@bolyra/sdk 0.2.0

package/README.md

@@ -0,0 +1,76 @@
+# @bolyra/sdk
+
+TypeScript SDK for **Bolyra (IdentityOS)** — mutual ZKP authentication for humans and AI agents.
+
+> **New here?** Start with the [5-minute Quickstart](./QUICKSTART.md) — from `npm install` to on-chain verification.
+
+## Install
+
+```bash
+npm install @bolyra/sdk
+```
+
+## Quick Start
+
+```typescript
+import {
+  createHumanIdentity,
+  createAgentCredential,
+  Permission,
+  proveHandshake,
+  verifyHandshake,
+} from '@bolyra/sdk';
+
+// 1. Create identities
+const human = await createHumanIdentity(123456789n);
+const agent = await createAgentCredential(
+  12345n,
+  operatorPrivateKey,
+  [Permission.READ_DATA, Permission.WRITE_DATA],
+  BigInt(Math.floor(Date.now() / 1000) + 86400),
+);
+
+// 2. Generate mutual handshake proofs (parallel, ~16s)
+const { humanProof, agentProof, nonce } = await proveHandshake(human, agent);
+
+// 3. Verify locally
+const result = await verifyHandshake(humanProof, agentProof, nonce);
+console.log('Verified:', result.verified); // true
+console.log('Human nullifier:', result.humanNullifier);
+console.log('Agent scope commitment:', result.scopeCommitment);
+
+// 4. Submit to chain (via ethers.js)
+// await registry.verifyHandshake(humanProof, agentProof, nonce);
+```
+
+## Permissions
+
+Permissions use cumulative bit encoding — higher tiers imply lower ones:
+
+| Bit | Permission          | Notes                    |
+|-----|---------------------|--------------------------|
+| 0   | `READ_DATA`         |                          |
+| 1   | `WRITE_DATA`        |                          |
+| 2   | `FINANCIAL_SMALL`   | < $100                   |
+| 3   | `FINANCIAL_MEDIUM`  | < $10,000 (implies bit 2)|
+| 4   | `FINANCIAL_UNLIMITED`| Unlimited (implies 2+3) |
+| 5   | `SIGN_ON_BEHALF`    |                          |
+| 6   | `SUB_DELEGATE`      |                          |
+| 7   | `ACCESS_PII`        |                          |
+
+## API Status
+
+| Function                      | Status |
+|-------------------------------|--------|
+| `createHumanIdentity()`       | v0.1   |
+| `createAgentCredential()`     | v0.1   |
+| `permissionsToBitmask()`      | v0.1   |
+| `validateCumulativeBitEncoding()` | v0.1 |
+| `proveHandshake()`            | v0.2   |
+| `verifyHandshake()`           | v0.2   |
+| `delegate()`                  | v0.3 (stub) |
+| `verifyDelegation()`          | v0.3 (stub) |
+
+## License
+
+MIT

package/dist/delegation.d.ts

@@ -0,0 +1,26 @@
+import { DelegationResult, Proof, BolyraConfig, AgentCredential } from './types';
+/**
+ * Delegate scoped permissions to another agent.
+ * Currently a stub -- full implementation requires the delegation circuit zkey.
+ *
+ * @param delegator - The delegating agent's credential
+ * @param delegatee - The receiving agent's credential
+ * @param parentScopeCommitment - Scope commitment from the parent handshake or delegation
+ * @param hopIndex - Current hop index in the delegation chain (0-indexed)
+ * @param config - SDK configuration
+ * @returns Delegation proof ready for on-chain verification
+ */
+export declare function delegate(_delegator: AgentCredential, _delegatee: AgentCredential, _parentScopeCommitment: bigint, _hopIndex: number, _config?: BolyraConfig): Promise<{
+    proof: Proof;
+    result: DelegationResult;
+}>;
+/**
+ * Verify a delegation proof on-chain.
+ *
+ * @param proof - The delegation ZK proof
+ * @param parentScopeCommitment - Expected parent scope commitment
+ * @param config - SDK configuration
+ * @returns DelegationResult with new scope commitment and hop index
+ */
+export declare function verifyDelegation(_proof: Proof, _parentScopeCommitment: bigint, _config?: BolyraConfig): Promise<DelegationResult>;
+//# sourceMappingURL=delegation.d.ts.map

