkey_encoding\"\n      | \"invalid_ephemeral_pubkey\"\n      | \"invalid_signature_encoding\"\n      | \"signature_verification_failed\",\n  ) {\n    super(message);\n    this.name = \"ServerIdentityError\";\n  }\n}\n\n/** Parse a lowercase-hex string to bytes. Expects even length, already validated. */\nfunction hexToBytes(hex: string): Uint8Array {\n  const out = new Uint8Array(hex.length / 2);\n  for (let i = 0; i < out.length; i++) {\n    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);\n  }\n  return out;\n}\n\n\n/**\n * Verify a server identity proof against a pinned server pubkey.\n *\n * Checks:\n *   1. `server_pubkey` matches the pin.\n *   2. `expires_at > now` (with integer guards).\n *   3. `ephemeral_pubkey` is a well-formed 33-byte compressed pubkey.\n *   4. `signature` is a well-formed 64-byte Schnorr hex string.\n *   5. The BIP-322 Schnorr signature cryptographically verifies\n *      against `server_pubkey` over the CBOR-encoded tuple\n *      `(SERVER_IDENTITY_DOMAIN, ephemeral_pubkey, expires_at)`.\n *\n * Step 5 is what actually binds the ephemeral key to the persistent\n * pubkey — without it, a TLS-MITM attacker who reads the pinned\n * pubkey from the on-chain registry could substitute an arbitrary\n * ephemeral pubkey paired with any lexically-valid signature.\n *\n * @throws ServerIdentityError on any validation failure.\n */\nexport function verifyServerIdentity(input: VerifyServerIdentityInput): void {\n  const { proof, pinnedServerPubkey, now } = input;\n\n  const pinned = stripHexPrefix(pinnedServerPubkey).toLowerCase();\n  if (pinned.length !== X_ONLY_PUBKEY_HEX_LEN || !HEX_RE.test(pinned)) {\n    throw new ServerIdentityError(\n      `pinnedServerPubkey must be 32-byte hex; got ${pinned.length} chars`,\n      \"invalid_pubkey_encoding\",\n    );\n  }\n\n  const actual = stripHexPrefix(proof.server_pubkey).toLowerCase();\n  if (actual.length !== X_ONLY_PUBKEY_HEX_LEN || !HEX_RE.test(actual)) {\n    throw new ServerIdentityError(\n      `server_pubkey must be 32-byte hex; got ${actual.length} chars`,\n      \"invalid_pubkey_encoding\",\n    );\n  }\n\n  if (actual !== pinned) {\n    throw new ServerIdentityError(\n      `server_pubkey does not match pinned value: expected ${pinned}, got ${actual}`,\n      \"pinned_pubkey_mismatch\",\n    );\n  }\n\n  // Validate both sides of the comparison are well-formed integers\n  // BEFORE comparing — untrusted JSON-RPC input can supply\n  // undefined/NaN/string values for `expires_at`, and relational\n  // comparisons with those silently evaluate to `false` (accepting the\n  // proof). Caller's `now` is injected but we still sanity-check it.\n  // Garbage data and \"valid but past\" both render the proof unusable\n  // but mean different things to a caller — keep the reasons distinct.\n  if (!Number.isSafeInteger(proof.expires_at)) {\n    throw new ServerIdentityError(\n      `expires_at must be a finite integer; got ${JSON.stringify(proof.expires_at)}`,\n      \"invalid_expires_at\",\n    );\n  }\n  if (!Number.isSafeInteger(now)) {\n    throw new ServerIdentityError(\n      `now must be a finite integer; got ${JSON.stringify(now)}`,\n      \"invalid_expires_at\",\n    );\n  }\n  if (proof.expires_at <= now) {\n    throw new ServerIdentityError(\n      `server identity proof expired at ${proof.expires_at}, now ${now}`,\n      \"expired\",\n    );\n  }\n\n  const eph = stripHexPrefix(proof.ephemeral_pubkey).toLowerCase();\n  if (eph.length !== COMPRESSED_PUBKEY_HEX_LEN || !HEX_RE.test(eph)) {\n    throw new ServerIdentityError(\n      `ephemeral_pubkey must be 33-byte compressed hex; got ${eph.length} chars`,\n      \"invalid_ephemeral_pubkey\",\n    );\n  }\n  const prefix = eph.slice(0, 2);\n  if (prefix !== \"02\" && prefix !== \"03\") {\n    throw new ServerIdentityError(\n      `ephemeral_pubkey must be compressed (prefix 02/03); got ${prefix}`,\n      \"invalid_ephemeral_pubkey\",\n    );\n  }\n  // Curve validation. The BIP-322 signature attests to the byte string\n  // of `ephemeral_pubkey` only, not to its curve validity. Without\n  // this check, a server could sign a structurally-valid byte string\n  // that doesn't decode to a secp256k1 point — passing verification\n  // here and surfacing as an obscure crypto error later when the\n  // depositor tries to use the key. Reject up front.\n  const ephBytes = hexToBytes(eph);\n  if (!ecc.isPoint(ephBytes)) {\n    throw new ServerIdentityError(\n      \"ephemeral_pubkey is not a valid secp256k1 point\",\n      \"invalid_ephemeral_pubkey\",\n    );\n  }\n\n  const sig = stripHexPrefix(proof.signature).toLowerCase();\n  if (sig.length !== SCHNORR_SIG_HEX_LEN || !HEX_RE.test(sig)) {\n    throw new ServerIdentityError(\n      `signature must be 64-byte Schnorr hex; got ${sig.length} chars`,\n      \"invalid_signature_encoding\",\n    );\n  }\n\n  // Cryptographic verification of the BIP-322 signature over the\n  // CBOR-encoded payload. Without this, the ephemeral-key binding is\n  // unenforced and a TLS-MITM could substitute a fake ephemeral key\n  // alongside the real (publicly-readable) pinned pubkey.\n  const payload = encodeServerIdentityPayload(\n    SERVER_IDENTITY_DOMAIN,\n    hexToBytes(eph),\n    proof.expires_at,\n  );\n  const verified = verifyBip322Simple(payload, hexToBytes(actual), hexToBytes(sig));\n  if (!verified) {\n    throw new ServerIdentityError(\n      \"BIP-322 signature verification failed — ephemeral key is not attested by pinned server pubkey\",\n      \"signature_verification_failed\",\n    );\n  }\n}\n","/**\n * VP RPC methods that require `Authorization: Bearer <token>`.\n * Protocol invariant — must be kept in sync with the VP server.\n *\n * @stability frozen\n *\n * @module tbv/core/clients/vault-provider/auth/gatedMethods\n */\n\nexport const AUTH_GATED_METHODS: ReadonlySet<string> = new Set([\n  \"vaultProvider_submitDepositorWotsKey\",\n  \"vaultProvider_submitDepositorPresignatures\",\n  \"vaultProvider_requestDepositorPresignTransactions\",\n]);\n","/**\n * Shared internals for the unauthenticated token-issuing JSON-RPC\n * client. The \"inner\" client is dedicated to `auth_createDepositorToken`\n * — it MUST NOT carry a `tokenProvider`, else the JSON-RPC header\n * builder would recurse into token acquisition.\n *\n * @module tbv/core/clients/vault-provider/auth/innerTokenClient\n */\n\nimport { JsonRpcClient } from \"../json-rpc-client\";\n\nconst TOKEN_RPC_TIMEOUT_MS = 60_000;\n\nexport const TOKEN_ISSUE_METHOD = \"auth_createDepositorToken\";\n\nexport function buildInnerTokenClient(\n  baseUrl: string,\n  headers?: Record<string, string>,\n): JsonRpcClient {\n  return new JsonRpcClient({\n    baseUrl,\n    timeout: TOKEN_RPC_TIMEOUT_MS,\n    headers,\n    retryableFor: (method) => method === TOKEN_ISSUE_METHOD,\n  });\n}\n","/**\n * `VpTokenProvider` — caches CWT bearer tokens issued by the vault\n * provider's `auth_createDepositorToken` RPC, with lazy expiry check\n * and single-flight concurrent acquire.