@babylonlabs-io/ts-sdk 0.48.4 → 0.49.0

package/dist/tbv/core/clients/mempool/types.d.ts

@@ -53,6 +53,26 @@ export interface TxStatus {
     block_hash?: string;
     block_time?: number;
 }
+/**
+ * Spend status of a single transaction output, from the esplora-compatible
+ * `GET /tx/{txid}/outspend/{vout}` endpoint served by the mempool.space
+ * backend.
+ *
+ * Source: mempool/electrs `src/rest.rs` `SpendingValue` — an unspent output
+ * serializes as `{ "spent": false }` (the optional fields use
+ * `skip_serializing_if`); a spent output serializes as
+ * `{ "spent": true, "txid", "vin", "status" }`.
+ */
+export interface OutspendStatus {
+    /** True when the output has been spent (mempool or a block). */
+    spent: boolean;
+    /** Spending transaction id; present only when `spent`. */
+    txid?: string;
+    /** Input index within the spending tx; present only when `spent`. */
+    vin?: number;
+    /** Confirmation status of the spending tx; present only when `spent`. */
+    status?: TxStatus;
+}
 /**
  * Full transaction info from mempool API.
  */

package/dist/tbv/core/clients/mempool/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/tbv/core/clients/mempool/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE;QACP,YAAY,EAAE,MAAM,CAAC;QACrB,gBAAgB,EAAE,MAAM,CAAC;QACzB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,oBAAoB,EAAE,MAAM,CAAC;QAC7B,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,OAAO,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,OAAO,EAAE,CAAC;IACf,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/tbv/core/clients/mempool/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE;QACP,YAAY,EAAE,MAAM,CAAC;QACrB,gBAAgB,EAAE,MAAM,CAAC;QACzB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,oBAAoB,EAAE,MAAM,CAAC;QAC7B,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,OAAO,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,KAAK,EAAE,OAAO,CAAC;IACf,0DAA0D;IAC1D,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yEAAyE;IACzE,MAAM,CAAC,EAAE,QAAQ,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,OAAO,EAAE,CAAC;IACf,IAAI,EAAE,QAAQ,EAAE,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB"}

package/dist/tbv/core/clients/vault-provider/auth/__tests__/cborDecode.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cborDecode.test.d.ts.map

package/dist/tbv/core/clients/vault-provider/auth/__tests__/cborDecode.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cborDecode.test.d.ts","sourceRoot":"","sources":["../../../../../../../src/tbv/core/clients/vault-provider/auth/__tests__/cborDecode.test.ts"],"names":[],"mappings":""}

package/dist/tbv/core/clients/vault-provider/auth/__tests__/goldenVectors.d.ts

@@ -41,4 +41,18 @@ export declare const GOLDEN_EXPIRES_AT = 1700000000;
 export declare const GOLDEN_PAYLOAD_HEX = "83981b186218741863182d1861187518741868182e187318651872187618651872182d186918641865186e1874186918741879182e1876183198210218f018a118c7183e18c9186018611202187b1888161856181907187218b7187018f518b8181b18bf188618840d18bb18881877189d18e315188f1a6553f100";
 /** 64-byte BIP-322 Schnorr signature for the above payload + signing key. */
 export declare const GOLDEN_SIGNATURE_HEX = "89c7473a2b4128f7c015272d535c535d7508b8ca9d9a06e4863d7da4cea8feb99fc20f9cbbb49f67594a81fdd31406f9654e4964b9176e8d47259a0fbc322fdf";
+/** Depositor x-only pubkey carried in the `aud` claim (seed 99). */
+export declare const GOLDEN_CWT_AUDIENCE_XONLY = "4f401063cc0f559467937a3fad43929058922478886f70505e7d29569af2ab5e";
+/** `iat`/`nbf` of every CWT golden token. */
+export declare const GOLDEN_CWT_NBF = 1699996000;
+/** `exp` of the normal-lifetime tokens. ≤ GOLDEN_EXPIRES_AT (server-identity expiry). */
+export declare const GOLDEN_CWT_EXP = 1699999000;
+/** `exp` of the short-lifetime token used to exercise refresh-on-skew. */
+export declare const GOLDEN_CWT_SHORT_EXP = 1699996440;
+/** JSON-RPC-subject token (`sub` = "vaultd-jsonrpc"), exp = GOLDEN_CWT_EXP. */
+export declare const GOLDEN_CWT_TOKEN_JSONRPC = "0oREoQE4LqBYu6cBeEA0OTE2NGEwMmFjODFiNDJjYzRkY2RlN2E4MzExYmVjZjU2ODg2ODUwZjA2M2E4NmM2NmFmZWY1YzhhZTA3NzhjAm52YXVsdGQtanNvbnJwYwN4QDRmNDAxMDYzY2MwZjU1OTQ2NzkzN2EzZmFkNDM5MjkwNTg5MjI0Nzg4ODZmNzA1MDVlN2QyOTU2OWFmMmFiNWUEGmVT7RgFGmVT4WAGGmVT4WAHUKurq6urq6urq6urq6urq6tYQFYf_JPwc-IvtuwABdhlKk78PWG0KS2u30pRQ2U1CE4GHGrfmcLIrhZsoDifabPwgtcMLTuDEUHLGJM5dOC_Bi8";
+/** Same issuance shape but short-lived (exp = GOLDEN_CWT_SHORT_EXP). */
+export declare const GOLDEN_CWT_TOKEN_JSONRPC_SHORT = "0oREoQE4LqBYu6cBeEA0OTE2NGEwMmFjODFiNDJjYzRkY2RlN2E4MzExYmVjZjU2ODg2ODUwZjA2M2E4NmM2NmFmZWY1YzhhZTA3NzhjAm52YXVsdGQtanNvbnJwYwN4QDRmNDAxMDYzY2MwZjU1OTQ2NzkzN2EzZmFkNDM5MjkwNTg5MjI0Nzg4ODZmNzA1MDVlN2QyOTU2OWFmMmFiNWUEGmVT4xgFGmVT4WAGGmVT4WAHUM3Nzc3Nzc3Nzc3Nzc3Nzc1YQDayqqB4bTlHAaFOwyNcAMIEpiBW5GrgnkarO0yJ7bnkHjsmHlFcA9XDFupahH9wIQMGN8R6FVDax52MdYdg3Wc";
+/** gRPC-subject token (`sub` = "vaultd-grpc"), exp = GOLDEN_CWT_EXP. */
+export declare const GOLDEN_CWT_TOKEN_GRPC = "0oREoQE4LqBYuKcBeEA0OTE2NGEwMmFjODFiNDJjYzRkY2RlN2E4MzExYmVjZjU2ODg2ODUwZjA2M2E4NmM2NmFmZWY1YzhhZTA3NzhjAmt2YXVsdGQtZ3JwYwN4QDRmNDAxMDYzY2MwZjU1OTQ2NzkzN2EzZmFkNDM5MjkwNTg5MjI0Nzg4ODZmNzA1MDVlN2QyOTU2OWFmMmFiNWUEGmVT7RgFGmVT4WAGGmVT4WAHUO_v7-_v7-_v7-_v7-_v7-9YQJhF3CJH5sFKdi7jwGeqVxErk95edujMvMVF6JiU-Io6cbBBbcJtHWZPF_Cc3_SIlAO6s6Oi9N6u0XUOPQf5ZW8";
 //# sourceMappingURL=goldenVectors.d.ts.map