package/dist/delegation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation.d.ts","sourceRoot":"","sources":["../src/delegation.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAEjF;;;;;;;;;;GAUG;AACH,wBAAsB,QAAQ,CAC5B,UAAU,EAAE,eAAe,EAC3B,UAAU,EAAE,eAAe,EAC3B,sBAAsB,EAAE,MAAM,EAC9B,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC;IAAE,KAAK,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,gBAAgB,CAAA;CAAE,CAAC,CAKrD;AAED;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,KAAK,EACb,sBAAsB,EAAE,MAAM,EAC9B,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC,gBAAgB,CAAC,CAK3B"}

package/dist/delegation.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.delegate = delegate;
+exports.verifyDelegation = verifyDelegation;
+const errors_1 = require("./errors");
+/**
+ * Delegate scoped permissions to another agent.
+ * Currently a stub -- full implementation requires the delegation circuit zkey.
+ *
+ * @param delegator - The delegating agent's credential
+ * @param delegatee - The receiving agent's credential
+ * @param parentScopeCommitment - Scope commitment from the parent handshake or delegation
+ * @param hopIndex - Current hop index in the delegation chain (0-indexed)
+ * @param config - SDK configuration
+ * @returns Delegation proof ready for on-chain verification
+ */
+async function delegate(_delegator, _delegatee, _parentScopeCommitment, _hopIndex, _config) {
+    throw new errors_1.BolyraError('delegate() coming in @bolyra/sdk v0.3 — delegation circuit integration.', 'NOT_IMPLEMENTED');
+}
+/**
+ * Verify a delegation proof on-chain.
+ *
+ * @param proof - The delegation ZK proof
+ * @param parentScopeCommitment - Expected parent scope commitment
+ * @param config - SDK configuration
+ * @returns DelegationResult with new scope commitment and hop index
+ */
+async function verifyDelegation(_proof, _parentScopeCommitment, _config) {
+    throw new errors_1.BolyraError('verifyDelegation() coming in @bolyra/sdk v0.3.', 'NOT_IMPLEMENTED');
+}
+//# sourceMappingURL=delegation.js.map

package/dist/delegation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegation.js","sourceRoot":"","sources":["../src/delegation.ts"],"names":[],"mappings":";;AAcA,4BAWC;AAUD,4CASC;AA5CD,qCAAuC;AAGvC;;;;;;;;;;GAUG;AACI,KAAK,UAAU,QAAQ,CAC5B,UAA2B,EAC3B,UAA2B,EAC3B,sBAA8B,EAC9B,SAAiB,EACjB,OAAsB;IAEtB,MAAM,IAAI,oBAAW,CACnB,yEAAyE,EACzE,iBAAiB,CAClB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,gBAAgB,CACpC,MAAa,EACb,sBAA8B,EAC9B,OAAsB;IAEtB,MAAM,IAAI,oBAAW,CACnB,gDAAgD,EAChD,iBAAiB,CAClB,CAAC;AACJ,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,24 @@
+export declare class BolyraError extends Error {
+    code: string;
+    details?: Record<string, unknown> | undefined;
+    constructor(message: string, code: string, details?: Record<string, unknown> | undefined);
+}
+export declare class ProofGenerationError extends BolyraError {
+    constructor(circuit: string, reason: string);
+}
+export declare class VerificationError extends BolyraError {
+    constructor(reason: string);
+}
+export declare class InvalidPermissionError extends BolyraError {
+    constructor(message: string);
+}
+export declare class ExpiredCredentialError extends BolyraError {
+    constructor(expiryTimestamp: bigint);
+}
+export declare class ScopeEscalationError extends BolyraError {
+    constructor(delegatorScope: bigint, requestedScope: bigint);
+}
+export declare class StaleProofError extends BolyraError {
+    constructor(rootType: 'human' | 'agent');
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,WAAY,SAAQ,KAAK;IAG3B,IAAI,EAAE,MAAM;IACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFxC,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAK3C;AAED,qBAAa,oBAAqB,SAAQ,WAAW;gBACvC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAO5C;AAED,qBAAa,iBAAkB,SAAQ,WAAW;gBACpC,MAAM,EAAE,MAAM;CAO3B;AAED,qBAAa,sBAAuB,SAAQ,WAAW;gBACzC,OAAO,EAAE,MAAM;CAG5B;AAED,qBAAa,sBAAuB,SAAQ,WAAW;gBACzC,eAAe,EAAE,MAAM;CAOpC;AAED,qBAAa,oBAAqB,SAAQ,WAAW;gBACvC,cAAc,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM;CAU3D;AAED,qBAAa,eAAgB,SAAQ,WAAW;gBAClC,QAAQ,EAAE,OAAO,GAAG,OAAO;CAOxC"}