\n *\n * Usage:\n *\n * ```ts\n * const provider = new VpTokenProvider({\n *   client,\n *   peginTxid,\n *   authAnchorHex,\n *   pinnedServerPubkey,\n *   authGatedMethods,\n * });\n * const bearer = await provider.getToken(method); // null if not gated\n * ```\n *\n * The provider implements the `BearerTokenProvider` interface expected\n * by `JsonRpcClient`. Plug directly:\n *\n * ```ts\n * const client = new JsonRpcClient({ ..., tokenProvider: provider });\n * ```\n *\n * @module tbv/core/clients/vault-provider/auth/tokenProvider\n */\n\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\nimport type { BearerTokenProvider, JsonRpcClient } from \"../json-rpc-client\";\nimport { TOKEN_ISSUE_METHOD } from \"./innerTokenClient\";\nimport {\n  type ServerIdentityResponse,\n  verifyServerIdentity,\n} from \"./serverIdentity\";\n\n/**\n * Maximum reasonable `expires_at` value (seconds since epoch). Guards\n * against a bogus far-future timestamp that would lock the cache on a\n * bad token forever. Jan 1, 2100 in Unix seconds.\n */\nconst MAX_EXPIRES_AT_SECS = 4_102_444_800;\n\n/**\n * Default safety margin before `expires_at` — we treat a token as\n * expired this many seconds before its stated expiry so that in-flight\n * requests don't race the expiry boundary.\n */\nconst DEFAULT_REFRESH_SKEW_SECS = 30;\n\n/**\n * Wire response shape of `auth_createDepositorToken`.\n */\nexport interface CreateDepositorTokenResponse {\n  /** Base64url-encoded COSE Sign1 CWT bearer token. */\n  token: string;\n  /** Unix timestamp at which the token expires. */\n  expires_at: number;\n  /** Server identity proof bundled with every token response. */\n  server_identity: ServerIdentityResponse;\n}\n\nexport interface VpTokenProviderConfig {\n  client: JsonRpcClient;\n  /** Per-vault depositor-signed PegIn tx id. NOT shared across sibling vaults in a batch. */\n  peginTxid: string;\n  /** 64-char hex of the 32-byte OP_RETURN auth-anchor preimage. */\n  authAnchorHex: string;\n  /** Pinned VP pubkey from the on-chain registry; branded so indexer mirrors can't substitute. */\n  pinnedServerPubkey: OnChainBtcPubkey;\n  /** Methods that require a bearer; `getToken` returns `null` for anything outside this set. */\n  authGatedMethods: ReadonlySet<string>;\n  /** Default {@link DEFAULT_REFRESH_SKEW_SECS}. */\n  refreshSkewSecs?: number;\n  /** Clock source for testability. */\n  now?: () => number;\n}\n\ninterface CachedToken {\n  token: string;\n  expiresAt: number;\n}\n\n/**\n * Acquire, cache, and refresh VP bearer tokens.\n *\n * Implements {@link BearerTokenProvider}. Safe to pass directly into\n * `JsonRpcClient` as `tokenProvider`.\n */\nexport class VpTokenProvider implements BearerTokenProvider {\n  // `client` is the only mutable field — see `setClient`. The\n  // identity-bearing fields (peginTxid/authAnchorHex/pinnedServerPubkey)\n  // remain readonly and are checked against re-registration in the\n  // registry's `getOrCreate`.\n  private client: JsonRpcClient;\n  private readonly peginTxid: string;\n  private readonly authAnchorHex: string;\n  private readonly pinnedServerPubkey: OnChainBtcPubkey;\n  private readonly authGatedMethods: ReadonlySet<string>;\n  private readonly refreshSkewSecs: number;\n  private readonly now: () => number;\n\n  private cached: CachedToken | null = null;\n  private inFlight: Promise<CachedToken> | null = null;\n\n  constructor(config: VpTokenProviderConfig) {\n    this.client = config.client;\n    this.peginTxid = config.peginTxid;\n    this.authAnchorHex = config.authAnchorHex;\n    this.pinnedServerPubkey = config.pinnedServerPubkey;\n    this.authGatedMethods = config.authGatedMethods;\n    this.refreshSkewSecs = config.refreshSkewSecs ?? DEFAULT_REFRESH_SKEW_SECS;\n    this.now = config.now ?? (() => Math.floor(Date.now() / 1000));\n  }\n\n  /**\n   * Return a bearer token for `method`, or `null` if `method` is not\n   * auth-gated. Triggers a token acquisition if no token is cached or\n   * the cached token is within {@link refreshSkewSecs} of expiry.\n   *\n   * The token-issuing method itself is hard-exempted from the gate —\n   * if `auth_createDepositorToken` were ever included in\n   * `authGatedMethods` (caller misconfiguration) the provider would\n   * recurse into `acquireSingleFlight` from inside the JSON-RPC header\n   * builder before `inFlight` is assigned, defeating the single-flight\n   * guard. Returning `null` here breaks that recursion deterministically.\n   */\n  async getToken(method: string): Promise<string | null> {\n    if (method === TOKEN_ISSUE_METHOD) return null;\n    if (!this.authGatedMethods.has(method)) return null;\n\n    const cached = this.cached;\n    if (cached && this.now() + this.refreshSkewSecs < cached.expiresAt) {\n      return cached.token;\n    }\n\n    const fresh = await this.acquireSingleFlight();\n    return fresh.token;\n  }\n\n  /**\n   * Drop the cached token. Next `getToken` call re-acquires.\n   * Called by `JsonRpcClient` on wire `auth_expired` responses.\n   */\n  invalidate(): void {\n    this.cached = null;\n    // Do NOT clear `inFlight` — a concurrent acquire is still valid;\n    // the invalidator is saying \"the cached token is bad\", not \"any\n    // in-flight acquire is bad\". The in-flight acquire will populate\n    // a fresh `cached` on completion.\n  }\n\n  /**\n   * Swap in a different transport for subsequent token-issuing calls.\n   * Used by the registry when a later caller registers the same\n   * `peginTxid` against a different `baseUrl` — the cached token\n   * (bound to identity, not transport) stays valid, but future\n   * refreshes hit the new URL. An in-flight acquire keeps using the\n   * old client (it captured the reference); next call uses the new.\n   */\n  setClient(client: JsonRpcClient): void {\n    this.client = client;\n  }\n\n  private acquireSingleFlight(): Promise<CachedToken> {\n    const existing = this.inFlight;\n    if (existing) return existing;\n\n    const p = (async () => {\n      try {\n        const response = await this.client.call<\n          { pegin_txid: string; auth_anchor: string },\n          CreateDepositorTokenResponse\n        >(TOKEN_ISSUE_METHOD, {\n          pegin_txid: this.peginTxid,\n          auth_anchor: this.authAnchorHex,\n        });\n\n        verifyServerIdentity({\n          proof: response.server_identity,\n          pinnedServerPubkey: this.pinnedServerPubkey,\n          now: this.now(),\n        });\n\n        // Validate wire payload before caching so a malformed response\n        // from a compromised VP or proxy can't poison the cache with\n        // unusable values (non-string token, non-integer expiry, etc.).\n        if (typeof response.token !== \"string\" || response.token.length === 0) {\n          throw new Error(\n            `VpTokenProvider: invalid token in acquire response (expected non-empty string, got ${typeof response.token})`,\n          );\n        }\n        const now = this.now();\n        if (\n          !Number.isSafeInteger(response.expires_at) ||\n          response.expires_at <= now ||\n          response.expires_at > MAX_EXPIRES_AT_SECS\n        ) {\n          throw new Error(\n            `VpTokenProvider: invalid expires_at in acquire response (got ${JSON.stringify(response.expires_at)}; must be a safe integer in (${now}, ${MAX_EXPIRES_AT_SECS}])`,\n          );\n        }\n\n        const fresh: CachedToken = {\n          token: response.token,\n          expiresAt: response.expires_at,\n        };\n        this.cached = fresh;\n        return fresh;\n      } finally {\n        this.inFlight = null;\n      }\n    })();\n\n    this.inFlight = p;\n    return p;\n  }\n}\n","/**\n * In-memory registry of {@link VpTokenProvider} instances keyed by\n * the per-vault depositor-signed PegIn tx hash. Module-level\n * singleton, per-tab, never persisted.