package/dist/tbv/core/clients/vault-provider/auth/__tests__/goldenVectors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"goldenVectors.d.ts","sourceRoot":"","sources":["../../../../../../../src/tbv/core/clients/vault-provider/auth/__tests__/goldenVectors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,8EAA8E;AAC9E,eAAO,MAAM,kCAAkC,uEACuB,CAAC;AAEvE,yEAAyE;AACzE,eAAO,MAAM,wBAAwB,qEAC+B,CAAC;AAErE,2BAA2B;AAC3B,eAAO,MAAM,iBAAiB,aAAgB,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,kBAAkB,2PAC2N,CAAC;AAE3P,6EAA6E;AAC7E,eAAO,MAAM,oBAAoB,qIACmG,CAAC"}
+{"version":3,"file":"goldenVectors.d.ts","sourceRoot":"","sources":["../../../../../../../src/tbv/core/clients/vault-provider/auth/__tests__/goldenVectors.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,8EAA8E;AAC9E,eAAO,MAAM,kCAAkC,uEACuB,CAAC;AAEvE,yEAAyE;AACzE,eAAO,MAAM,wBAAwB,qEAC+B,CAAC;AAErE,2BAA2B;AAC3B,eAAO,MAAM,iBAAiB,aAAgB,CAAC;AAE/C;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,kBAAkB,2PAC2N,CAAC;AAE3P,6EAA6E;AAC7E,eAAO,MAAM,oBAAoB,qIACmG,CAAC;AAwBrI,oEAAoE;AACpE,eAAO,MAAM,yBAAyB,qEAC8B,CAAC;AAErE,6CAA6C;AAC7C,eAAO,MAAM,cAAc,aAAgB,CAAC;AAC5C,yFAAyF;AACzF,eAAO,MAAM,cAAc,aAAgB,CAAC;AAC5C,0EAA0E;AAC1E,eAAO,MAAM,oBAAoB,aAAgB,CAAC;AAElD,+EAA+E;AAC/E,eAAO,MAAM,wBAAwB,oWAC8T,CAAC;AAEpW,wEAAwE;AACxE,eAAO,MAAM,8BAA8B,oWACwT,CAAC;AAEpW,wEAAwE;AACxE,eAAO,MAAM,qBAAqB,gWAC6T,CAAC"}

package/dist/tbv/core/clients/vault-provider/auth/__tests__/mintTestCwt.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Test-only minter for ES256K COSE Sign1 CWT bearer tokens.
+ *
+ * The genuine golden vectors in {@link ./goldenVectors} are signed by the
+ * Rust issuer's key, so they can only exercise the *happy* path and the
+ * checks that run before signature verification. The claim-rejection
+ * paths (`invalid_claims` for a malformed `aud`, `iat > exp`, an empty
+ * `cti`, …) run only *after* the COSE signature verifies, so reaching
+ * them needs a token signed over deliberately-bad claims.
+ *
+ * This helper signs tokens with a test-controlled key and hands the
+ * matching ephemeral pubkey to the verifier, so any claim combination can
+ * be minted with a signature that genuinely verifies. It builds the same
+ * COSE_Sign1 byte layout the verifier reads — tag(18), 4-element array,
+ * protected-header byte string, empty unprotected map, payload byte
+ * string, and the 64-byte compact signature.
+ *
+ * @module tbv/core/clients/vault-provider/auth/__tests__/mintTestCwt
+ */
+/** Compressed ephemeral pubkey matching {@link TEST_PRIVATE_KEY}. */
+export declare const MINT_EPHEMERAL_PUBKEY_COMPRESSED: string;
+/** COSE algorithm id for ES256K (the value the verifier requires). */
+export declare const ALG_ES256K = -47;
+export interface MintCwtOptions {
+    alg?: number;
+    iss: string;
+    sub: string;
+    aud: string;
+    exp: number;
+    nbf: number;
+    iat: number;
+    /** `cti` bytes; defaults to a single non-zero byte. */
+    cti?: Uint8Array;
+    /**
+     * Override the signature length. The genuine signature is always
+     * computed; when set, it is truncated/padded to this length so the
+     * verifier's structural length check can be exercised.
+     */
+    sigLenOverride?: number;
+}
+/** Build a base64url COSE Sign1 CWT signed with the test ephemeral key. */
+export declare function mintTestCwt(opts: MintCwtOptions): string;
+//# sourceMappingURL=mintTestCwt.d.ts.map

package/dist/tbv/core/clients/vault-provider/auth/__tests__/mintTestCwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mintTestCwt.d.ts","sourceRoot":"","sources":["../../../../../../../src/tbv/core/clients/vault-provider/auth/__tests__/mintTestCwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAQH,qEAAqE;AACrE,eAAO,MAAM,gCAAgC,QAIzC,CAAC;AAEL,sEAAsE;AACtE,eAAO,MAAM,UAAU,MAAM,CAAC;AAwD9B,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,uDAAuD;IACvD,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,2EAA2E;AAC3E,wBAAgB,WAAW,CAAC,IAAI,EAAE,cAAc,GAAG,MAAM,CAuDxD"}

package/dist/tbv/core/clients/vault-provider/auth/__tests__/verifyDepositorCwt.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=verifyDepositorCwt.test.d.ts.map

package/dist/tbv/core/clients/vault-provider/auth/__tests__/verifyDepositorCwt.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyDepositorCwt.test.d.ts","sourceRoot":"","sources":["../../../../../../../src/tbv/core/clients/vault-provider/auth/__tests__/verifyDepositorCwt.test.ts"],"names":[],"mappings":""}

package/dist/tbv/core/clients/vault-provider/auth/cborDecode.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Minimal CBOR decoder — the read-side counterpart to {@link ./cbor}.
+ *
+ * Decodes only the subset needed to verify a vault-provider CWT bearer
+ * token (RFC 8392) wrapped in a COSE Sign1 envelope (RFC 8152): tagged
+ * values, definite-length arrays and maps, byte/text strings, and
+ * unsigned/negative integers. Indefinite-length items, floats, and
+ * big-number tags are intentionally rejected — the issuer
+ * (btc-vault's `coset`/`ciborium` stack) never emits them for this
+ * shape, so accepting them would only widen the parser's attack
+ * surface.
+ *
+ * The decoder is a cursor over a single buffer. {@link CborReader.pos}
+ * is public so callers can slice the exact encoded byte range of an
+ * item (head + content) — required to reconstruct the COSE
+ * `Sig_structure` byte-for-byte from the token's own protected-header
+ * and payload byte strings.
+ *
+ * @module tbv/core/clients/vault-provider/auth/cborDecode
+ */
+/** A decoded CBOR data item. Maps preserve key insertion order. */
+export type CborValue = number | bigint | string | Uint8Array | boolean | null | CborValue[] | Map<CborValue, CborValue> | CborTagged;
+/** A CBOR tagged value (major type 6). */
+export interface CborTagged {
+    tag: number;
+    value: CborValue;
+}
+/** Parsed initial-byte header: major type plus its decoded argument. */
+export interface CborHead {
+    major: number;
+    /** The header argument (length, value, tag number, …) as a number. */
+    arg: number;
+}
+export declare class CborDecodeError extends Error {
+    constructor(message: string);
+}
+/**
+ * Cursor-based reader over a CBOR buffer. Not reusable across buffers —
+ * construct one per decode.
+ */
+export declare class CborReader {
+    readonly buf: Uint8Array;
+    /** Current read offset. Public so callers can slice encoded sub-ranges. */
+    pos: number;
+    constructor(buf: Uint8Array);
+    private nextByte;
+    /**
+     * Read an initial byte and its argument. Rejects indefinite-length
+     * and reserved additional-info encodings. Arguments wider than
+     * {@link Number.MAX_SAFE_INTEGER} are rejected — none of the token's
+     * lengths, tags, or timestamps approach that bound.
+     */
+    readHead(): CborHead;
+    /** Read `length` raw bytes as a sub-array view into the backing buffer. */
+    private readBytes;
+    /**
+     * Read a byte string (major type 2), returning its content bytes.
+     * Throws if the next item is not a byte string.
+     */
+    readByteString(): Uint8Array;
+    /**
+     * Read the next complete data item as a decoded {@link CborValue}.
+     *
+     * `depth` tracks the current nesting level so a deeply-nested blob is
+     * rejected with a {@link CborDecodeError} rather than overflowing the
+     * native call stack (see {@link MAX_NESTING_DEPTH}).
+     */
+    readValue(depth?: number): CborValue;
+}
+/**
+ * Decode a single CBOR item from `bytes`, rejecting any trailing bytes.
+ *
+ * Used to parse the COSE protected header and CWT claims set — both are
+ * exactly one top-level item, so a valid prefix followed by extra bytes
+ * is a malformed structure, not a benign tail. Strict consumption keeps
+ * the parser from silently accepting a token a stricter CWT/COSE
+ * consumer would interpret differently.
+ */
+export declare function decodeCbor(bytes: Uint8Array): CborValue;
+//# sourceMappingURL=cborDecode.d.ts.map