package/dist/errors.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StaleProofError = exports.ScopeEscalationError = exports.ExpiredCredentialError = exports.InvalidPermissionError = exports.VerificationError = exports.ProofGenerationError = exports.BolyraError = void 0;
+class BolyraError extends Error {
+    code;
+    details;
+    constructor(message, code, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = 'BolyraError';
+    }
+}
+exports.BolyraError = BolyraError;
+class ProofGenerationError extends BolyraError {
+    constructor(circuit, reason) {
+        super(`Failed to generate ${circuit} proof: ${reason}`, 'PROOF_GENERATION_FAILED', { circuit, reason });
+    }
+}
+exports.ProofGenerationError = ProofGenerationError;
+class VerificationError extends BolyraError {
+    constructor(reason) {
+        super(`On-chain verification failed: ${reason}`, 'VERIFICATION_FAILED', { reason });
+    }
+}
+exports.VerificationError = VerificationError;
+class InvalidPermissionError extends BolyraError {
+    constructor(message) {
+        super(message, 'INVALID_PERMISSION');
+    }
+}
+exports.InvalidPermissionError = InvalidPermissionError;
+class ExpiredCredentialError extends BolyraError {
+    constructor(expiryTimestamp) {
+        super(`Agent credential expired at ${expiryTimestamp}`, 'CREDENTIAL_EXPIRED', { expiryTimestamp: expiryTimestamp.toString() });
+    }
+}
+exports.ExpiredCredentialError = ExpiredCredentialError;
+class ScopeEscalationError extends BolyraError {
+    constructor(delegatorScope, requestedScope) {
+        super(`Delegation scope escalation: delegatee scope (${requestedScope}) is not a subset of delegator scope (${delegatorScope})`, 'SCOPE_ESCALATION', {
+            delegatorScope: delegatorScope.toString(),
+            requestedScope: requestedScope.toString(),
+        });
+    }
+}
+exports.ScopeEscalationError = ScopeEscalationError;
+class StaleProofError extends BolyraError {
+    constructor(rootType) {
+        super(`${rootType} Merkle root is stale — the tree was updated after proof generation. Regenerate the proof.`, 'STALE_MERKLE_ROOT', { rootType });
+    }
+}
+exports.StaleProofError = StaleProofError;
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAAA,MAAa,WAAY,SAAQ,KAAK;IAG3B;IACA;IAHT,YACE,OAAe,EACR,IAAY,EACZ,OAAiC;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAQ;QACZ,YAAO,GAAP,OAAO,CAA0B;QAGxC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AATD,kCASC;AAED,MAAa,oBAAqB,SAAQ,WAAW;IACnD,YAAY,OAAe,EAAE,MAAc;QACzC,KAAK,CACH,sBAAsB,OAAO,WAAW,MAAM,EAAE,EAChD,yBAAyB,EACzB,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;IACJ,CAAC;CACF;AARD,oDAQC;AAED,MAAa,iBAAkB,SAAQ,WAAW;IAChD,YAAY,MAAc;QACxB,KAAK,CACH,iCAAiC,MAAM,EAAE,EACzC,qBAAqB,EACrB,EAAE,MAAM,EAAE,CACX,CAAC;IACJ,CAAC;CACF;AARD,8CAQC;AAED,MAAa,sBAAuB,SAAQ,WAAW;IACrD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAC;IACvC,CAAC;CACF;AAJD,wDAIC;AAED,MAAa,sBAAuB,SAAQ,WAAW;IACrD,YAAY,eAAuB;QACjC,KAAK,CACH,+BAA+B,eAAe,EAAE,EAChD,oBAAoB,EACpB,EAAE,eAAe,EAAE,eAAe,CAAC,QAAQ,EAAE,EAAE,CAChD,CAAC;IACJ,CAAC;CACF;AARD,wDAQC;AAED,MAAa,oBAAqB,SAAQ,WAAW;IACnD,YAAY,cAAsB,EAAE,cAAsB;QACxD,KAAK,CACH,iDAAiD,cAAc,yCAAyC,cAAc,GAAG,EACzH,kBAAkB,EAClB;YACE,cAAc,EAAE,cAAc,CAAC,QAAQ,EAAE;YACzC,cAAc,EAAE,cAAc,CAAC,QAAQ,EAAE;SAC1C,CACF,CAAC;IACJ,CAAC;CACF;AAXD,oDAWC;AAED,MAAa,eAAgB,SAAQ,WAAW;IAC9C,YAAY,QAA2B;QACrC,KAAK,CACH,GAAG,QAAQ,4FAA4F,EACvG,mBAAmB,EACnB,EAAE,QAAQ,EAAE,CACb,CAAC;IACJ,CAAC;CACF;AARD,0CAQC"}