\n *\n * @module tbv/core/clients/vault-provider/auth/tokenRegistry\n */\n\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\nimport type { JsonRpcClient } from \"../json-rpc-client\";\n\nimport { AUTH_GATED_METHODS } from \"./gatedMethods\";\nimport { VpTokenProvider } from \"./tokenProvider\";\n\nexport interface VpTokenRegistryInput {\n  client: JsonRpcClient;\n  peginTxid: string;\n  authAnchorHex: string;\n  pinnedServerPubkey: OnChainBtcPubkey;\n}\n\ninterface RegistryEntry {\n  provider: VpTokenProvider;\n  authAnchorHex: string;\n  pinnedServerPubkey: OnChainBtcPubkey;\n}\n\nexport class VpTokenRegistry {\n  private readonly entries = new Map<string, RegistryEntry>();\n\n  /**\n   * Return the cached `VpTokenProvider` for `peginTxid` if one exists\n   * with matching `authAnchorHex` and `pinnedServerPubkey`, otherwise\n   * construct and cache a fresh provider. A mismatch on either field\n   * throws — silent overwrite would mask derivation drift or VP\n   * pubkey rotation.\n   */\n  getOrCreate(input: VpTokenRegistryInput): VpTokenProvider {\n    const existing = this.entries.get(input.peginTxid);\n    if (existing) {\n      if (existing.authAnchorHex !== input.authAnchorHex) {\n        throw new Error(\n          `VpTokenRegistry: peginTxid ${input.peginTxid} already bound to authAnchorHex ${existing.authAnchorHex.slice(0, 8)}…; got ${input.authAnchorHex.slice(0, 8)}…`,\n        );\n      }\n      if (existing.pinnedServerPubkey !== input.pinnedServerPubkey) {\n        throw new Error(\n          `VpTokenRegistry: peginTxid ${input.peginTxid} already bound to pinnedServerPubkey ${existing.pinnedServerPubkey.slice(0, 8)}…; got ${input.pinnedServerPubkey.slice(0, 8)}…`,\n        );\n      }\n      // Refresh the inner transport on every reuse so a VP URL\n      // change between calls doesn't leave the cached provider\n      // pinned to a dead URL for token refresh.\n      existing.provider.setClient(input.client);\n      return existing.provider;\n    }\n\n    const provider = new VpTokenProvider({\n      client: input.client,\n      peginTxid: input.peginTxid,\n      authAnchorHex: input.authAnchorHex,\n      pinnedServerPubkey: input.pinnedServerPubkey,\n      authGatedMethods: AUTH_GATED_METHODS,\n    });\n    this.entries.set(input.peginTxid, {\n      provider,\n      authAnchorHex: input.authAnchorHex,\n      pinnedServerPubkey: input.pinnedServerPubkey,\n    });\n    return provider;\n  }\n\n  /** Return the cached provider, or `undefined` if none. */\n  peek(peginTxid: string): VpTokenProvider | undefined {\n    return this.entries.get(peginTxid)?.provider;\n  }\n\n  /**\n   * Evict the entry for `peginTxid`. Idempotent. Called on terminal\n   * paths — activation success, user-cancel, or component unmount —\n   * so `authAnchorHex` doesn't outlive the deposit session.\n   */\n  release(peginTxid: string): void {\n    this.entries.delete(peginTxid);\n  }\n\n  /**\n   * Wipe every cached entry. Test-only escape hatch — not exposed on\n   * the public {@link VpTokenRegistryPublic} singleton type.\n   *\n   * @internal\n   */\n  clear(): void {\n    this.entries.clear();\n  }\n\n  get size(): number {\n    return this.entries.size;\n  }\n}\n\n/**\n * Public surface of the singleton — excludes the test-only `clear`\n * method.\n */\nexport interface VpTokenRegistryPublic {\n  getOrCreate(input: VpTokenRegistryInput): VpTokenProvider;\n  peek(peginTxid: string): VpTokenProvider | undefined;\n  release(peginTxid: string): void;\n  readonly size: number;\n}\n\nexport const vpTokenRegistry: VpTokenRegistryPublic = new VpTokenRegistry();\n","/**\n * Build a {@link VaultProviderRpcClient} that auto-attaches CWT\n * bearer tokens on auth-gated methods. Caller pre-derives both the\n * `authAnchorHex` (from the wallet) and the `pinnedServerPubkey`\n * (from the on-chain registry) and hands them in — the SDK has no\n * notion of wallets here.\n *\n * @module tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient\n */\n\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\nimport {\n  VaultProviderRpcClient,\n  type VaultProviderRpcClientOptions,\n} from \"../api\";\n\nimport { buildInnerTokenClient } from \"./innerTokenClient\";\nimport { vpTokenRegistry } from \"./tokenRegistry\";\n\nexport interface AuthenticatedVpClientConfig {\n  /** Base URL of the VP RPC endpoint (already proxied if applicable). */\n  baseUrl: string;\n  /** Per-vault depositor-signed PegIn tx id (registry cache key). */\n  peginTxid: string;\n  /** Already-derived 32-byte auth-anchor preimage (64-char hex, no `0x`). */\n  authAnchorHex: string;\n  /** On-chain VP pubkey, branded so it can only come from the registry reader. */\n  pinnedServerPubkey: OnChainBtcPubkey;\n  /** Optional outer-client tunables (timeout, retries, headers, etc.). */\n  options?: VaultProviderRpcClientOptions;\n}\n\nexport function createAuthenticatedVpClient(\n  config: AuthenticatedVpClientConfig,\n): VaultProviderRpcClient {\n  const innerTokenClient = buildInnerTokenClient(\n    config.baseUrl,\n    config.options?.headers,\n  );\n\n  const tokenProvider = vpTokenRegistry.getOrCreate({\n    client: innerTokenClient,\n    peginTxid: config.peginTxid,\n    authAnchorHex: config.authAnchorHex,\n    pinnedServerPubkey: config.pinnedServerPubkey,\n  });\n\n  return new VaultProviderRpcClient(config.baseUrl, {\n    ...config.options,\n    tokenProvider,\n  });\n}\n","/**\n * Pre-populate {@link vpTokenRegistry} when the caller already has\n * both the auth-anchor preimage and the on-chain VP pubkey. Seeds\n * the cache for a `peginTxid` so a later `createAuthenticatedVpClient`\n * call reuses the cached `VpTokenProvider` instead of rebuilding it.\n *\n * @module tbv/core/clients/vault-provider/auth/primeVpAuth\n */\n\nimport type { OnChainBtcPubkey } from \"../../eth/types\";\n\nimport { buildInnerTokenClient } from \"./innerTokenClient\";\nimport { vpTokenRegistry } from \"./tokenRegistry\";\n\nexport interface PrimeVpAuthInput {\n  baseUrl: string;\n  peginTxid: string;\n  authAnchorHex: string;\n  pinnedServerPubkey: OnChainBtcPubkey;\n  /** Optional headers forwarded to the inner token client (e.g. gateway auth). */\n  headers?: Record<string, string>;\n}\n\nexport function primeVpTokenRegistry(input: PrimeVpAuthInput): void {\n  vpTokenRegistry.getOrCreate({\n    client: buildInnerTokenClient(input.baseUrl, input.headers),\n    peginTxid: input.peginTxid,\n    authAnchorHex: input.authAnchorHex,\n    pinnedServerPubkey: input.pinnedServerPubkey,\n  });\n}\n","/**\n * Contract Address Resolver\n *\n * Resolves ProtocolParams and ApplicationRegistry contract addresses\n * from the BTCVaultRegistry contract. These addresses are needed to\n * construct the SDK's contract readers.\n *\n * @module clients/eth/contract-address-resolver\n */\n\nimport type { Address, PublicClient } from \"viem\";\n\nimport { BTCVaultRegistryABI } from \"../../contracts/abis/BTCVaultRegistry.abi\";\n\nexport interface ProtocolAddresses {\n  /** Address of the ProtocolParams contract */\n  protocolParams: Address;\n  /** Address of the ApplicationRegistry contract */\n  applicationRegistry: Address;\n}\n\n/**\n * Resolve ProtocolParams and ApplicationRegistry addresses from BTCVaultRegistry.\n *\n * Uses a single multicall for atomicity and efficiency.