package/dist/tbv/core/clients/vault-provider/auth/cborDecode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cborDecode.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/cborDecode.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAmCH,mEAAmE;AACnE,MAAM,MAAM,SAAS,GACjB,MAAM,GACN,MAAM,GACN,MAAM,GACN,UAAU,GACV,OAAO,GACP,IAAI,GACJ,SAAS,EAAE,GACX,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,GACzB,UAAU,CAAC;AAEf,0CAA0C;AAC1C,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,SAAS,CAAC;CAClB;AAED,wEAAwE;AACxE,MAAM,WAAW,QAAQ;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED;;;GAGG;AACH,qBAAa,UAAU;IACrB,QAAQ,CAAC,GAAG,EAAE,UAAU,CAAC;IACzB,2EAA2E;IAC3E,GAAG,SAAK;gBAEI,GAAG,EAAE,UAAU;IAI3B,OAAO,CAAC,QAAQ;IAOhB;;;;;OAKG;IACH,QAAQ,IAAI,QAAQ;IA0BpB,2EAA2E;IAC3E,OAAO,CAAC,SAAS;IASjB;;;OAGG;IACH,cAAc,IAAI,UAAU;IAU5B;;;;;;OAMG;IACH,SAAS,CAAC,KAAK,SAAI,GAAG,SAAS;CAgDhC;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,SAAS,CAOvD"}

package/dist/tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient.d.ts

@@ -9,6 +9,11 @@ export interface AuthenticatedVpClientConfig {
     authAnchorHex: string;
     /** On-chain VP pubkey, branded so it can only come from the registry reader. */
     pinnedServerPubkey: OnChainBtcPubkey;
+    /**
+     * Depositor BTC pubkey (x-only or compressed hex). Normalized to
+     * x-only and asserted against every issued token's CWT `aud` claim.
+     */
+    depositorBtcPubkey: string;
     /**
      * Opt into gRPC-subject auth for the artifact stream. Defaults to
      * `false` (JSON-RPC bearer). Only enable against a proxy running with

package/dist/tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"createAuthenticatedVpClient.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,sBAAsB,EACtB,KAAK,6BAA6B,EACnC,MAAM,QAAQ,CAAC;AAKhB,MAAM,WAAW,2BAA2B;IAC1C,uEAAuE;IACvE,OAAO,EAAE,MAAM,CAAC;IAChB,mEAAmE;IACnE,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,aAAa,EAAE,MAAM,CAAC;IACtB,gFAAgF;IAChF,kBAAkB,EAAE,gBAAgB,CAAC;IACrC;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,wEAAwE;IACxE,OAAO,CAAC,EAAE,6BAA6B,CAAC;CACzC;AAED,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,2BAA2B,GAClC,sBAAsB,CAkBxB"}
+{"version":3,"file":"createAuthenticatedVpClient.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/createAuthenticatedVpClient.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,sBAAsB,EACtB,KAAK,6BAA6B,EACnC,MAAM,QAAQ,CAAC;AAKhB,MAAM,WAAW,2BAA2B;IAC1C,uEAAuE;IACvE,OAAO,EAAE,MAAM,CAAC;IAChB,mEAAmE;IACnE,SAAS,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,aAAa,EAAE,MAAM,CAAC;IACtB,gFAAgF;IAChF,kBAAkB,EAAE,gBAAgB,CAAC;IACrC;;;OAGG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC,wEAAwE;IACxE,OAAO,CAAC,EAAE,6BAA6B,CAAC;CACzC;AAED,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,2BAA2B,GAClC,sBAAsB,CAqBxB"}

package/dist/tbv/core/clients/vault-provider/auth/primeVpAuth.d.ts

@@ -4,6 +4,11 @@ export interface PrimeVpAuthInput {
     peginTxid: string;
     authAnchorHex: string;
     pinnedServerPubkey: OnChainBtcPubkey;
+    /**
+     * Depositor BTC pubkey (x-only or compressed hex). Normalized to
+     * x-only and asserted against every issued token's CWT `aud` claim.
+     */
+    depositorBtcPubkey: string;
     /** Optional headers forwarded to the inner token client (e.g. gateway auth). */
     headers?: Record<string, string>;
     /**

package/dist/tbv/core/clients/vault-provider/auth/primeVpAuth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"primeVpAuth.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/primeVpAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAKxD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,gBAAgB,CAAC;IACrC,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,gBAAgB,GAAG,IAAI,CAQlE"}
+{"version":3,"file":"primeVpAuth.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/primeVpAuth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAKxD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,gBAAgB,CAAC;IACrC;;;OAGG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gFAAgF;IAChF,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,gBAAgB,GAAG,IAAI,CAWlE"}

package/dist/tbv/core/clients/vault-provider/auth/tokenProvider.d.ts

@@ -20,6 +20,13 @@ export interface VpTokenProviderConfig {
     authAnchorHex: string;
     /** Pinned VP pubkey from the on-chain registry; branded so indexer mirrors can't substitute. */
     pinnedServerPubkey: OnChainBtcPubkey;
+    /**
+     * Depositor x-only pubkey (32-byte hex). Asserted against every
+     * issued token's CWT `aud` claim so a token minted for a different
+     * depositor — or mis-issued by a buggy/compromised VP — is rejected
+     * before it can authenticate a mutation.
+     */
+    expectedAudienceXOnlyPubkey: string;
     /**
      * Methods that need a JSON-RPC-subject bearer (minted via
      * `auth_createDepositorToken`). Forwarded over plain HTTP JSON-RPC by
@@ -50,6 +57,7 @@ export declare class VpTokenProvider implements BearerTokenProvider {
     private readonly peginTxid;
     private readonly authAnchorHex;
     private readonly pinnedServerPubkey;
+    private readonly expectedAudienceXOnlyPubkey;
     private readonly authGatedMethods;
     private readonly grpcGatedMethods;
     private readonly refreshSkewSecs;