package/dist/handshake.d.ts

@@ -0,0 +1,41 @@
+import { HumanIdentity, AgentCredential, HandshakeResult, Proof, BolyraConfig } from './types';
+/**
+ * Generate a mutual handshake proof (human + agent).
+ * Both proofs can be generated in parallel for wall-clock optimization.
+ *
+ * @param human - The human's identity (secret + publicKey + commitment)
+ * @param agent - The agent's credential (signed by operator)
+ * @param options - Optional scope, nonce override, and SDK config
+ * @returns Both proofs and the session nonce
+ *
+ * @example
+ * ```ts
+ * const { humanProof, agentProof, nonce } = await proveHandshake(
+ *   humanIdentity,
+ *   agentCredential,
+ *   { scope: 1n }
+ * );
+ * // Submit both proofs to IdentityRegistry.verifyHandshake()
+ * ```
+ */
+export declare function proveHandshake(human: HumanIdentity, agent: AgentCredential, options?: {
+    scope?: bigint;
+    nonce?: bigint;
+    config?: BolyraConfig;
+}): Promise<{
+    humanProof: Proof;
+    agentProof: Proof;
+    nonce: bigint;
+}>;
+/**
+ * Verify a handshake result (check proof validity without on-chain submission).
+ * For on-chain verification, submit proofs to IdentityRegistry.verifyHandshake().
+ *
+ * @param humanProof - The human's ZK proof
+ * @param agentProof - The agent's ZK proof
+ * @param nonce - The session nonce used during proof generation
+ * @param config - SDK configuration (circuitDir for vkey paths)
+ * @returns HandshakeResult with nullifiers and verification status
+ */
+export declare function verifyHandshake(humanProof: Proof, agentProof: Proof, nonce: bigint, config?: BolyraConfig): Promise<HandshakeResult>;
+//# sourceMappingURL=handshake.d.ts.map

package/dist/handshake.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../src/handshake.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,aAAa,EACb,eAAe,EACf,eAAe,EACf,KAAK,EACL,YAAY,EACb,MAAM,SAAS,CAAC;AAMjB;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,aAAa,EACpB,KAAK,EAAE,eAAe,EACtB,OAAO,CAAC,EAAE;IACR,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,YAAY,CAAC;CACvB,GACA,OAAO,CAAC;IAAE,UAAU,EAAE,KAAK,CAAC;IAAC,UAAU,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAYlE;AAyFD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,UAAU,EAAE,KAAK,EACjB,UAAU,EAAE,KAAK,EACjB,KAAK,EAAE,MAAM,EACb,MAAM,CAAC,EAAE,YAAY,GACpB,OAAO,CAAC,eAAe,CAAC,CA4B1B"}