\n *\n * @param publicClient - viem PublicClient instance\n * @param btcVaultRegistryAddress - Address of the BTCVaultRegistry contract\n * @returns Resolved contract addresses\n */\nexport async function resolveProtocolAddresses(\n  publicClient: PublicClient,\n  btcVaultRegistryAddress: Address,\n): Promise<ProtocolAddresses> {\n  const [protocolParams, applicationRegistry] = await publicClient.multicall({\n    contracts: [\n      {\n        address: btcVaultRegistryAddress,\n        abi: BTCVaultRegistryABI,\n        functionName: \"protocolParams\",\n      },\n      {\n        address: btcVaultRegistryAddress,\n        abi: BTCVaultRegistryABI,\n        functionName: \"applicationRegistry\",\n      },\n    ],\n    allowFailure: false,\n  });\n\n  return {\n    protocolParams: protocolParams as Address,\n    applicationRegistry: applicationRegistry as Address,\n  };\n}\n","/**\n * Concrete ProtocolParams reader using viem's readContract and multicall.\n *\n * This is an optional utility — callers can use their own implementation\n * of the ProtocolParamsReader interface.\n */\n\nimport type { Address, Hex, PublicClient } from \"viem\";\n\nimport { ProtocolParamsABI } from \"../../contracts/abis/ProtocolParams.abi\";\nimport type {\n  PegInConfiguration,\n  ProtocolParamsReader,\n  TBVProtocolParams,\n  VersionedOffchainParams,\n} from \"./types\";\n\n/**\n * Maximum value for a Solidity uint16.\n * PeginLogic.sol casts timelockAssert to uint16, so values above this are invalid.\n */\nconst UINT16_MAX = 65535;\n\n/**\n * Raw shape viem returns for VersionedOffchainParams struct.\n * viem resolves ABI struct outputs to named objects (not tuples).\n */\ninterface RawOffchainParams {\n  timelockAssert: bigint;\n  timelockChallengeAssert: bigint;\n  securityCouncilKeys: readonly Hex[];\n  councilQuorum: number;\n  feeRate: bigint;\n  babeTotalInstances: number;\n  babeInstancesToFinalize: number;\n  minVpCommissionBps: number;\n  tRefund: number;\n  tStale: number;\n  minPeginFeeRate: bigint;\n  proverProgramVersion: number;\n  minPrepeginDepth: number;\n}\n\n/** Raw shape viem returns for TBVProtocolParams struct. */\ninterface RawTBVParams {\n  minimumPegInAmount: bigint;\n  maxPegInAmount: bigint;\n  pegInAckTimeout: bigint;\n  pegInActivationTimeout: bigint;\n  maxHtlcOutputCount: number;\n}\n\n/** Map viem struct result to VersionedOffchainParams. */\nfunction mapOffchainParams(result: RawOffchainParams): VersionedOffchainParams {\n  return {\n    timelockAssert: result.timelockAssert,\n    timelockChallengeAssert: result.timelockChallengeAssert,\n    securityCouncilKeys: [...result.securityCouncilKeys],\n    councilQuorum: result.councilQuorum,\n    feeRate: result.feeRate,\n    babeTotalInstances: result.babeTotalInstances,\n    babeInstancesToFinalize: result.babeInstancesToFinalize,\n    minVpCommissionBps: result.minVpCommissionBps,\n    tRefund: result.tRefund,\n    tStale: result.tStale,\n    minPeginFeeRate: result.minPeginFeeRate,\n    proverProgramVersion: result.proverProgramVersion,\n    minPrepeginDepth: result.minPrepeginDepth,\n  };\n}\n\n/** Map viem struct result to TBVProtocolParams. */\nfunction mapTBVParams(result: RawTBVParams): TBVProtocolParams {\n  return {\n    minimumPegInAmount: result.minimumPegInAmount,\n    maxPegInAmount: result.maxPegInAmount,\n    pegInAckTimeout: result.pegInAckTimeout,\n    pegInActivationTimeout: result.pegInActivationTimeout,\n    maxHtlcOutputCount: result.maxHtlcOutputCount,\n  };\n}\n\n/**\n * Derive timelockPegin from timelockAssert.\n *\n * Matches PeginLogic.sol: `uint16(timelockAssert)`.\n * The contract validates `timelockAssert <= type(uint16).max` on write,\n * but we enforce the same bound here to reject invalid values early\n * rather than silently truncating.\n *\n * @throws if timelockAssert exceeds uint16 max (65535)\n */\nfunction deriveTimelockPegin(timelockAssert: bigint): number {\n  if (timelockAssert > BigInt(UINT16_MAX)) {\n    throw new Error(\n      `timelockAssert value ${timelockAssert} exceeds uint16 max (${UINT16_MAX})`,\n    );\n  }\n  return Number(timelockAssert);\n}\n\n/**\n * Concrete protocol params reader using viem.\n *\n * Usage:\n * ```ts\n * const reader = new ViemProtocolParamsReader(publicClient, protocolParamsAddress);\n * const config = await reader.getPegInConfiguration();\n * ```\n */\nexport class ViemProtocolParamsReader implements ProtocolParamsReader {\n  constructor(\n    private publicClient: PublicClient,\n    private contractAddress: Address,\n  ) {}\n\n  async getTBVProtocolParams(): Promise<TBVProtocolParams> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ProtocolParamsABI,\n      functionName: \"getTBVProtocolParams\",\n    })) as RawTBVParams;\n\n    return mapTBVParams(result);\n  }\n\n  async getLatestOffchainParams(): Promise<VersionedOffchainParams> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ProtocolParamsABI,\n      functionName: \"getLatestOffchainParams\",\n    })) as RawOffchainParams;\n\n    return mapOffchainParams(result);\n  }\n\n  async getOffchainParamsByVersion(\n    version: number,\n  ): Promise<VersionedOffchainParams> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ProtocolParamsABI,\n      functionName: \"getOffchainParamsByVersion\",\n      args: [version],\n    })) as RawOffchainParams;\n\n    return mapOffchainParams(result);\n  }\n\n  async getLatestOffchainParamsVersion(): Promise<number> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ProtocolParamsABI,\n      functionName: \"latestOffchainParamsVersion\",\n    })) as number;\n\n    return result;\n  }\n\n  async getTimelockPeginByVersion(version: number): Promise<number> {\n    const params = await this.getOffchainParamsByVersion(version);\n    return deriveTimelockPegin(params.timelockAssert);\n  }\n\n  /**\n   * Read TBV protocol params and latest offchain params atomically via multicall.\n   * Prevents TOCTOU inconsistency if governance updates params between reads.\n   */\n  async getPegInConfiguration(): Promise<PegInConfiguration> {\n    const results = await this.publicClient.multicall({\n      contracts: [\n        {\n          address: this.contractAddress,\n          abi: ProtocolParamsABI,\n          functionName: \"getTBVProtocolParams\",\n        },\n        {\n          address: this.contractAddress,\n          abi: ProtocolParamsABI,\n          functionName: \"getLatestOffchainParams\",\n        },\n      ],\n      allowFailure: false,\n    });\n\n    const tbvParams = mapTBVParams(results[0] as RawTBVParams);\n    const offchainParams = mapOffchainParams(results[1] as RawOffchainParams);\n\n    return {\n      minimumPegInAmount: tbvParams.minimumPegInAmount,\n      maxPegInAmount: tbvParams.maxPegInAmount,\n      pegInAckTimeout: tbvParams.pegInAckTimeout,\n      pegInActivationTimeout: tbvParams.pegInActivationTimeout,\n      maxHtlcOutputCount: tbvParams.maxHtlcOutputCount,\n      timelockPegin: deriveTimelockPegin(offchainParams.timelockAssert),\n      timelockRefund: offchainParams.tRefund,\n      minVpCommissionBps: offchainParams.minVpCommissionBps,\n      offchainParams,\n    };\n  }\n}\n","/**\n * Concrete signer-set readers for vault keepers and universal challengers.\n *\n * These are optional utilities — callers can use their own implementations\n * of the VaultKeeperReader and UniversalChallengerReader interfaces.