package/dist/tbv/core/clients/vault-provider/auth/tokenProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tokenProvider.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/tokenProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAK7E,OAAO,EACL,KAAK,sBAAsB,EAE5B,MAAM,kBAAkB,CAAC;AAgB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,qDAAqD;IACrD,KAAK,EAAE,MAAM,CAAC;IACd,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,eAAe,EAAE,sBAAsB,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,aAAa,CAAC;IACtB,2FAA2F;IAC3F,SAAS,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,aAAa,EAAE,MAAM,CAAC;IACtB,gGAAgG;IAChG,kBAAkB,EAAE,gBAAgB,CAAC;IACrC;;;;;OAKG;IACH,gBAAgB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACtC;;;;;OAKG;IACH,gBAAgB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACtC,iDAAiD;IACjD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oCAAoC;IACpC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAOD;;;;;GAKG;AACH,qBAAa,eAAgB,YAAW,mBAAmB;IAKzD,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAmB;IACtD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAsB;IACvD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAsB;IACvD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;IAEnC,kEAAkE;IAClE,OAAO,CAAC,aAAa,CAA4B;IACjD,OAAO,CAAC,eAAe,CAAqC;IAC5D,kEAAkE;IAClE,OAAO,CAAC,UAAU,CAA4B;IAC9C,OAAO,CAAC,YAAY,CAAqC;gBAE7C,MAAM,EAAE,qBAAqB;IAWzC;;;;;;;;;;;;;;;;OAgBG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IActD;;;;;;;;;OASG;IACH,UAAU,IAAI,IAAI;YASJ,kBAAkB;IAYhC;;;;;;;OAOG;IACH,SAAS,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;IAItC,OAAO,CAAC,mBAAmB;CAuE5B"}
+{"version":3,"file":"tokenProvider.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/tokenProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAK7E,OAAO,EACL,KAAK,sBAAsB,EAE5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,qDAAqD;IACrD,KAAK,EAAE,MAAM,CAAC;IACd,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,+DAA+D;IAC/D,eAAe,EAAE,sBAAsB,CAAC;CACzC;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,aAAa,CAAC;IACtB,2FAA2F;IAC3F,SAAS,EAAE,MAAM,CAAC;IAClB,iEAAiE;IACjE,aAAa,EAAE,MAAM,CAAC;IACtB,gGAAgG;IAChG,kBAAkB,EAAE,gBAAgB,CAAC;IACrC;;;;;OAKG;IACH,2BAA2B,EAAE,MAAM,CAAC;IACpC;;;;;OAKG;IACH,gBAAgB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACtC;;;;;OAKG;IACH,gBAAgB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACtC,iDAAiD;IACjD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,oCAAoC;IACpC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAOD;;;;;GAKG;AACH,qBAAa,eAAgB,YAAW,mBAAmB;IAKzD,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAmB;IACtD,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAS;IACrD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAsB;IACvD,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAsB;IACvD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;IAEnC,kEAAkE;IAClE,OAAO,CAAC,aAAa,CAA4B;IACjD,OAAO,CAAC,eAAe,CAAqC;IAC5D,kEAAkE;IAClE,OAAO,CAAC,UAAU,CAA4B;IAC9C,OAAO,CAAC,YAAY,CAAqC;gBAE7C,MAAM,EAAE,qBAAqB;IAYzC;;;;;;;;;;;;;;;;OAgBG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IActD;;;;;;;;;OASG;IACH,UAAU,IAAI,IAAI;YASJ,kBAAkB;IAYhC;;;;;;;OAOG;IACH,SAAS,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;IAItC,OAAO,CAAC,mBAAmB;CAyF5B"}

package/dist/tbv/core/clients/vault-provider/auth/tokenRegistry.d.ts

@@ -6,6 +6,8 @@ export interface VpTokenRegistryInput {
     peginTxid: string;
     authAnchorHex: string;
     pinnedServerPubkey: OnChainBtcPubkey;
+    /** Depositor x-only pubkey (32-byte hex), asserted against each token's CWT `aud`. */
+    expectedAudienceXOnlyPubkey: string;
     /**
      * Opt into gRPC-subject auth for {@link GRPC_AUTH_GATED_METHODS}
      * (currently the artifact stream). Defaults to `false`: those methods

package/dist/tbv/core/clients/vault-provider/auth/tokenRegistry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tokenRegistry.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/tokenRegistry.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGxD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,aAAa,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,gBAAgB,CAAC;IACrC;;;;;;;OAOG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAUD,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAoC;IAE5D;;;;;;;OAOG;IACH,WAAW,CAAC,KAAK,EAAE,oBAAoB,GAAG,eAAe;IAwDzD,0DAA0D;IAC1D,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAIpD;;;;OAIG;IACH,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAIhC;;;;;OAKG;IACH,KAAK,IAAI,IAAI;IAIb,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,WAAW,CAAC,KAAK,EAAE,oBAAoB,GAAG,eAAe,CAAC;IAC1D,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAAC;IACrD,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,eAAO,MAAM,eAAe,EAAE,qBAA6C,CAAC"}
+{"version":3,"file":"tokenRegistry.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/tokenRegistry.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGxD,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,aAAa,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,gBAAgB,CAAC;IACrC,sFAAsF;IACtF,2BAA2B,EAAE,MAAM,CAAC;IACpC;;;;;;;OAOG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAWD,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAoC;IAE5D;;;;;;;OAOG;IACH,WAAW,CAAC,KAAK,EAAE,oBAAoB,GAAG,eAAe;IAkEzD,0DAA0D;IAC1D,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS;IAIpD;;;;OAIG;IACH,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAIhC;;;;;OAKG;IACH,KAAK,IAAI,IAAI;IAIb,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,qBAAqB;IACpC,WAAW,CAAC,KAAK,EAAE,oBAAoB,GAAG,eAAe,CAAC;IAC1D,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,SAAS,CAAC;IACrD,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,eAAO,MAAM,eAAe,EAAE,qBAA6C,CAAC"}

package/dist/tbv/core/clients/vault-provider/auth/verifyDepositorCwt.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Verify a vault-provider CWT bearer token (RFC 8392) wrapped in a
+ * COSE Sign1 envelope (RFC 8152), signed with ES256K by the VP's
+ * ephemeral token-signing key.
+ *
+ * This is the TypeScript port of the btc-vault Rust client verifier
+ * (`crates/btc-auth/src/client.rs::validate_token_with_public_key_at_time`
+ * plus the response cross-checks from `verify_token_response_at_time`).
+ * The FE previously verified only the server-identity proof
+ * ({@link ./serverIdentity}) and treated the token itself as an opaque
+ * blob; this closes that gap by cryptographically verifying the token
+ * and binding its claims to the expected issuer, subject, and depositor.
+ *
+ * Trust chain: {@link ./serverIdentity} first proves the
+ * `ephemeral_pubkey` is attested by the on-chain-pinned server key.
+ * This function then verifies the token's COSE signature against that
+ * same ephemeral key, so a token that decodes and verifies here is one
+ * the pinned VP actually issued.
+ *
+ * The byte-level expectations (COSE tag, ES256K alg id, Sig_structure
+ * layout, CWT registered-claim keys) mirror the issuer's `coset` stack
+ * and are pinned by the golden-vector test against a real Rust-issued
+ * token.
+ *
+ * @module tbv/core/clients/vault-provider/auth/verifyDepositorCwt
+ */
+/** CWT `sub` value for JSON-RPC-subject tokens (`auth_createDepositorToken`). */
+export declare const CWT_SUBJECT_JSONRPC = "vaultd-jsonrpc";
+/** CWT `sub` value for gRPC-subject tokens (`auth_createDepositorTokenGrpc`). */
+export declare const CWT_SUBJECT_GRPC = "vaultd-grpc";
+export type CwtVerificationReason = "invalid_input" | "invalid_token_structure" | "unexpected_algorithm" | "signature_verification_failed" | "invalid_claims" | "issuer_mismatch" | "subject_mismatch" | "audience_mismatch" | "token_not_yet_valid" | "token_expired" | "expiry_mismatch" | "server_identity_expires_before_token";
+export declare class CwtVerificationError extends Error {
+    readonly reason: CwtVerificationReason;
+    constructor(message: string, reason: CwtVerificationReason);
+}
+export interface VerifyDepositorCwtInput {
+    /** Base64url (no padding) COSE Sign1 token from `auth_createDepositorToken`. */
+    token: string;
+    /**
+     * VP ephemeral token-signing pubkey (33-byte compressed hex) from the
+     * bundled `server_identity` proof — MUST already be verified by
+     * {@link verifyServerIdentity} before being passed here.
+     */
+    ephemeralPubkeyHex: string;
+    /** Pinned VP persistent x-only pubkey (on-chain). Asserted against the token `iss`. */
+    expectedIssuerXOnlyPubkey: string;
+    /** Expected `sub` — {@link CWT_SUBJECT_JSONRPC} or {@link CWT_SUBJECT_GRPC}. */
+    expectedSubject: string;
+    /** Depositor x-only pubkey. Asserted against the token `aud`. */
+    expectedAudienceXOnlyPubkey: string;
+    /** Outer wire `expires_at`. Must equal the token's `exp` exactly. */
+    responseExpiresAt: number;
+    /** `server_identity.expires_at`. Must be ≥ the token's `exp`. */
+    serverIdentityExpiresAt: number;
+    /** Current Unix time (seconds). Injected for testability. */
+    now: number;
+}
+export interface VerifiedCwtClaims {
+    issuer: string;
+    subject: string;
+    audience: string;
+    expiresAt: number;
+    notBefore: number;
+    issuedAt: number;
+}
+/**
+ * Verify a depositor CWT and return its claims, or throw
+ * {@link CwtVerificationError}.
+ *
+ * Steps (matching the Rust reference):
+ *   1. Decode the COSE Sign1 envelope and assert the protected header
+ *      pins ES256K.
+ *   2. Verify the ECDSA signature over the reconstructed Sig_structure
+ *      against the (already server-identity-verified) ephemeral key.
+ *   3. Decode the CWT claims and assert `iss`/`sub`/`aud` bindings,
+ *      `nbf`/`exp` validity, `cti` presence, and the outer-vs-inner
+ *      expiry cross-checks.
+ */
+export declare function verifyDepositorCwt(input: VerifyDepositorCwtInput): VerifiedCwtClaims;
+//# sourceMappingURL=verifyDepositorCwt.d.ts.map