package/dist/handshake.js

@@ -0,0 +1,152 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.proveHandshake = proveHandshake;
+exports.verifyHandshake = verifyHandshake;
+const snarkjs = __importStar(require("snarkjs"));
+const path = __importStar(require("path"));
+const errors_1 = require("./errors");
+// Default paths to circuit artifacts (relative to package root)
+const DEFAULT_CIRCUIT_DIR = path.join(__dirname, '../../circuits/build');
+/**
+ * Generate a mutual handshake proof (human + agent).
+ * Both proofs can be generated in parallel for wall-clock optimization.
+ *
+ * @param human - The human's identity (secret + publicKey + commitment)
+ * @param agent - The agent's credential (signed by operator)
+ * @param options - Optional scope, nonce override, and SDK config
+ * @returns Both proofs and the session nonce
+ *
+ * @example
+ * ```ts
+ * const { humanProof, agentProof, nonce } = await proveHandshake(
+ *   humanIdentity,
+ *   agentCredential,
+ *   { scope: 1n }
+ * );
+ * // Submit both proofs to IdentityRegistry.verifyHandshake()
+ * ```
+ */
+async function proveHandshake(human, agent, options) {
+    const scope = options?.scope ?? 1n;
+    const nonce = options?.nonce ?? BigInt(Date.now());
+    const circuitDir = options?.config?.circuitDir ?? DEFAULT_CIRCUIT_DIR;
+    // Generate both proofs in parallel
+    const [humanProof, agentProof] = await Promise.all([
+        generateHumanProof(human, scope, nonce, circuitDir),
+        generateAgentProof(agent, nonce, circuitDir),
+    ]);
+    return { humanProof, agentProof, nonce };
+}
+async function generateHumanProof(human, scope, nonce, circuitDir) {
+    const wasmPath = path.join(circuitDir, 'HumanUniqueness_js/HumanUniqueness.wasm');
+    const zkeyPath = path.join(circuitDir, 'HumanUniqueness_final.zkey');
+    // Build Merkle proof inputs (single leaf: depth 0, padded to 20)
+    const siblings = new Array(20).fill('0');
+    const input = {
+        secret: human.secret.toString(),
+        merkleProofLength: '0', // depth 0 for single-leaf tree
+        merkleProofIndex: '0',
+        merkleProofSiblings: siblings,
+        scope: scope.toString(),
+        sessionNonce: nonce.toString(),
+    };
+    try {
+        const { proof, publicSignals } = await snarkjs.groth16.fullProve(input, wasmPath, zkeyPath);
+        return { proof, publicSignals };
+    }
+    catch (err) {
+        throw new errors_1.ProofGenerationError('HumanUniqueness', err.message ?? String(err));
+    }
+}
+async function generateAgentProof(agent, nonce, circuitDir) {
+    const wasmPath = path.join(circuitDir, 'AgentPolicy_js/AgentPolicy.wasm');
+    const zkeyPath = path.join(circuitDir, 'AgentPolicy_plonk.zkey');
+    const currentTimestamp = BigInt(Math.floor(Date.now() / 1000));
+    const requiredScopeMask = 0n; // no required scope for basic handshake
+    const siblings = new Array(20).fill('0');
+    const input = {
+        modelHash: agent.modelHash.toString(),
+        operatorPubkeyAx: agent.operatorPublicKey.x.toString(),
+        operatorPubkeyAy: agent.operatorPublicKey.y.toString(),
+        permissionBitmask: agent.permissionBitmask.toString(),
+        expiryTimestamp: agent.expiryTimestamp.toString(),
+        sigR8x: agent.signature.R8.x.toString(),
+        sigR8y: agent.signature.R8.y.toString(),
+        sigS: agent.signature.S.toString(),
+        merkleProofLength: '0',
+        merkleProofIndex: '0',
+        merkleProofSiblings: siblings,
+        requiredScopeMask: requiredScopeMask.toString(),
+        currentTimestamp: currentTimestamp.toString(),
+        sessionNonce: nonce.toString(),
+    };
+    try {
+        const { proof, publicSignals } = await snarkjs.plonk.fullProve(input, wasmPath, zkeyPath);
+        return { proof, publicSignals };
+    }
+    catch (err) {
+        throw new errors_1.ProofGenerationError('AgentPolicy', err.message ?? String(err));
+    }
+}
+/**
+ * Verify a handshake result (check proof validity without on-chain submission).
+ * For on-chain verification, submit proofs to IdentityRegistry.verifyHandshake().
+ *
+ * @param humanProof - The human's ZK proof
+ * @param agentProof - The agent's ZK proof
+ * @param nonce - The session nonce used during proof generation
+ * @param config - SDK configuration (circuitDir for vkey paths)
+ * @returns HandshakeResult with nullifiers and verification status
+ */
+async function verifyHandshake(humanProof, agentProof, nonce, config) {
+    const circuitDir = config?.circuitDir ?? DEFAULT_CIRCUIT_DIR;
+    // Verify human proof (Groth16)
+    const humanVkeyPath = path.join(circuitDir, 'HumanUniqueness_vkey.json');
+    const humanVkey = require(humanVkeyPath);
+    const humanValid = await snarkjs.groth16.verify(humanVkey, humanProof.publicSignals, humanProof.proof);
+    // Verify agent proof (PLONK)
+    const agentVkeyPath = path.join(circuitDir, 'AgentPolicy_vkey.json');
+    const agentVkey = require(agentVkeyPath);
+    const agentValid = await snarkjs.plonk.verify(agentVkey, agentProof.publicSignals, agentProof.proof);
+    return {
+        humanNullifier: BigInt(humanProof.publicSignals[1]),
+        agentNullifier: BigInt(agentProof.publicSignals[1]),
+        sessionNonce: nonce,
+        scopeCommitment: BigInt(agentProof.publicSignals[2]),
+        verified: humanValid && agentValid,
+    };
+}
+//# sourceMappingURL=handshake.js.map