\n */\n\nimport type { Address, Hex, PublicClient } from \"viem\";\n\nimport { ApplicationRegistryABI } from \"../../contracts/abis/ApplicationRegistry.abi\";\nimport { ProtocolParamsABI } from \"../../contracts/abis/ProtocolParams.abi\";\nimport type {\n  AddressBTCKeyPair,\n  UniversalChallengerReader,\n  VaultKeeperReader,\n} from \"./types\";\n\n/** Map viem tuple array to AddressBTCKeyPair[]. */\nfunction mapKeyPairs(\n  result: readonly { ethAddress: Address; btcPubKey: Hex }[],\n): AddressBTCKeyPair[] {\n  return result.map((pair) => ({\n    ethAddress: pair.ethAddress,\n    btcPubKey: pair.btcPubKey,\n  }));\n}\n\n/**\n * Reads vault keepers from the ApplicationRegistry contract.\n *\n * Usage:\n * ```ts\n * const reader = new ViemVaultKeeperReader(publicClient, applicationRegistryAddress);\n * const keepers = await reader.getCurrentVaultKeepers(appEntryPoint);\n * ```\n */\nexport class ViemVaultKeeperReader implements VaultKeeperReader {\n  constructor(\n    private publicClient: PublicClient,\n    private contractAddress: Address,\n  ) {}\n\n  async getVaultKeepersByVersion(\n    appEntryPoint: Address,\n    version: number,\n  ): Promise<AddressBTCKeyPair[]> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ApplicationRegistryABI,\n      functionName: \"getVaultKeepersByVersion\",\n      args: [appEntryPoint, version],\n    })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n    return mapKeyPairs(result);\n  }\n\n  async getCurrentVaultKeepers(\n    appEntryPoint: Address,\n  ): Promise<AddressBTCKeyPair[]> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ApplicationRegistryABI,\n      functionName: \"getCurrentVaultKeepers\",\n      args: [appEntryPoint],\n    })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n    return mapKeyPairs(result);\n  }\n\n  async getCurrentVaultKeepersVersion(\n    appEntryPoint: Address,\n  ): Promise<number> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ApplicationRegistryABI,\n      functionName: \"getCurrentVaultKeepersVersion\",\n      args: [appEntryPoint],\n    })) as number;\n\n    return result;\n  }\n}\n\n/**\n * Reads universal challengers from the ProtocolParams contract.\n *\n * Usage:\n * ```ts\n * const reader = new ViemUniversalChallengerReader(publicClient, protocolParamsAddress);\n * const challengers = await reader.getCurrentUniversalChallengers();\n * ```\n */\nexport class ViemUniversalChallengerReader implements UniversalChallengerReader {\n  constructor(\n    private publicClient: PublicClient,\n    private contractAddress: Address,\n  ) {}\n\n  async getUniversalChallengersByVersion(\n    version: number,\n  ): Promise<AddressBTCKeyPair[]> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ProtocolParamsABI,\n      functionName: \"getUniversalChallengersByVersion\",\n      args: [version],\n    })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n    return mapKeyPairs(result);\n  }\n\n  async getCurrentUniversalChallengers(): Promise<AddressBTCKeyPair[]> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ProtocolParamsABI,\n      functionName: \"getCurrentUniversalChallengers\",\n    })) as readonly { ethAddress: Address; btcPubKey: Hex }[];\n\n    return mapKeyPairs(result);\n  }\n\n  async getLatestUniversalChallengersVersion(): Promise<number> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: ProtocolParamsABI,\n      functionName: \"latestUniversalChallengersVersion\",\n    })) as number;\n\n    return result;\n  }\n}\n","/**\n * Concrete BTCVaultRegistry reader using viem's readContract.\n *\n * This is an optional utility — callers can use their own implementation\n * of the VaultRegistryReader interface.\n */\n\nimport * as ecc from \"@bitcoin-js/tiny-secp256k1-asmjs\";\nimport type { Address, Hex, PublicClient } from \"viem\";\n\nimport { hexToUint8Array } from \"../../primitives/utils/bitcoin\";\nimport { BTCVaultRegistryABI } from \"../../contracts/abis/BTCVaultRegistry.abi\";\nimport type {\n  OnChainBtcPubkey,\n  VaultBasicInfo,\n  VaultData,\n  VaultProtocolInfo,\n  VaultRegistryReader,\n} from \"./types\";\n\n/**\n * Concrete vault registry reader using viem.\n *\n * Usage:\n * ```ts\n * const reader = new ViemVaultRegistryReader(publicClient, registryAddress);\n * const data = await reader.getVaultData(vaultId);\n * ```\n */\nexport class ViemVaultRegistryReader implements VaultRegistryReader {\n  constructor(\n    private publicClient: PublicClient,\n    private contractAddress: Address,\n  ) {}\n\n  /**\n   * Read the VP's persistent x-only BTC pubkey from the on-chain\n   * registry. Validates length, hex form, and secp256k1 curve\n   * membership before minting the brand. Returns 64-char lowercase\n   * hex without the `0x` prefix.\n   */\n  async getVaultProviderBtcPubKey(\n    vpAddress: Address,\n  ): Promise<OnChainBtcPubkey> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: BTCVaultRegistryABI,\n      functionName: \"getVaultProviderBTCKey\",\n      args: [vpAddress],\n    })) as Hex;\n    const lowered = result.toLowerCase();\n    if (!/^0x[0-9a-f]{64}$/.test(lowered)) {\n      throw new Error(\n        `getVaultProviderBTCKey returned an unexpected value (vp=${vpAddress}, length ${lowered.length}, prefix \"${lowered.slice(0, 2)}\")`,\n      );\n    }\n    const stripped = lowered.slice(2);\n    if (!ecc.isXOnlyPoint(hexToUint8Array(stripped))) {\n      throw new Error(\n        `getVaultProviderBTCKey returned a value that is not on the secp256k1 curve (vp=${vpAddress})`,\n      );\n    }\n    return stripped as OnChainBtcPubkey;\n  }\n\n  async getVaultBasicInfo(vaultId: Hex): Promise<VaultBasicInfo> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: BTCVaultRegistryABI,\n      functionName: \"getBtcVaultBasicInfo\",\n      args: [vaultId],\n    })) as {\n      depositor: Address;\n      depositorBtcPubKey: Hex;\n      amount: bigint;\n      vaultProvider: Address;\n      status: number;\n      applicationEntryPoint: Address;\n      createdAt: bigint;\n    };\n\n    return {\n      depositor: result.depositor,\n      depositorBtcPubKey: result.depositorBtcPubKey,\n      amount: result.amount,\n      vaultProvider: result.vaultProvider,\n      status: result.status,\n      applicationEntryPoint: result.applicationEntryPoint,\n      createdAt: result.createdAt,\n    };\n  }\n\n  async getVaultProtocolInfo(vaultId: Hex): Promise<VaultProtocolInfo> {\n    const result = (await this.publicClient.readContract({\n      address: this.contractAddress,\n      abi: BTCVaultRegistryABI,\n      functionName: \"getBtcVaultProtocolInfo\",\n      args: [vaultId],\n    })) as {\n      depositorSignedPeginTx: Hex;\n      universalChallengersVersion: number;\n      appVaultKeepersVersion: number;\n      offchainParamsVersion: number;\n      verifiedAt: bigint;\n      depositorWotsPkHash: Hex;\n      hashlock: Hex;\n      htlcVout: number;\n      depositorPopSignature: Hex;\n      prePeginTxHash: Hex;\n      vaultProviderCommissionBps: number;\n    };\n\n    return {\n      depositorSignedPeginTx: result.depositorSignedPeginTx,\n      universalChallengersVersion: result.universalChallengersVersion,\n      appVaultKeepersVersion: result.appVaultKeepersVersion,\n      offchainParamsVersion: result.offchainParamsVersion,\n      verifiedAt: result.verifiedAt,\n      depositorWotsPkHash: result.depositorWotsPkHash,\n      hashlock: result.hashlock,\n      htlcVout: result.htlcVout,\n      depositorPopSignature: result.depositorPopSignature,\n      prePeginTxHash: result.prePeginTxHash,\n      vaultProviderCommissionBps: result.vaultProviderCommissionBps,\n    };\n  }\n\n  async getVaultData(vaultId: Hex): Promise<VaultData> {\n    const [basic, protocol] = await Promise.all([\n      this.getVaultBasicInfo(vaultId),\n      this.getVaultProtocolInfo(vaultId),\n    ]);\n\n    if (\n      !protocol.depositorSignedPeginTx ||\n      protocol.depositorSignedPeginTx === \"0x\"\n    ) {\n      throw new Error(\n        `Vault ${vaultId} not found on-chain or has no pegin transaction`,\n      );\n    }\n\n    return { basic, protocol };\n  }\n}\n"],"names":["DAEMON_STATUS_VALUES","DaemonStatus","VP_ERROR_PREVIEW_MAX_LEN","preview","value","_a","VP_VALIDATION_USER_MESSAGE","VpResponseValidationError","detail","__publicField","TXID_HEX_LEN","isNonEmptyHex","HEX_RE","isNonEmptyString","assertNonEmptyHex","field","assertNonEmptyString","assertBtcPubkey","X_ONLY_PUBKEY_HEX_LEN","COMPRESSED_PUBKEY_HEX_LEN","validatePresigningProgressFields","progress","presigning","p","validateGetPeginStatusResponse","response","r","validateRequestDepositorPresignTransactionsResponse","i","validateClaimerTransactions","validateDepositorGraphTransactions","validateTransactionData","tx","validateChallengeAssertConnectorData","c","validatePresignDataPerChallenger","d","validateRequestDepositorClaimerArtifactsResponse","key","session","s","validateGetPegoutStatusResponse","claimer","challenger","graph","DEFAULT_TIMEOUT_MS","VaultProviderRpcClient","baseUrl","options","config","JsonRpcClient","params","signal","BIP322_TAG","TAPTWEAK_TAG","X_ONLY_PUBKEY_SIZE","SCHNORR_SIG_SIZE","taggedHash","tag","data","tagBytes","tagHash","sha256","preimage","tweakXOnlyKey","xOnly","tweak","tweaked","ecc","verifyBip322Simple","messageBytes","xOnlyPubkey","signature","messageHash","p2tr","payments","Buffer","scriptPubKey","ZERO_SATS","toSpend","Transaction","scriptSig","toSign","toSpendTxid","sighash","tweakedXOnly","cborHead","major","arg","v","out","concat","parts","total","offset","encodeBytesAsArrayOfU8","bytes","items","b","encodeServerIdentityPayload","domain","ephemeralPubkeyCompressed","expiresAt","arrayHeader","domainBytes","pubkeyBytes","expiresAtBytes","SERVER_IDENTITY_DOMAIN","ServerIdentityError","message","reason","hexToBytes","hex","verifyServerIdentity","input","proof","pinnedServerPubkey","now","pinned","stripHexPrefix","actual","eph","prefix","ephBytes","sig","SCHNORR_SIG_HEX_LEN","payload","AUTH_GATED_METHODS","TOKEN_RPC_TIMEOUT_MS","TOKEN_ISSUE_METHOD","buildInnerTokenClient","headers","method","MAX_EXPIRES_AT_SECS","DEFAULT_REFRESH_SKEW_SECS","VpTokenProvider","cached","client","existing","fresh","VpTokenRegistry","provider","peginTxid","vpTokenRegistry","createAuthenticatedVpClient","innerTokenClient","tokenProvider","primeVpTokenRegistry","resolveProtocolAddresses","publicClient","btcVaultRegistryAddress","protocolParams","applicationRegistry","BTCVaultRegistryABI","UINT16_MAX","mapOffchainParams","result","mapTBVParams","deriveTimelockPegin","timelockAssert","ViemProtocolParamsReader","contractAddress","ProtocolParamsABI","version","results","tbvParams","offchainParams","mapKeyPairs","pair","ViemVaultKeeperReader","appEntryPoint","ApplicationRegistryABI","ViemUniversalChallengerReader","ViemVaultRegistryReader","vpAddress","lowered","stripped","hexToUint8Array","vaultId","basic","protocol"],"mappings":"kyBAyBMA,EAAuB,IAAI,IAAY,OAAO,OAAOC,EAAAA,YAAY,CAAC,EAElEC,GAA2B,IAEjC,SAASC,EAAQC,EAAwB,OACvC,QACEC,EAAA,KAAK,UAAUD,CAAK,IAApB,YAAAC,EAAuB,MAAM,EAAGH,MAA6B,WAEjE,CAEA,MAAMI,GACJ,2FAQK,MAAMC,UAAkC,KAAM,CAGnD,YAAYC,EAAgB,CAC1B,MAAMF,EAA0B,EAHzBG,EAAA,eAIP,KAAK,KAAO,4BACZ,KAAK,OAASD,CAChB,CACF,CAGA,MAAME,EAAe,GAErB,SAASC,EAAcP,EAAiC,CACtD,OAAO,OAAOA,GAAU,UAAYA,EAAM,OAAS,GAAKQ,EAAAA,OAAO,KAAKR,CAAK,CAC3E,CAEA,SAASS,EAAiBT,EAAiC,CACzD,OAAO,OAAOA,GAAU,UAAYA,EAAM,OAAS,CACrD,CAEA,SAASU,EAAkBV,EAAgBW,EAAqB,CAC9D,GAAI,CAACJ,EAAcP,CAAK,EACtB,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,yCAAyCZ,EAAQC,CAAK,CAAC,EAAA,CAGrG,CAEA,SAASY,EAAqBZ,EAAgBW,EAAqB,CACjE,GAAI,CAACF,EAAiBT,CAAK,EACzB,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qCAAqCZ,EAAQC,CAAK,CAAC,EAAA,CAGjG,CAMA,SAASa,EAAgBb,EAAgBW,EAAqB,CAC5D,GACE,CAACJ,EAAcP,CAAK,GACnBA,EAAM,SAAWc,yBAChBd,EAAM,SAAWe,4BAEnB,MAAM,IAAIZ,EACR,mCAAmCQ,CAAK,eAAeG,EAAAA,qBAAqB,OAAOC,EAAAA,yBAAyB,sCAAsChB,EAAQC,CAAK,CAAC,EAAA,CAGtK,CAKA,SAASgB,GACPC,EACM,CACN,MAAMC,EAAaD,EAAS,WAC5B,GAAgCC,GAAe,KAAM,OACrD,GAAI,OAAOA,GAAe,UAAY,MAAM,QAAQA,CAAU,EAC5D,MAAM,IAAIf,EACR,mFAAA,EAIJ,MAAMgB,EAAID,EAEV,GACEC,EAAE,0BAA4B,QAC9B,OAAOA,EAAE,yBAA4B,UAErC,MAAM,IAAIhB,EACR,kHAAkHJ,EAAQoB,EAAE,uBAAuB,CAAC,EAAA,EAIxJ,GACEA,EAAE,qCAAuC,QACzC,OAAOA,EAAE,oCAAuC,SAEhD,MAAM,IAAIhB,EACR,4HAA4HJ,EAAQoB,EAAE,kCAAkC,CAAC,EAAA,EAI7K,GACEA,EAAE,iCAAmC,QACrC,OAAOA,EAAE,gCAAmC,SAE5C,MAAM,IAAIhB,EACR,wHAAwHJ,EAAQoB,EAAE,8BAA8B,CAAC,EAAA,CAGvK,CAOO,SAASC,GACdC,EAC4C,CAC5C,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,yEAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAACd,EAAce,EAAE,UAAU,GAAKA,EAAE,WAAW,SAAWhB,EAC1D,MAAM,IAAIH,EACR,yDAAyDG,CAAY,gCAAgCP,EAAQuB,EAAE,UAAU,CAAC,EAAA,EAI9H,GAAI,OAAOA,EAAE,QAAW,SACtB,MAAM,IAAInB,EACR,0DAAA,EAIJ,GAAI,CAACP,EAAqB,IAAI0B,EAAE,MAAM,EACpC,MAAM,IAAInB,EACR,uDAAuDmB,EAAE,MAAM,uBAAuB,CAAC,GAAG1B,CAAoB,EAAE,KAAK,IAAI,CAAC,EAAA,EAI9H,GACE0B,EAAE,WAAa,MACf,OAAOA,EAAE,UAAa,UACtB,MAAM,QAAQA,EAAE,QAAQ,EAExB,MAAM,IAAInB,EACR,6DAAA,EAMJ,GAFAa,GAAiCM,EAAE,QAAmC,EAElE,OAAOA,EAAE,aAAgB,SAC3B,MAAM,IAAInB,EACR,+DAAA,EAIJ,GAAImB,EAAE,aAAe,QAAa,OAAOA,EAAE,YAAe,SACxD,MAAM,IAAInB,EACR,gFAAgFJ,EAAQuB,EAAE,UAAU,CAAC,EAAA,CAG3G,CAKO,SAASC,GACdF,EACiE,CACjE,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,8FAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAAC,MAAM,QAAQC,EAAE,GAAG,EACtB,MAAM,IAAInB,EACR,uDAAA,EAIJ,QAASqB,EAAI,EAAGA,EAAIF,EAAE,IAAI,OAAQE,IAChCC,GAA4BH,EAAE,IAAIE,CAAC,EAAG,OAAOA,CAAC,GAAG,EAGnD,GAAIF,EAAE,kBAAoB,MAAQ,OAAOA,EAAE,iBAAoB,SAC7D,MAAM,IAAInB,EACR,oEAAA,EAIJuB,GACEJ,EAAE,eAAA,CAEN,CAEA,SAASK,EAAwB3B,EAAgBW,EAAqB,CACpE,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5CD,EADWV,EACU,OAAQ,GAAGW,CAAK,SAAS,CAChD,CAEA,SAASc,GAA4BzB,EAAgBW,EAAqB,CACxE,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5C,MAAMiB,EAAK5B,EAEXa,EAAgBe,EAAG,eAAgB,GAAGjB,CAAK,iBAAiB,EAC5DgB,EAAwBC,EAAG,SAAU,GAAGjB,CAAK,WAAW,EACxDgB,EAAwBC,EAAG,UAAW,GAAGjB,CAAK,YAAY,EAC1DgB,EAAwBC,EAAG,UAAW,GAAGjB,CAAK,YAAY,EAC1DC,EAAqBgB,EAAG,YAAa,GAAGjB,CAAK,cAAc,CAC7D,CAEA,SAASkB,GACP7B,EACAW,EACM,CACN,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5C,MAAMmB,EAAI9B,EACVY,EAAqBkB,EAAE,cAAe,GAAGnB,CAAK,gBAAgB,EAC9DC,EAAqBkB,EAAE,kBAAmB,GAAGnB,CAAK,oBAAoB,CACxE,CAEA,SAASoB,GAAiC/B,EAAgBW,EAAqB,CAC7E,GAAIX,IAAU,MAAQ,OAAOA,GAAU,SACrC,MAAM,IAAIG,EACR,mCAAmCQ,CAAK,qBAAA,EAI5C,MAAMqB,EAAIhC,EAcV,GAZAa,EAAgBmB,EAAE,kBAAmB,GAAGrB,CAAK,oBAAoB,EACjEgB,EACEK,EAAE,sBACF,GAAGrB,CAAK,wBAAA,EAEVgB,EACEK,EAAE,sBACF,GAAGrB,CAAK,wBAAA,EAEVgB,EAAwBK,EAAE,YAAa,GAAGrB,CAAK,cAAc,EAC7DC,EAAqBoB,EAAE,cAAe,GAAGrB,CAAK,gBAAgB,EAE1D,CAAC,MAAM,QAAQqB,EAAE,2BAA2B,EAC9C,MAAM,IAAI7B,EACR,mCAAmCQ,CAAK,gDAAA,EAI5C,QAASa,EAAI,EAAGA,EAAIQ,EAAE,4BAA4B,OAAQR,IACxDK,GACEG,EAAE,4BAA4BR,CAAC,EAC/B,GAAGb,CAAK,gCAAgCa,CAAC,GAAA,EAI7C,GAAI,CAAC,MAAM,QAAQQ,EAAE,mBAAmB,EACtC,MAAM,IAAI7B,EACR,mCAAmCQ,CAAK,wCAAA,EAI5C,QAASa,EAAI,EAAGA,EAAIQ,EAAE,oBAAoB,OAAQR,IAChDd,EACEsB,EAAE,oBAAoBR,CAAC,EACvB,GAAGb,CAAK,wBAAwBa,CAAC,GAAA,CAGvC,CAKO,SAASS,EACdZ,EAC8D,CAC9D,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,2FAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAACZ,EAAiBa,EAAE,aAAa,EACnC,MAAM,IAAInB,EACR,kFAAkFJ,EAAQuB,EAAE,aAAa,CAAC,EAAA,EAI9G,GAAI,CAACf,EAAce,EAAE,iBAAiB,EACpC,MAAM,IAAInB,EACR,0FAA0FJ,EAAQuB,EAAE,iBAAiB,CAAC,EAAA,EAI1H,GAAIA,EAAE,gBAAkB,MAAQ,OAAOA,EAAE,eAAkB,SACzD,MAAM,IAAInB,EACR,kEAAA,EAIJ,SAAW,CAAC+B,EAAKC,CAAO,IAAK,OAAO,QAClCb,EAAE,aAAA,EACD,CACD,GAAIa,IAAY,MAAQ,OAAOA,GAAY,SACzC,MAAM,IAAIhC,EACR,iDAAiD+B,CAAG,qBAAA,EAGxD,MAAME,EAAID,EACV,GAAI,CAAC5B,EAAc6B,EAAE,uBAAuB,EAC1C,MAAM,IAAIjC,EACR,iDAAiD+B,CAAG,iEAAiEnC,EAAQqC,EAAE,uBAAuB,CAAC,EAAA,CAG7J,CACF,CAKO,SAASC,GACdhB,EAC6C,CAC7C,GAAIA,IAAa,MAAQ,OAAOA,GAAa,SAC3C,MAAM,IAAIlB,EACR,0EAAA,EAIJ,MAAMmB,EAAID,EAEV,GAAI,CAACd,EAAce,EAAE,UAAU,GAAKA,EAAE,WAAW,SAAWhB,EAC1D,MAAM,IAAIH,EACR,yDAAyDG,CAAY,gCAAgCP,EAAQuB,EAAE,UAAU,CAAC,EAAA,EAI9H,GAAI,OAAOA,EAAE,OAAU,UACrB,MAAM,IAAInB,EACR,iEAAiEJ,EAAQuB,EAAE,KAAK,CAAC,EAAA,EAIrF,GAAIA,EAAE,UAAY,OAAW,CAC3B,GAAIA,EAAE,UAAY,MAAQ,OAAOA,EAAE,SAAY,SAC7C,MAAM,IAAInB,EACR,uEAAA,EAGJ,MAAMmC,EAAUhB,EAAE,QAClB,GAAI,OAAOgB,EAAQ,QAAW,SAC5B,MAAM,IAAInC,EACR,yEAAyEJ,EAAQuC,EAAQ,MAAM,CAAC,EAAA,EAGpG,GAAI,OAAOA,EAAQ,QAAW,UAC5B,MAAM,IAAInC,EACR,0EAA0EJ,EAAQuC,EAAQ,MAAM,CAAC,EAAA,CAGvG,CAEA,GAAIhB,EAAE,aAAe,OAAW,CAC9B,GAAIA,EAAE,aAAe,MAAQ,OAAOA,EAAE,YAAe,SACnD,MAAM,IAAInB,EACR,0EAAA,EAGJ,MAAMoC,EAAajB,EAAE,WACrB,GAAI,OAAOiB,EAAW,QAAW,SAC/B,MAAM,IAAIpC,EACR,4EAA4EJ,EAAQwC,EAAW,MAAM,CAAC,EAAA,CAG5G,CACF,CAEA,SAASb,GACPc,EACM,CAMN,GALAb,EAAwBa,EAAM,SAAU,0BAA0B,EAClEb,EAAwBa,EAAM,UAAW,2BAA2B,EACpEb,EAAwBa,EAAM,UAAW,2BAA2B,EACpE5B,EAAqB4B,EAAM,YAAa,6BAA6B,EAEjE,CAAC,MAAM,QAAQA,EAAM,uBAAuB,EAC9C,MAAM,IAAIrC,EACR,2FAAA,EAIJ,QAASqB,EAAI,EAAGA,EAAIgB,EAAM,wBAAwB,OAAQhB,IACxDO,GACES,EAAM,wBAAwBhB,CAAC,EAC/B,2CAA2CA,CAAC,GAAA,EAIhD,GAAI,OAAOgB,EAAM,yBAA4B,SAC3C,MAAM,IAAIrC,EACR,2FAAA,CAGN,CC3YA,MAAMsC,GAAqB,IAWpB,MAAMC,CAEb,CAGE,YAAYC,EAAiBC,EAAyC,CAF9DvC,EAAA,eAGN,MAAMwC,EAA8B,CAClC,QAAAF,EACA,SAASC,GAAA,YAAAA,EAAS,UAAWH,GAC7B,QAASG,GAAA,YAAAA,EAAS,QAClB,WAAYA,GAAA,YAAAA,EAAS,WACrB,aAAcA,GAAA,YAAAA,EAAS,aACvB,QAASA,GAAA,YAAAA,EAAS,QAClB,cAAeA,GAAA,YAAAA,EAAS,cACxB,iBAAkBA,GAAA,YAAAA,EAAS,gBAAA,EAE7B,KAAK,OAAS,IAAIE,EAAAA,cAAcD,CAAM,CACxC,CAMA,MAAM,oCACJE,EACAC,EACsD,CACtD,MAAM3B,EAAW,MAAM,KAAK,OAAO,KAGjC,oDAAqD0B,EAAQC,CAAM,EACrE,OAAAzB,GAAoDF,CAAQ,EACrDA,CACT,CAMA,MAAM,6BACJ0B,EACAC,EACe,CACf,OAAO,KAAK,OAAO,KACjB,6CACAD,EACAC,CAAA,CAEJ,CAOA,MAAM,uBACJD,EACAC,EACe,CACf,OAAO,KAAK,OAAO,KACjB,uCACAD,EACAC,CAAA,CAEJ,CAMA,MAAM,iCACJD,EACAC,EACmD,CACnD,MAAM3B,EAAW,MAAM,KAAK,OAAO,KAGjC,iDAAkD0B,EAAQC,CAAM,EAClE,OAAAf,EAAiDZ,CAAQ,EAClDA,CACT,CAGA,MAAM,eACJ0B,EACAC,EACiC,CACjC,MAAM3B,EAAW,MAAM,KAAK,OAAO,KACjC,+BACA0B,EACAC,CAAA,EAEF,OAAA5B,GAA+BC,CAAQ,EAChCA,CACT,CAGA,MAAM,gBACJ0B,EACAC,EACkC,CAClC,MAAM3B,EAAW,MAAM,KAAK,OAAO,KACjC,gCACA0B,EACAC,CAAA,EAEF,OAAAX,GAAgChB,CAAQ,EACjCA,CACT,CACF,CC5IA,MAAM4B,GAAa,yBAGbC,GAAe,WAEfC,EAAqB,GACrBC,GAAmB,GAMzB,SAASC,EAAWC,EAAaC,EAA8B,CAC7D,MAAMC,EAAW,IAAI,cAAc,OAAOF,CAAG,EACvCG,EAAUC,EAAAA,OAAOF,CAAQ,EACzBG,EAAW,IAAI,WAAWF,EAAQ,OAAS,EAAIF,EAAK,MAAM,EAChE,OAAAI,EAAS,IAAIF,EAAS,CAAC,EACvBE,EAAS,IAAIF,EAASA,EAAQ,MAAM,EACpCE,EAAS,IAAIJ,EAAME,EAAQ,OAAS,CAAC,EAC9BC,EAAAA,OAAOC,CAAQ,CACxB,CAYA,SAASC,GAAcC,EAAsC,CAC3D,GAAIA,EAAM,SAAWV,EAAoB,OAAO,KAChD,MAAMW,EAAQT,EAAWH,GAAcW,CAAK,EACtCE,EAAUC,EAAI,mBAAmBH,EAAOC,CAAK,EACnD,OAAOC,EAAUA,EAAQ,YAAc,IACzC,CAoBO,SAASE,GACdC,EACAC,EACAC,EACS,CAET,GADID,EAAY,SAAWhB,GACvBiB,EAAU,SAAWhB,GAAkB,MAAO,GAOlD,GAAI,CAEF,MAAMiB,EAAchB,EAAWJ,GAAYiB,CAAY,EAKjDI,EAAOC,EAAAA,SAAS,KAAK,CACzB,eAAgBC,EAAAA,OAAO,KAAKL,CAAW,CAAA,CACxC,EACD,GAAI,CAACG,EAAK,OAAQ,MAAO,GACzB,MAAMG,EAAeH,EAAK,OAUpBI,EAAY,EACZC,EAAU,IAAIC,cACpBD,EAAQ,QAAU,EAClBA,EAAQ,SAAW,EAEnB,MAAME,EAAYL,EAAAA,OAAO,OAAO,CAC9BA,EAAAA,OAAO,KAAK,CAAC,EAAM,EAAI,CAAC,EACxBA,EAAAA,OAAO,KAAKH,CAAW,CAAA,CACxB,EACDM,EAAQ,SACNH,SAAO,MAAM,GAAI,CAAC,EAClB,WACA,EACAK,CAAA,EAEFF,EAAQ,UAAUF,EAAcC,CAAS,EAGzC,MAAMI,EAAS,IAAIF,cACnBE,EAAO,QAAU,EACjBA,EAAO,SAAW,EAElB,MAAMC,EAAcJ,EAAQ,QAAA,EAC5BG,EAAO,SAASC,EAAa,EAAG,CAAC,EACjCD,EAAO,UAAUN,SAAO,KAAK,CAAC,GAAI,CAAC,EAAGE,CAAS,EAG/C,MAAMM,EAAUF,EAAO,iBACrB,EACA,CAACL,CAAY,EACb,CAACC,CAAS,EACVE,cAAY,eAAA,EAIRK,EAAerB,GAAcO,CAAW,EAC9C,OAAKc,EAEEjB,EAAI,cAAcgB,EAASC,EAAcb,CAAS,EAF/B,EAG5B,MAAQ,CACN,MAAO,EACT,CACF,CC9IA,SAASc,EAASC,EAAeC,EAAkC,CACjE,MAAM9B,GAAO6B,EAAQ,IAAS,EACxB,EAAI,OAAOC,GAAQ,SAAWA,EAAM,OAAOA,CAAG,EACpD,GAAI,EAAI,GAAI,MAAM,IAAI,MAAM,6BAA6B,EAEzD,GAAI,EAAI,IAAK,OAAO,IAAI,WAAW,CAAC9B,EAAM,OAAO,CAAC,CAAC,CAAC,EACpD,GAAI,EAAI,OAAQ,OAAO,IAAI,WAAW,CAACA,EAAM,GAAI,OAAO,CAAC,CAAC,CAAC,EAC3D,GAAI,EAAI,SAAU,CAChB,MAAM+B,EAAI,OAAO,CAAC,EAClB,OAAO,IAAI,WAAW,CAAC/B,EAAM,GAAK+B,IAAM,EAAK,IAAMA,EAAI,GAAI,CAAC,CAC9D,CACA,GAAI,EAAI,aAAgB,CACtB,MAAMA,EAAI,OAAO,CAAC,EAClB,OAAO,IAAI,WAAW,CACpB/B,EAAM,GACL+B,IAAM,GAAM,IACZA,IAAM,GAAM,IACZA,IAAM,EAAK,IACZA,EAAI,GAAA,CACL,CACH,CAEA,MAAMC,EAAM,IAAI,WAAW,CAAC,EAC5BA,EAAI,CAAC,EAAIhC,EAAM,GACf,QAAS9B,EAAI,EAAGA,GAAK,EAAGA,IACtB8D,EAAI,EAAI9D,CAAC,EAAI,OAAO,GAAK,QAAQ,EAAIA,GAAK,CAAC,CAAC,EAAI,IAElD,OAAO8D,CACT,CAEA,SAASC,KAAUC,EAAiC,CAClD,MAAMC,EAAQD,EAAM,OAAO,CAACpD,EAAGjB,IAAMiB,EAAIjB,EAAE,OAAQ,CAAC,EAC9CmE,EAAM,IAAI,WAAWG,CAAK,EAChC,IAAIC,EAAS,EACb,UAAWvE,KAAKqE,EACdF,EAAI,IAAInE,EAAGuE,CAAM,EACjBA,GAAUvE,EAAE,OAEd,OAAOmE,CACT,CASA,SAASK,EAAuBC,EAA+B,CAE7D,MAAMC,EAAsB,CADbX,EAAS,EAAGU,EAAM,MAAM,CACJ,EACnC,UAAWE,KAAKF,EACdC,EAAM,KAAKX,EAAS,EAAGY,CAAC,CAAC,EAE3B,OAAOP,EAAO,GAAGM,CAAK,CACxB,CAsBO,SAASE,GACdC,EACAC,EACAC,EACY,CACZ,GAAI,CAAC,OAAO,cAAcA,CAAS,GAAKA,EAAY,EAClD,MAAM,IAAI,MACR,oFAAoFA,CAAS,EAAA,EAGjG,MAAMC,EAAcjB,EAAS,EAAG,CAAC,EAC3BkB,EAAcT,EAAuBK,CAAM,EAC3CK,EAAcV,EAAuBM,CAAyB,EAC9DK,EAAiBpB,EAAS,EAAGgB,CAAS,EAC5C,OAAOX,EAAOY,EAAaC,EAAaC,EAAaC,CAAc,CACrE,CCzFA,MAAMC,GAAyB,IAAI,YAAA,EAAc,OAC/C,6BACF,EA6BO,MAAMC,UAA4B,KAAM,CAC7C,YACEC,EACgBC,EAQhB,CACA,MAAMD,CAAO,EATG,KAAA,OAAAC,EAUhB,KAAK,KAAO,qBACd,CACF,CAGA,SAASC,EAAWC,EAAyB,CAC3C,MAAMtB,EAAM,IAAI,WAAWsB,EAAI,OAAS,CAAC,EACzC,QAASpF,EAAI,EAAGA,EAAI8D,EAAI,OAAQ9D,IAC9B8D,EAAI9D,CAAC,EAAI,SAASoF,EAAI,MAAMpF,EAAI,EAAGA,EAAI,EAAI,CAAC,EAAG,EAAE,EAEnD,OAAO8D,CACT,CAsBO,SAASuB,EAAqBC,EAAwC,CAC3E,KAAM,CAAE,MAAAC,EAAO,mBAAAC,EAAoB,IAAAC,CAAA,EAAQH,EAErCI,EAASC,EAAAA,eAAeH,CAAkB,EAAE,YAAA,EAClD,GAAIE,EAAO,SAAWpG,EAAAA,uBAAyB,CAACN,EAAAA,OAAO,KAAK0G,CAAM,EAChE,MAAM,IAAIV,EACR,+CAA+CU,EAAO,MAAM,SAC5D,yBAAA,EAIJ,MAAME,EAASD,EAAAA,eAAeJ,EAAM,aAAa,EAAE,YAAA,EACnD,GAAIK,EAAO,SAAWtG,EAAAA,uBAAyB,CAACN,EAAAA,OAAO,KAAK4G,CAAM,EAChE,MAAM,IAAIZ,EACR,0CAA0CY,EAAO,MAAM,SACvD,yBAAA,EAIJ,GAAIA,IAAWF,EACb,MAAM,IAAIV,EACR,uDAAuDU,CAAM,SAASE,CAAM,GAC5E,wBAAA,EAWJ,GAAI,CAAC,OAAO,cAAcL,EAAM,UAAU,EACxC,MAAM,IAAIP,EACR,4CAA4C,KAAK,UAAUO,EAAM,UAAU,CAAC,GAC5E,oBAAA,EAGJ,GAAI,CAAC,OAAO,cAAcE,CAAG,EAC3B,MAAM,IAAIT,EACR,qCAAqC,KAAK,UAAUS,CAAG,CAAC,GACxD,oBAAA,EAGJ,GAAIF,EAAM,YAAcE,EACtB,MAAM,IAAIT,EACR,oCAAoCO,EAAM,UAAU,SAASE,CAAG,GAChE,SAAA,EAIJ,MAAMI,EAAMF,EAAAA,eAAeJ,EAAM,gBAAgB,EAAE,YAAA,EACnD,GAAIM,EAAI,SAAWtG,EAAAA,2BAA6B,CAACP,EAAAA,OAAO,KAAK6G,CAAG,EAC9D,MAAM,IAAIb,EACR,wDAAwDa,EAAI,MAAM,SAClE,0BAAA,EAGJ,MAAMC,EAASD,EAAI,MAAM,EAAG,CAAC,EAC7B,GAAIC,IAAW,MAAQA,IAAW,KAChC,MAAM,IAAId,EACR,2DAA2Dc,CAAM,GACjE,0BAAA,EASJ,MAAMC,EAAWZ,EAAWU,CAAG,EAC/B,GAAI,CAACrD,EAAI,QAAQuD,CAAQ,EACvB,MAAM,IAAIf,EACR,kDACA,0BAAA,EAIJ,MAAMgB,EAAML,EAAAA,eAAeJ,EAAM,SAAS,EAAE,YAAA,EAC5C,GAAIS,EAAI,SAAWC,EAAAA,qBAAuB,CAACjH,EAAAA,OAAO,KAAKgH,CAAG,EACxD,MAAM,IAAIhB,EACR,8CAA8CgB,EAAI,MAAM,SACxD,4BAAA,EAQJ,MAAME,EAAU3B,GACdQ,GACAI,EAAWU,CAAG,EACdN,EAAM,UAAA,EAGR,GAAI,CADa9C,GAAmByD,EAASf,EAAWS,CAAM,EAAGT,EAAWa,CAAG,CAAC,EAE9E,MAAM,IAAIhB,EACR,gGACA,+BAAA,CAGN,CClNO,MAAMmB,OAA8C,IAAI,CAC7D,uCACA,6CACA,mDACF,CAAC,ECFKC,GAAuB,IAEhBC,EAAqB,4BAE3B,SAASC,EACdnF,EACAoF,EACe,CACf,OAAO,IAAIjF,EAAAA,cAAc,CACvB,QAAAH,EACA,QAASiF,GACT,QAAAG,EACA,aAAeC,GAAWA,IAAWH,CAAA,CACtC,CACH,CCgBA,MAAMI,EAAsB,WAOtBC,GAA4B,GAyC3B,MAAMC,EAA+C,CAgB1D,YAAYtF,EAA+B,CAXnCxC,EAAA,eACSA,EAAA,kBACAA,EAAA,sBACAA,EAAA,2BACAA,EAAA,yBACAA,EAAA,wBACAA,EAAA,YAETA,EAAA,cAA6B,MAC7BA,EAAA,gBAAwC,MAG9C,KAAK,OAASwC,EAAO,OACrB,KAAK,UAAYA,EAAO,UACxB,KAAK,cAAgBA,EAAO,cAC5B,KAAK,mBAAqBA,EAAO,mBACjC,KAAK,iBAAmBA,EAAO,iBAC/B,KAAK,gBAAkBA,EAAO,iBAAmBqF,GACjD,KAAK,IAAMrF,EAAO,MAAQ,IAAM,KAAK,MAAM,KAAK,MAAQ,GAAI,EAC9D,CAcA,MAAM,SAASmF,EAAwC,CAErD,GADIA,IAAWH,GACX,CAAC,KAAK,iBAAiB,IAAIG,CAAM,EAAG,OAAO,KAE/C,MAAMI,EAAS,KAAK,OACpB,OAAIA,GAAU,KAAK,IAAA,EAAQ,KAAK,gBAAkBA,EAAO,UAChDA,EAAO,OAGF,MAAM,KAAK,oBAAA,GACZ,KACf,CAMA,YAAmB,CACjB,KAAK,OAAS,IAKhB,CAUA,UAAUC,EAA6B,CACrC,KAAK,OAASA,CAChB,CAEQ,qBAA4C,CAClD,MAAMC,EAAW,KAAK,SACtB,GAAIA,EAAU,OAAOA,EAErB,MAAMnH,GAAK,SAAY,CACrB,GAAI,CACF,MAAME,EAAW,MAAM,KAAK,OAAO,KAGjCwG,EAAoB,CACpB,WAAY,KAAK,UACjB,YAAa,KAAK,aAAA,CACnB,EAWD,GATAhB,EAAqB,CACnB,MAAOxF,EAAS,gBAChB,mBAAoB,KAAK,mBACzB,IAAK,KAAK,IAAA,CAAI,CACf,EAKG,OAAOA,EAAS,OAAU,UAAYA,EAAS,MAAM,SAAW,EAClE,MAAM,IAAI,MACR,sFAAsF,OAAOA,EAAS,KAAK,GAAA,EAG/G,MAAM4F,EAAM,KAAK,IAAA,EACjB,GACE,CAAC,OAAO,cAAc5F,EAAS,UAAU,GACzCA,EAAS,YAAc4F,GACvB5F,EAAS,WAAa4G,EAEtB,MAAM,IAAI,MACR,gEAAgE,KAAK,UAAU5G,EAAS,UAAU,CAAC,gCAAgC4F,CAAG,KAAKgB,CAAmB,IAAA,EAIlK,MAAMM,EAAqB,CACzB,MAAOlH,EAAS,MAChB,UAAWA,EAAS,UAAA,EAEtB,YAAK,OAASkH,EACPA,CACT,QAAA,CACE,KAAK,SAAW,IAClB,CACF,GAAA,EAEA,YAAK,SAAWpH,EACTA,CACT,CACF,CC9LO,MAAMqH,CAAgB,CAAtB,cACYnI,EAAA,mBAAc,KAS/B,YAAYyG,EAA8C,CACxD,MAAMwB,EAAW,KAAK,QAAQ,IAAIxB,EAAM,SAAS,EACjD,GAAIwB,EAAU,CACZ,GAAIA,EAAS,gBAAkBxB,EAAM,cACnC,MAAM,IAAI,MACR,8BAA8BA,EAAM,SAAS,mCAAmCwB,EAAS,cAAc,MAAM,EAAG,CAAC,CAAC,UAAUxB,EAAM,cAAc,MAAM,EAAG,CAAC,CAAC,GAAA,EAG/J,GAAIwB,EAAS,qBAAuBxB,EAAM,mBACxC,MAAM,IAAI,MACR,8BAA8BA,EAAM,SAAS,wCAAwCwB,EAAS,mBAAmB,MAAM,EAAG,CAAC,CAAC,UAAUxB,EAAM,mBAAmB,MAAM,EAAG,CAAC,CAAC,GAAA,EAM9K,OAAAwB,EAAS,SAAS,UAAUxB,EAAM,MAAM,EACjCwB,EAAS,QAClB,CAEA,MAAMG,EAAW,IAAIN,GAAgB,CACnC,OAAQrB,EAAM,OACd,UAAWA,EAAM,UACjB,cAAeA,EAAM,cACrB,mBAAoBA,EAAM,mBAC1B,iBAAkBa,EAAA,CACnB,EACD,YAAK,QAAQ,IAAIb,EAAM,UAAW,CAChC,SAAA2B,EACA,cAAe3B,EAAM,cACrB,mBAAoBA,EAAM,kBAAA,CAC3B,EACM2B,CACT,CAGA,KAAKC,EAAgD,OACnD,OAAOzI,EAAA,KAAK,QAAQ,IAAIyI,CAAS,IAA1B,YAAAzI,EAA6B,QACtC,CAOA,QAAQyI,EAAyB,CAC/B,KAAK,QAAQ,OAAOA,CAAS,CAC/B,CAQA,OAAc,CACZ,KAAK,QAAQ,MAAA,CACf,CAEA,IAAI,MAAe,CACjB,OAAO,KAAK,QAAQ,IACtB,CACF,CAaO,MAAMC,EAAyC,IAAIH,EChFnD,SAASI,GACd/F,EACwB,OACxB,MAAMgG,EAAmBf,EACvBjF,EAAO,SACP5C,EAAA4C,EAAO,UAAP,YAAA5C,EAAgB,OAAA,EAGZ6I,EAAgBH,EAAgB,YAAY,CAChD,OAAQE,EACR,UAAWhG,EAAO,UAClB,cAAeA,EAAO,cACtB,mBAAoBA,EAAO,kBAAA,CAC5B,EAED,OAAO,IAAIH,EAAuBG,EAAO,QAAS,CAChD,GAAGA,EAAO,QACV,cAAAiG,CAAA,CACD,CACH,CC5BO,SAASC,GAAqBjC,EAA+B,CAClE6B,EAAgB,YAAY,CAC1B,OAAQb,EAAsBhB,EAAM,QAASA,EAAM,OAAO,EAC1D,UAAWA,EAAM,UACjB,cAAeA,EAAM,cACrB,mBAAoBA,EAAM,kBAAA,CAC3B,CACH,CCAA,eAAsBkC,GACpBC,EACAC,EAC4B,CAC5B,KAAM,CAACC,EAAgBC,CAAmB,EAAI,MAAMH,EAAa,UAAU,CACzE,UAAW,CACT,CACE,QAASC,EACT,IAAKG,EAAAA,oBACL,aAAc,gBAAA,EAEhB,CACE,QAASH,EACT,IAAKG,EAAAA,oBACL,aAAc,qBAAA,CAChB,EAEF,aAAc,EAAA,CACf,EAED,MAAO,CACL,eAAAF,EACA,oBAAAC,CAAA,CAEJ,CCjCA,MAAME,EAAa,MAgCnB,SAASC,EAAkBC,EAAoD,CAC7E,MAAO,CACL,eAAgBA,EAAO,eACvB,wBAAyBA,EAAO,wBAChC,oBAAqB,CAAC,GAAGA,EAAO,mBAAmB,EACnD,cAAeA,EAAO,cACtB,QAASA,EAAO,QAChB,mBAAoBA,EAAO,mBAC3B,wBAAyBA,EAAO,wBAChC,mBAAoBA,EAAO,mBAC3B,QAASA,EAAO,QAChB,OAAQA,EAAO,OACf,gBAAiBA,EAAO,gBACxB,qBAAsBA,EAAO,qBAC7B,iBAAkBA,EAAO,gBAAA,CAE7B,CAGA,SAASC,EAAaD,EAAyC,CAC7D,MAAO,CACL,mBAAoBA,EAAO,mBAC3B,eAAgBA,EAAO,eACvB,gBAAiBA,EAAO,gBACxB,uBAAwBA,EAAO,uBAC/B,mBAAoBA,EAAO,kBAAA,CAE/B,CAYA,SAASE,EAAoBC,EAAgC,CAC3D,GAAIA,EAAiB,OAAOL,CAAU,EACpC,MAAM,IAAI,MACR,wBAAwBK,CAAc,wBAAwBL,CAAU,GAAA,EAG5E,OAAO,OAAOK,CAAc,CAC9B,CAWO,MAAMC,EAAyD,CACpE,YACUX,EACAY,EACR,CAFQ,KAAA,aAAAZ,EACA,KAAA,gBAAAY,CACP,CAEH,MAAM,sBAAmD,CACvD,MAAML,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,sBAAA,CACf,EAED,OAAOL,EAAaD,CAAM,CAC5B,CAEA,MAAM,yBAA4D,CAChE,MAAMA,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,yBAAA,CACf,EAED,OAAOP,EAAkBC,CAAM,CACjC,CAEA,MAAM,2BACJO,EACkC,CAClC,MAAMP,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,6BACd,KAAM,CAACC,CAAO,CAAA,CACf,EAED,OAAOR,EAAkBC,CAAM,CACjC,CAEA,MAAM,gCAAkD,CAOtD,OANgB,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,6BAAA,CACf,CAGH,CAEA,MAAM,0BAA0BC,EAAkC,CAChE,MAAMhH,EAAS,MAAM,KAAK,2BAA2BgH,CAAO,EAC5D,OAAOL,EAAoB3G,EAAO,cAAc,CAClD,CAMA,MAAM,uBAAqD,CACzD,MAAMiH,EAAU,MAAM,KAAK,aAAa,UAAU,CAChD,UAAW,CACT,CACE,QAAS,KAAK,gBACd,IAAKF,EAAAA,kBACL,aAAc,sBAAA,EAEhB,CACE,QAAS,KAAK,gBACd,IAAKA,EAAAA,kBACL,aAAc,yBAAA,CAChB,EAEF,aAAc,EAAA,CACf,EAEKG,EAAYR,EAAaO,EAAQ,CAAC,CAAiB,EACnDE,EAAiBX,EAAkBS,EAAQ,CAAC,CAAsB,EAExE,MAAO,CACL,mBAAoBC,EAAU,mBAC9B,eAAgBA,EAAU,eAC1B,gBAAiBA,EAAU,gBAC3B,uBAAwBA,EAAU,uBAClC,mBAAoBA,EAAU,mBAC9B,cAAeP,EAAoBQ,EAAe,cAAc,EAChE,eAAgBA,EAAe,QAC/B,mBAAoBA,EAAe,mBACnC,eAAAA,CAAA,CAEJ,CACF,CCtLA,SAASC,EACPX,EACqB,CACrB,OAAOA,EAAO,IAAKY,IAAU,CAC3B,WAAYA,EAAK,WACjB,UAAWA,EAAK,SAAA,EAChB,CACJ,CAWO,MAAMC,EAAmD,CAC9D,YACUpB,EACAY,EACR,CAFQ,KAAA,aAAAZ,EACA,KAAA,gBAAAY,CACP,CAEH,MAAM,yBACJS,EACAP,EAC8B,CAC9B,MAAMP,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKe,EAAAA,uBACL,aAAc,2BACd,KAAM,CAACD,EAAeP,CAAO,CAAA,CAC9B,EAED,OAAOI,EAAYX,CAAM,CAC3B,CAEA,MAAM,uBACJc,EAC8B,CAC9B,MAAMd,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKe,EAAAA,uBACL,aAAc,yBACd,KAAM,CAACD,CAAa,CAAA,CACrB,EAED,OAAOH,EAAYX,CAAM,CAC3B,CAEA,MAAM,8BACJc,EACiB,CAQjB,OAPgB,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKC,EAAAA,uBACL,aAAc,gCACd,KAAM,CAACD,CAAa,CAAA,CACrB,CAGH,CACF,CAWO,MAAME,EAAmE,CAC9E,YACUvB,EACAY,EACR,CAFQ,KAAA,aAAAZ,EACA,KAAA,gBAAAY,CACP,CAEH,MAAM,iCACJE,EAC8B,CAC9B,MAAMP,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,mCACd,KAAM,CAACC,CAAO,CAAA,CACf,EAED,OAAOI,EAAYX,CAAM,CAC3B,CAEA,MAAM,gCAA+D,CACnE,MAAMA,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,gCAAA,CACf,EAED,OAAOK,EAAYX,CAAM,CAC3B,CAEA,MAAM,sCAAwD,CAO5D,OANgB,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKM,EAAAA,kBACL,aAAc,mCAAA,CACf,CAGH,CACF,CCrGO,MAAMW,EAAuD,CAClE,YACUxB,EACAY,EACR,CAFQ,KAAA,aAAAZ,EACA,KAAA,gBAAAY,CACP,CAQH,MAAM,0BACJa,EAC2B,CAO3B,MAAMC,GANU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKtB,EAAAA,oBACL,aAAc,yBACd,KAAM,CAACqB,CAAS,CAAA,CACjB,GACsB,YAAA,EACvB,GAAI,CAAC,mBAAmB,KAAKC,CAAO,EAClC,MAAM,IAAI,MACR,2DAA2DD,CAAS,YAAYC,EAAQ,MAAM,aAAaA,EAAQ,MAAM,EAAG,CAAC,CAAC,IAAA,EAGlI,MAAMC,EAAWD,EAAQ,MAAM,CAAC,EAChC,GAAI,CAAC3G,EAAI,aAAa6G,EAAAA,gBAAgBD,CAAQ,CAAC,EAC7C,MAAM,IAAI,MACR,kFAAkFF,CAAS,GAAA,EAG/F,OAAOE,CACT,CAEA,MAAM,kBAAkBE,EAAuC,CAC7D,MAAMtB,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKH,EAAAA,oBACL,aAAc,uBACd,KAAM,CAACyB,CAAO,CAAA,CACf,EAUD,MAAO,CACL,UAAWtB,EAAO,UAClB,mBAAoBA,EAAO,mBAC3B,OAAQA,EAAO,OACf,cAAeA,EAAO,cACtB,OAAQA,EAAO,OACf,sBAAuBA,EAAO,sBAC9B,UAAWA,EAAO,SAAA,CAEtB,CAEA,MAAM,qBAAqBsB,EAA0C,CACnE,MAAMtB,EAAU,MAAM,KAAK,aAAa,aAAa,CACnD,QAAS,KAAK,gBACd,IAAKH,EAAAA,oBACL,aAAc,0BACd,KAAM,CAACyB,CAAO,CAAA,CACf,EAcD,MAAO,CACL,uBAAwBtB,EAAO,uBAC/B,4BAA6BA,EAAO,4BACpC,uBAAwBA,EAAO,uBAC/B,sBAAuBA,EAAO,sBAC9B,WAAYA,EAAO,WACnB,oBAAqBA,EAAO,oBAC5B,SAAUA,EAAO,SACjB,SAAUA,EAAO,SACjB,sBAAuBA,EAAO,sBAC9B,eAAgBA,EAAO,eACvB,2BAA4BA,EAAO,0BAAA,CAEvC,CAEA,MAAM,aAAasB,EAAkC,CACnD,KAAM,CAACC,EAAOC,CAAQ,EAAI,MAAM,QAAQ,IAAI,CAC1C,KAAK,kBAAkBF,CAAO,EAC9B,KAAK,qBAAqBA,CAAO,CAAA,CAClC,EAED,GACE,CAACE,EAAS,wBACVA,EAAS,yBAA2B,KAEpC,MAAM,IAAI,MACR,SAASF,CAAO,iDAAA,EAIpB,MAAO,CAAE,MAAAC,EAAO,SAAAC,CAAA,CAClB,CACF"}