package/dist/tbv/core/clients/vault-provider/auth/verifyDepositorCwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyDepositorCwt.d.ts","sourceRoot":"","sources":["../../../../../../src/tbv/core/clients/vault-provider/auth/verifyDepositorCwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAeH,iFAAiF;AACjF,eAAO,MAAM,mBAAmB,mBAAmB,CAAC;AACpD,iFAAiF;AACjF,eAAO,MAAM,gBAAgB,gBAAgB,CAAC;AAmC9C,MAAM,MAAM,qBAAqB,GAC7B,eAAe,GACf,yBAAyB,GACzB,sBAAsB,GACtB,+BAA+B,GAC/B,gBAAgB,GAChB,iBAAiB,GACjB,kBAAkB,GAClB,mBAAmB,GACnB,qBAAqB,GACrB,eAAe,GACf,iBAAiB,GACjB,sCAAsC,CAAC;AAE3C,qBAAa,oBAAqB,SAAQ,KAAK;aAG3B,MAAM,EAAE,qBAAqB;gBAD7C,OAAO,EAAE,MAAM,EACC,MAAM,EAAE,qBAAqB;CAKhD;AAED,MAAM,WAAW,uBAAuB;IACtC,gFAAgF;IAChF,KAAK,EAAE,MAAM,CAAC;IACd;;;;OAIG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAC3B,uFAAuF;IACvF,yBAAyB,EAAE,MAAM,CAAC;IAClC,gFAAgF;IAChF,eAAe,EAAE,MAAM,CAAC;IACxB,iEAAiE;IACjE,2BAA2B,EAAE,MAAM,CAAC;IACpC,qEAAqE;IACrE,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iEAAiE;IACjE,uBAAuB,EAAE,MAAM,CAAC;IAChC,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,uBAAuB,GAC7B,iBAAiB,CAgKnB"}