package/dist/handshake.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handshake.js","sourceRoot":"","sources":["../src/handshake.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCA,wCAoBC;AAmGD,0CAiCC;AAzLD,iDAAmC;AACnC,2CAA6B;AAQ7B,qCAAgD;AAEhD,gEAAgE;AAChE,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;AAEzE;;;;;;;;;;;;;;;;;;GAkBG;AACI,KAAK,UAAU,cAAc,CAClC,KAAoB,EACpB,KAAsB,EACtB,OAIC;IAED,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC;IAEtE,mCAAmC;IACnC,MAAM,CAAC,UAAU,EAAE,UAAU,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACjD,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC;QACnD,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,UAAU,CAAC;KAC7C,CAAC,CAAC;IAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAoB,EACpB,KAAa,EACb,KAAa,EACb,UAAkB;IAElB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,UAAU,EACV,yCAAyC,CAC1C,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,4BAA4B,CAAC,CAAC;IAErE,iEAAiE;IACjE,MAAM,QAAQ,GAAG,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEzC,MAAM,KAAK,GAAG;QACZ,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE;QAC/B,iBAAiB,EAAE,GAAG,EAAE,+BAA+B;QACvD,gBAAgB,EAAE,GAAG;QACrB,mBAAmB,EAAE,QAAQ;QAC7B,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE;QACvB,YAAY,EAAE,KAAK,CAAC,QAAQ,EAAE;KAC/B,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,SAAS,CAC9D,KAAK,EACL,QAAQ,EACR,QAAQ,CACT,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;IAClC,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,6BAAoB,CAC5B,iBAAiB,EACjB,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,KAAsB,EACtB,KAAa,EACb,UAAkB;IAElB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,UAAU,EACV,iCAAiC,CAClC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,wBAAwB,CAAC,CAAC;IAEjE,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAC/D,MAAM,iBAAiB,GAAG,EAAE,CAAC,CAAC,wCAAwC;IAEtE,MAAM,QAAQ,GAAG,IAAI,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEzC,MAAM,KAAK,GAAG;QACZ,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE;QACrC,gBAAgB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACtD,gBAAgB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACtD,iBAAiB,EAAE,KAAK,CAAC,iBAAiB,CAAC,QAAQ,EAAE;QACrD,eAAe,EAAE,KAAK,CAAC,eAAe,CAAC,QAAQ,EAAE;QACjD,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QACvC,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QACvC,IAAI,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE;QAClC,iBAAiB,EAAE,GAAG;QACtB,gBAAgB,EAAE,GAAG;QACrB,mBAAmB,EAAE,QAAQ;QAC7B,iBAAiB,EAAE,iBAAiB,CAAC,QAAQ,EAAE;QAC/C,gBAAgB,EAAE,gBAAgB,CAAC,QAAQ,EAAE;QAC7C,YAAY,EAAE,KAAK,CAAC,QAAQ,EAAE;KAC/B,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,SAAS,CAC5D,KAAK,EACL,QAAQ,EACR,QAAQ,CACT,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;IAClC,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,6BAAoB,CAC5B,aAAa,EACb,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAC3B,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,eAAe,CACnC,UAAiB,EACjB,UAAiB,EACjB,KAAa,EACb,MAAqB;IAErB,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC;IAE7D,+BAA+B;IAC/B,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,2BAA2B,CAAC,CAAC;IACzE,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAC7C,SAAS,EACT,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,KAAK,CACjB,CAAC;IAEF,6BAA6B;IAC7B,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,uBAAuB,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,MAAM,CAC3C,SAAS,EACT,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,KAAK,CACjB,CAAC;IAEF,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACnD,cAAc,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACnD,YAAY,EAAE,KAAK;QACnB,eAAe,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACpD,QAAQ,EAAE,UAAU,IAAI,UAAU;KACnC,CAAC;AACJ,CAAC"}