package/dist/tbv/core/index.cjs

@@ -1,2 +1,2 @@
-"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const E=require("../../challengeAssert-HNbugpqL.cjs"),l=require("@babylonlabs-io/babylon-tbv-rust-wasm"),n=require("../../verifyScriptPathSchnorrSignature-Cl7tu77P.cjs"),S=require("../../peginInput-DH6X4ITS.cjs"),A=require("../../noPayout-lyIRiUyG.cjs"),r=require("../../bitcoin-CHfKAhcI.cjs"),R=require("../../signing-Bnsro0hE.cjs"),c=require("../../validation-u8W7Lp2x.cjs"),u=require("../../PeginManager-NfDjKQGV.cjs"),p=require("../../PayoutManager-BZVEyi10.cjs"),_=require("../../ApplicationRegistry.abi-BAPhJch3.cjs"),m=require("../../BTCVaultRegistry.abi-JdeqLz4x.cjs"),P=require("../../errors-CGcNP0rV.cjs"),o=require("../../waitForTransactionReceiptSmartAware-U706oKTc.cjs"),t=require("../../fundPeginTransaction-DuMwnytD.cjs"),d=require("../../reservation-xTL2a9Q-.cjs"),a=require("../../mempoolApi-C_9JhjCI.cjs"),i=require("../../primeVpAuth-wKbRw0m4.cjs"),s=require("../../types-WA0LrDk1.cjs"),g=require("../../errors-Bu0H-dZD.cjs"),e=require("../../buildAndBroadcastRefund-BOtxUi05.cjs"),T=require("../../peginState-BijNNT15.cjs");exports.buildChallengeAssertPsbt=E.buildChallengeAssertPsbt;exports.buildDepositorPayoutPsbt=E.buildDepositorPayoutPsbt;exports.computeNumLocalChallengers=E.computeNumLocalChallengers;Object.defineProperty(exports,"computeMinClaimValue",{enumerable:!0,get:()=>l.computeMinClaimValue});Object.defineProperty(exports,"computeMinPeginFee",{enumerable:!0,get:()=>l.computeMinPeginFee});Object.defineProperty(exports,"deriveVaultId",{enumerable:!0,get:()=>l.deriveVaultId});Object.defineProperty(exports,"expandAuthAnchor",{enumerable:!0,get:()=>l.expandAuthAnchor});Object.defineProperty(exports,"expandHashlockSecret",{enumerable:!0,get:()=>l.expandHashlockSecret});Object.defineProperty(exports,"expandWotsSeed",{enumerable:!0,get:()=>l.expandWotsSeed});exports.PsbtSubstitutionError=n.PsbtSubstitutionError;exports.assertPsbtUnsignedTxMatches=n.assertPsbtUnsignedTxMatches;exports.assertScriptPathSchnorrSignature=n.assertScriptPathSchnorrSignature;exports.buildPayoutPsbt=n.buildPayoutPsbt;exports.buildPeginTxFromFundedPrePegin=n.buildPeginTxFromFundedPrePegin;exports.buildPrePeginPsbt=n.buildPrePeginPsbt;exports.createPayoutScript=n.createPayoutScript;exports.extractPayoutSignature=n.extractPayoutSignature;exports.buildPeginInputPsbt=S.buildPeginInputPsbt;exports.extractPeginInputSignature=S.extractPeginInputSignature;exports.finalizePeginInputPsbt=S.finalizePeginInputPsbt;exports.buildNoPayoutPsbt=A.buildNoPayoutPsbt;exports.buildRefundPsbt=A.buildRefundPsbt;exports.deriveBip86ScriptPubKeyHex=r.deriveBip86ScriptPubKeyHex;exports.deriveNativeSegwitAddress=r.deriveNativeSegwitAddress;exports.deriveTaprootAddress=r.deriveTaprootAddress;exports.ensureHexPrefix=r.ensureHexPrefix;exports.formatSatoshisToBtc=r.formatSatoshisToBtc;exports.getNetwork=r.getNetwork;exports.getSortedXOnlyPubkeys=r.getSortedXOnlyPubkeys;exports.hexToUint8Array=r.hexToUint8Array;exports.isAddressFromPublicKey=r.isAddressFromPublicKey;exports.isValidHex=r.isValidHex;exports.processPublicKeyToXOnly=r.processPublicKeyToXOnly;exports.stripHexPrefix=r.stripHexPrefix;exports.toXOnly=r.toXOnly;exports.uint8ArrayToHex=r.uint8ArrayToHex;exports.validateWalletPubkey=r.validateWalletPubkey;exports.createTaprootScriptPathSignOptions=R.createTaprootScriptPathSignOptions;exports.BITCOIN_ADDRESS_RE=c.BITCOIN_ADDRESS_RE;exports.HEX_RE=c.HEX_RE;exports.KNOWN_SCRIPT_PREFIXES=c.KNOWN_SCRIPT_PREFIXES;exports.MAX_REASONABLE_FEE_SATS=c.MAX_REASONABLE_FEE_SATS;exports.TXID_RE=c.TXID_RE;exports.PeginManager=u.PeginManager;exports.VAULT_APP_NAME=u.VAULT_APP_NAME;exports.buildFundingOutpointsCommitment=u.buildFundingOutpointsCommitment;exports.buildVaultContext=u.buildVaultContext;exports.computeWotsBlockPublicKeysHash=u.computeWotsBlockPublicKeysHash;exports.deriveVaultRoot=u.deriveVaultRoot;exports.deriveWotsBlocksFromSeed=u.deriveWotsBlocksFromSeed;exports.estimateSubmitPeginRequestBatchGas=u.estimateSubmitPeginRequestBatchGas;exports.PayoutManager=p.PayoutManager;exports.computeHashlock=p.computeHashlock;exports.validateSecretAgainstHashlock=p.validateSecretAgainstHashlock;exports.ApplicationRegistryABI=_.ApplicationRegistryABI;exports.ProtocolParamsABI=_.ProtocolParamsABI;exports.BTCVaultRegistryABI=m.BTCVaultRegistryABI;exports.CONTRACT_ERRORS=P.CONTRACT_ERRORS;exports.extractErrorData=P.extractErrorData;exports.getContractErrorMessage=P.getContractErrorMessage;exports.handleContractError=P.handleContractError;exports.isKnownContractError=P.isKnownContractError;exports.BitcoinScriptType=o.BitcoinScriptType;exports.applyChangeOutputPolicy=o.applyChangeOutputPolicy;exports.calculateBtcTxHash=o.calculateBtcTxHash;exports.computeChangeOutputFeeSats=o.computeChangeOutputFeeSats;exports.computeMaxDeposit=o.computeMaxDeposit;exports.computePeginBaseFeeSats=o.computePeginBaseFeeSats;exports.getDustThreshold=o.getDustThreshold;exports.getPsbtInputFields=o.getPsbtInputFields;exports.getScriptType=o.getScriptType;exports.selectUtxosForPegin=o.selectUtxosForPegin;exports.shouldAddChangeOutput=o.shouldAddChangeOutput;exports.waitForTransactionReceiptSmartAware=o.waitForTransactionReceiptSmartAware;exports.BTC_DUST_SAT=t.BTC_DUST_SAT;exports.DUST_THRESHOLD=t.DUST_THRESHOLD;exports.FEE_SAFETY_MARGIN=t.FEE_SAFETY_MARGIN;exports.LOW_RATE_ESTIMATION_ACCURACY_BUFFER=t.LOW_RATE_ESTIMATION_ACCURACY_BUFFER;exports.MAX_NON_LEGACY_OUTPUT_SIZE=t.MAX_NON_LEGACY_OUTPUT_SIZE;exports.MAX_REASONABLE_PEGIN_VBYTES=t.MAX_REASONABLE_PEGIN_VBYTES;exports.P2TR_INPUT_SIZE=t.P2TR_INPUT_SIZE;exports.PEGIN_AUTH_ANCHOR_OUTPUTS=t.PEGIN_AUTH_ANCHOR_OUTPUTS;exports.PEGIN_FIXED_OUTPUTS=t.PEGIN_FIXED_OUTPUTS;exports.SPLIT_TX_FEE_SAFETY_MULTIPLIER=t.SPLIT_TX_FEE_SAFETY_MULTIPLIER;exports.TX_BUFFER_SIZE_OVERHEAD=t.TX_BUFFER_SIZE_OVERHEAD;exports.WALLET_RELAY_FEE_RATE_THRESHOLD=t.WALLET_RELAY_FEE_RATE_THRESHOLD;exports.fundPeginTransaction=t.fundPeginTransaction;exports.parseUnfundedWasmTransaction=t.parseUnfundedWasmTransaction;exports.peginOutputCount=t.peginOutputCount;exports.rateBasedTxBufferFee=t.rateBasedTxBufferFee;exports.UtxoNotAvailableError=d.UtxoNotAvailableError;exports.assertUtxosAvailable=d.assertUtxosAvailable;exports.extractInputsFromTransaction=d.extractInputsFromTransaction;exports.findOverlappingPendingVaults=d.findOverlappingPendingVaults;exports.validateUtxosAvailable=d.validateUtxosAvailable;exports.MEMPOOL_API_URLS=a.MEMPOOL_API_URLS;exports.ViemVaultRegistryReader=a.ViemVaultRegistryReader;exports.getAddressTxs=a.getAddressTxs;exports.getAddressUtxos=a.getAddressUtxos;exports.getMempoolApiUrl=a.getMempoolApiUrl;exports.getNetworkFees=a.getNetworkFees;exports.getTipHeight=a.getTipHeight;exports.getTxHex=a.getTxHex;exports.getTxInfo=a.getTxInfo;exports.getUtxoInfo=a.getUtxoInfo;exports.pushTx=a.pushTx;exports.validateOffchainParams=a.validateOffchainParams;exports.validatePegInConfiguration=a.validatePegInConfiguration;exports.validateTBVProtocolParams=a.validateTBVProtocolParams;exports.OnChainBtcVaultStatus=i.OnChainBtcVaultStatus;exports.ServerIdentityError=i.ServerIdentityError;exports.VaultProviderRpcClient=i.VaultProviderRpcClient;exports.ViemProtocolParamsReader=i.ViemProtocolParamsReader;exports.ViemUniversalChallengerReader=i.ViemUniversalChallengerReader;exports.ViemVaultKeeperReader=i.ViemVaultKeeperReader;exports.VpResponseValidationError=i.VpResponseValidationError;exports.VpTokenRegistry=i.VpTokenRegistry;exports.batchPollByProvider=i.batchPollByProvider;exports.createAuthenticatedVpClient=i.createAuthenticatedVpClient;exports.primeVpTokenRegistry=i.primeVpTokenRegistry;exports.resolveProtocolAddresses=i.resolveProtocolAddresses;exports.validateRequestDepositorClaimerArtifactsResponse=i.validateRequestDepositorClaimerArtifactsResponse;exports.verifyServerIdentity=i.verifyServerIdentity;exports.vpTokenRegistry=i.vpTokenRegistry;exports.AUTH_EXPIRED_DATA_KIND=s.AUTH_EXPIRED_DATA_KIND;exports.DaemonStatus=s.DaemonStatus;exports.JSON_RPC_ERROR_CODES=s.JSON_RPC_ERROR_CODES;exports.JsonRpcClient=s.JsonRpcClient;exports.JsonRpcError=s.JsonRpcError;exports.POST_WOTS_STATUSES=s.POST_WOTS_STATUSES;exports.PRE_DEPOSITOR_SIGNATURES_STATES=s.PRE_DEPOSITOR_SIGNATURES_STATES;exports.RpcErrorCode=s.RpcErrorCode;exports.VP_BATCH_MAX_SIZE=s.VP_BATCH_MAX_SIZE;exports.VP_TERMINAL_FAILURE_STATUSES=s.VP_TERMINAL_FAILURE_STATUSES;exports.VP_TRANSIENT_STATUSES=s.VP_TRANSIENT_STATUSES;exports.isWotsMismatchError=g.isWotsMismatchError;exports.parseFundingOutpointsFromTx=g.parseFundingOutpointsFromTx;exports.BIP68NotMatureError=e.BIP68NotMatureError;exports.ClaimerPegoutStatusValue=e.ClaimerPegoutStatusValue;exports.REFUND_MAX_FEE_FRACTION_DENOMINATOR=e.REFUND_MAX_FEE_FRACTION_DENOMINATOR;exports.REFUND_MAX_FEE_FRACTION_NUMERATOR=e.REFUND_MAX_FEE_FRACTION_NUMERATOR;exports.REFUND_MAX_FEE_RATE_SATS_VB=e.REFUND_MAX_FEE_RATE_SATS_VB;exports.REFUND_VSIZE=e.REFUND_VSIZE;exports.RegisteredVaultVersionMismatchError=e.RegisteredVaultVersionMismatchError;exports.activateVault=e.activateVault;exports.buildAndBroadcastRefund=e.buildAndBroadcastRefund;exports.estimateRefundFeeSats=e.estimateRefundFeeSats;exports.isDepositAmountValid=e.isDepositAmountValid;exports.isPegoutTerminalStatus=e.isPegoutTerminalStatus;exports.isRecognizedPegoutStatus=e.isRecognizedPegoutStatus;exports.isRegisteredVaultVersionMismatchError=e.isRegisteredVaultVersionMismatchError;exports.runDepositorPresignFlow=e.runDepositorPresignFlow;exports.signDepositorGraph=e.signDepositorGraph;exports.submitWotsPublicKey=e.submitWotsPublicKey;exports.validateDepositAmount=e.validateDepositAmount;exports.validateMultiVaultDepositInputs=e.validateMultiVaultDepositInputs;exports.validateOnChainParticipantKeys=e.validateOnChainParticipantKeys;exports.validateProviderSelection=e.validateProviderSelection;exports.validateRemainingCapacity=e.validateRemainingCapacity;exports.validateVaultAmounts=e.validateVaultAmounts;exports.validateVaultProviderPubkey=e.validateVaultProviderPubkey;exports.verifyRegisteredVaultVersions=e.verifyRegisteredVaultVersions;exports.waitForPeginStatus=e.waitForPeginStatus;exports.ContractStatus=T.ContractStatus;exports.PeginAction=T.PeginAction;exports.canPerformAction=T.canPerformAction;exports.getPeginProtocolState=T.getPeginProtocolState;
+"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const E=require("../../challengeAssert-HNbugpqL.cjs"),l=require("@babylonlabs-io/babylon-tbv-rust-wasm"),n=require("../../verifyScriptPathSchnorrSignature-Cl7tu77P.cjs"),S=require("../../peginInput-DH6X4ITS.cjs"),A=require("../../noPayout-lyIRiUyG.cjs"),r=require("../../bitcoin-CHfKAhcI.cjs"),R=require("../../signing-Bnsro0hE.cjs"),c=require("../../validation-u8W7Lp2x.cjs"),u=require("../../PeginManager-BvxfSwsr.cjs"),p=require("../../PayoutManager-BZVEyi10.cjs"),_=require("../../ApplicationRegistry.abi-BAPhJch3.cjs"),m=require("../../BTCVaultRegistry.abi-JdeqLz4x.cjs"),P=require("../../errors-CGcNP0rV.cjs"),o=require("../../waitForTransactionReceiptSmartAware-U706oKTc.cjs"),t=require("../../fundPeginTransaction-DuMwnytD.cjs"),d=require("../../reservation-xTL2a9Q-.cjs"),i=require("../../mempoolApi-NMiYQAXI.cjs"),a=require("../../primeVpAuth-Brl_bnBH.cjs"),s=require("../../types-WA0LrDk1.cjs"),g=require("../../errors-Bu0H-dZD.cjs"),e=require("../../buildAndBroadcastRefund-BOtxUi05.cjs"),T=require("../../peginState-BijNNT15.cjs");exports.buildChallengeAssertPsbt=E.buildChallengeAssertPsbt;exports.buildDepositorPayoutPsbt=E.buildDepositorPayoutPsbt;exports.computeNumLocalChallengers=E.computeNumLocalChallengers;Object.defineProperty(exports,"computeMinClaimValue",{enumerable:!0,get:()=>l.computeMinClaimValue});Object.defineProperty(exports,"computeMinPeginFee",{enumerable:!0,get:()=>l.computeMinPeginFee});Object.defineProperty(exports,"deriveVaultId",{enumerable:!0,get:()=>l.deriveVaultId});Object.defineProperty(exports,"expandAuthAnchor",{enumerable:!0,get:()=>l.expandAuthAnchor});Object.defineProperty(exports,"expandHashlockSecret",{enumerable:!0,get:()=>l.expandHashlockSecret});Object.defineProperty(exports,"expandWotsSeed",{enumerable:!0,get:()=>l.expandWotsSeed});exports.PsbtSubstitutionError=n.PsbtSubstitutionError;exports.assertPsbtUnsignedTxMatches=n.assertPsbtUnsignedTxMatches;exports.assertScriptPathSchnorrSignature=n.assertScriptPathSchnorrSignature;exports.buildPayoutPsbt=n.buildPayoutPsbt;exports.buildPeginTxFromFundedPrePegin=n.buildPeginTxFromFundedPrePegin;exports.buildPrePeginPsbt=n.buildPrePeginPsbt;exports.createPayoutScript=n.createPayoutScript;exports.extractPayoutSignature=n.extractPayoutSignature;exports.buildPeginInputPsbt=S.buildPeginInputPsbt;exports.extractPeginInputSignature=S.extractPeginInputSignature;exports.finalizePeginInputPsbt=S.finalizePeginInputPsbt;exports.buildNoPayoutPsbt=A.buildNoPayoutPsbt;exports.buildRefundPsbt=A.buildRefundPsbt;exports.deriveBip86ScriptPubKeyHex=r.deriveBip86ScriptPubKeyHex;exports.deriveNativeSegwitAddress=r.deriveNativeSegwitAddress;exports.deriveTaprootAddress=r.deriveTaprootAddress;exports.ensureHexPrefix=r.ensureHexPrefix;exports.formatSatoshisToBtc=r.formatSatoshisToBtc;exports.getNetwork=r.getNetwork;exports.getSortedXOnlyPubkeys=r.getSortedXOnlyPubkeys;exports.hexToUint8Array=r.hexToUint8Array;exports.isAddressFromPublicKey=r.isAddressFromPublicKey;exports.isValidHex=r.isValidHex;exports.processPublicKeyToXOnly=r.processPublicKeyToXOnly;exports.stripHexPrefix=r.stripHexPrefix;exports.toXOnly=r.toXOnly;exports.uint8ArrayToHex=r.uint8ArrayToHex;exports.validateWalletPubkey=r.validateWalletPubkey;exports.createTaprootScriptPathSignOptions=R.createTaprootScriptPathSignOptions;exports.BITCOIN_ADDRESS_RE=c.BITCOIN_ADDRESS_RE;exports.HEX_RE=c.HEX_RE;exports.KNOWN_SCRIPT_PREFIXES=c.KNOWN_SCRIPT_PREFIXES;exports.MAX_REASONABLE_FEE_SATS=c.MAX_REASONABLE_FEE_SATS;exports.TXID_RE=c.TXID_RE;exports.PeginManager=u.PeginManager;exports.VAULT_APP_NAME=u.VAULT_APP_NAME;exports.buildFundingOutpointsCommitment=u.buildFundingOutpointsCommitment;exports.buildVaultContext=u.buildVaultContext;exports.computeWotsBlockPublicKeysHash=u.computeWotsBlockPublicKeysHash;exports.deriveVaultRoot=u.deriveVaultRoot;exports.deriveWotsBlocksFromSeed=u.deriveWotsBlocksFromSeed;exports.estimateSubmitPeginRequestBatchGas=u.estimateSubmitPeginRequestBatchGas;exports.PayoutManager=p.PayoutManager;exports.computeHashlock=p.computeHashlock;exports.validateSecretAgainstHashlock=p.validateSecretAgainstHashlock;exports.ApplicationRegistryABI=_.ApplicationRegistryABI;exports.ProtocolParamsABI=_.ProtocolParamsABI;exports.BTCVaultRegistryABI=m.BTCVaultRegistryABI;exports.CONTRACT_ERRORS=P.CONTRACT_ERRORS;exports.extractErrorData=P.extractErrorData;exports.getContractErrorMessage=P.getContractErrorMessage;exports.handleContractError=P.handleContractError;exports.isKnownContractError=P.isKnownContractError;exports.BitcoinScriptType=o.BitcoinScriptType;exports.applyChangeOutputPolicy=o.applyChangeOutputPolicy;exports.calculateBtcTxHash=o.calculateBtcTxHash;exports.computeChangeOutputFeeSats=o.computeChangeOutputFeeSats;exports.computeMaxDeposit=o.computeMaxDeposit;exports.computePeginBaseFeeSats=o.computePeginBaseFeeSats;exports.getDustThreshold=o.getDustThreshold;exports.getPsbtInputFields=o.getPsbtInputFields;exports.getScriptType=o.getScriptType;exports.selectUtxosForPegin=o.selectUtxosForPegin;exports.shouldAddChangeOutput=o.shouldAddChangeOutput;exports.waitForTransactionReceiptSmartAware=o.waitForTransactionReceiptSmartAware;exports.BTC_DUST_SAT=t.BTC_DUST_SAT;exports.DUST_THRESHOLD=t.DUST_THRESHOLD;exports.FEE_SAFETY_MARGIN=t.FEE_SAFETY_MARGIN;exports.LOW_RATE_ESTIMATION_ACCURACY_BUFFER=t.LOW_RATE_ESTIMATION_ACCURACY_BUFFER;exports.MAX_NON_LEGACY_OUTPUT_SIZE=t.MAX_NON_LEGACY_OUTPUT_SIZE;exports.MAX_REASONABLE_PEGIN_VBYTES=t.MAX_REASONABLE_PEGIN_VBYTES;exports.P2TR_INPUT_SIZE=t.P2TR_INPUT_SIZE;exports.PEGIN_AUTH_ANCHOR_OUTPUTS=t.PEGIN_AUTH_ANCHOR_OUTPUTS;exports.PEGIN_FIXED_OUTPUTS=t.PEGIN_FIXED_OUTPUTS;exports.SPLIT_TX_FEE_SAFETY_MULTIPLIER=t.SPLIT_TX_FEE_SAFETY_MULTIPLIER;exports.TX_BUFFER_SIZE_OVERHEAD=t.TX_BUFFER_SIZE_OVERHEAD;exports.WALLET_RELAY_FEE_RATE_THRESHOLD=t.WALLET_RELAY_FEE_RATE_THRESHOLD;exports.fundPeginTransaction=t.fundPeginTransaction;exports.parseUnfundedWasmTransaction=t.parseUnfundedWasmTransaction;exports.peginOutputCount=t.peginOutputCount;exports.rateBasedTxBufferFee=t.rateBasedTxBufferFee;exports.UtxoNotAvailableError=d.UtxoNotAvailableError;exports.assertUtxosAvailable=d.assertUtxosAvailable;exports.extractInputsFromTransaction=d.extractInputsFromTransaction;exports.findOverlappingPendingVaults=d.findOverlappingPendingVaults;exports.validateUtxosAvailable=d.validateUtxosAvailable;exports.MEMPOOL_API_URLS=i.MEMPOOL_API_URLS;exports.ViemVaultRegistryReader=i.ViemVaultRegistryReader;exports.getAddressTxs=i.getAddressTxs;exports.getAddressUtxos=i.getAddressUtxos;exports.getMempoolApiUrl=i.getMempoolApiUrl;exports.getNetworkFees=i.getNetworkFees;exports.getOutspend=i.getOutspend;exports.getTipHeight=i.getTipHeight;exports.getTxHex=i.getTxHex;exports.getTxInfo=i.getTxInfo;exports.getUtxoInfo=i.getUtxoInfo;exports.pushTx=i.pushTx;exports.validateOffchainParams=i.validateOffchainParams;exports.validatePegInConfiguration=i.validatePegInConfiguration;exports.validateTBVProtocolParams=i.validateTBVProtocolParams;exports.OnChainBtcVaultStatus=a.OnChainBtcVaultStatus;exports.ServerIdentityError=a.ServerIdentityError;exports.VaultProviderRpcClient=a.VaultProviderRpcClient;exports.ViemProtocolParamsReader=a.ViemProtocolParamsReader;exports.ViemUniversalChallengerReader=a.ViemUniversalChallengerReader;exports.ViemVaultKeeperReader=a.ViemVaultKeeperReader;exports.VpResponseValidationError=a.VpResponseValidationError;exports.VpTokenRegistry=a.VpTokenRegistry;exports.batchPollByProvider=a.batchPollByProvider;exports.createAuthenticatedVpClient=a.createAuthenticatedVpClient;exports.primeVpTokenRegistry=a.primeVpTokenRegistry;exports.resolveProtocolAddresses=a.resolveProtocolAddresses;exports.validateRequestDepositorClaimerArtifactsResponse=a.validateRequestDepositorClaimerArtifactsResponse;exports.verifyServerIdentity=a.verifyServerIdentity;exports.vpTokenRegistry=a.vpTokenRegistry;exports.AUTH_EXPIRED_DATA_KIND=s.AUTH_EXPIRED_DATA_KIND;exports.DaemonStatus=s.DaemonStatus;exports.JSON_RPC_ERROR_CODES=s.JSON_RPC_ERROR_CODES;exports.JsonRpcClient=s.JsonRpcClient;exports.JsonRpcError=s.JsonRpcError;exports.POST_WOTS_STATUSES=s.POST_WOTS_STATUSES;exports.PRE_DEPOSITOR_SIGNATURES_STATES=s.PRE_DEPOSITOR_SIGNATURES_STATES;exports.RpcErrorCode=s.RpcErrorCode;exports.VP_BATCH_MAX_SIZE=s.VP_BATCH_MAX_SIZE;exports.VP_TERMINAL_FAILURE_STATUSES=s.VP_TERMINAL_FAILURE_STATUSES;exports.VP_TRANSIENT_STATUSES=s.VP_TRANSIENT_STATUSES;exports.isWotsMismatchError=g.isWotsMismatchError;exports.parseFundingOutpointsFromTx=g.parseFundingOutpointsFromTx;exports.BIP68NotMatureError=e.BIP68NotMatureError;exports.ClaimerPegoutStatusValue=e.ClaimerPegoutStatusValue;exports.REFUND_MAX_FEE_FRACTION_DENOMINATOR=e.REFUND_MAX_FEE_FRACTION_DENOMINATOR;exports.REFUND_MAX_FEE_FRACTION_NUMERATOR=e.REFUND_MAX_FEE_FRACTION_NUMERATOR;exports.REFUND_MAX_FEE_RATE_SATS_VB=e.REFUND_MAX_FEE_RATE_SATS_VB;exports.REFUND_VSIZE=e.REFUND_VSIZE;exports.RegisteredVaultVersionMismatchError=e.RegisteredVaultVersionMismatchError;exports.activateVault=e.activateVault;exports.buildAndBroadcastRefund=e.buildAndBroadcastRefund;exports.estimateRefundFeeSats=e.estimateRefundFeeSats;exports.isDepositAmountValid=e.isDepositAmountValid;exports.isPegoutTerminalStatus=e.isPegoutTerminalStatus;exports.isRecognizedPegoutStatus=e.isRecognizedPegoutStatus;exports.isRegisteredVaultVersionMismatchError=e.isRegisteredVaultVersionMismatchError;exports.runDepositorPresignFlow=e.runDepositorPresignFlow;exports.signDepositorGraph=e.signDepositorGraph;exports.submitWotsPublicKey=e.submitWotsPublicKey;exports.validateDepositAmount=e.validateDepositAmount;exports.validateMultiVaultDepositInputs=e.validateMultiVaultDepositInputs;exports.validateOnChainParticipantKeys=e.validateOnChainParticipantKeys;exports.validateProviderSelection=e.validateProviderSelection;exports.validateRemainingCapacity=e.validateRemainingCapacity;exports.validateVaultAmounts=e.validateVaultAmounts;exports.validateVaultProviderPubkey=e.validateVaultProviderPubkey;exports.verifyRegisteredVaultVersions=e.verifyRegisteredVaultVersions;exports.waitForPeginStatus=e.waitForPeginStatus;exports.ContractStatus=T.ContractStatus;exports.PeginAction=T.PeginAction;exports.canPerformAction=T.canPerformAction;exports.getPeginProtocolState=T.getPeginProtocolState;
 //# sourceMappingURL=index.cjs.map