package/dist/identity.d.ts

@@ -0,0 +1,42 @@
+import { HumanIdentity, AgentCredential, Permission } from './types';
+/**
+ * Create a human identity (EdDSA keypair + commitment).
+ * Compatible with Semaphore v4 identity scheme.
+ *
+ * @param secret - A secret value (random bigint or derived from a seed phrase).
+ *                 KEEP THIS PRIVATE — it is the human's authentication key.
+ * @returns HumanIdentity with secret, publicKey, and commitment
+ *
+ * @example
+ * ```ts
+ * const identity = await createHumanIdentity(BigInt(crypto.getRandomValues(new Uint8Array(32)).reduce((a, b) => a * 256n + BigInt(b), 0n)));
+ * console.log(identity.commitment); // Poseidon2(Ax, Ay) — enroll this in humanTree
+ * ```
+ */
+export declare function createHumanIdentity(secret: bigint): Promise<HumanIdentity>;
+/**
+ * Create an AI agent credential signed by the operator.
+ *
+ * @param modelHash - Hash of the model identifier (e.g., sha256("gpt-4o"))
+ * @param operatorPrivateKey - Operator's EdDSA private key (signs the credential)
+ * @param permissions - Array of Permission flags (cumulative encoding enforced)
+ * @param expiryTimestamp - Unix timestamp when the credential expires
+ * @returns AgentCredential with all fields + operator signature + commitment
+ *
+ * @example
+ * ```ts
+ * const credential = await createAgentCredential(
+ *   hashModel("gpt-4o"),
+ *   operatorKey,
+ *   [Permission.READ_DATA, Permission.WRITE_DATA, Permission.FINANCIAL_SMALL],
+ *   BigInt(Math.floor(Date.now() / 1000) + 86400) // +1 day
+ * );
+ * console.log(credential.commitment); // enroll this in agentTree
+ * ```
+ */
+export declare function createAgentCredential(modelHash: bigint, operatorPrivateKey: bigint | Buffer, permissions: Permission[], expiryTimestamp: bigint): Promise<AgentCredential>;
+/** Convert an array of Permission flags to a 64-bit bitmask */
+export declare function permissionsToBitmask(permissions: Permission[]): bigint;
+/** Validate cumulative bit encoding: bit 4 implies 2+3, bit 3 implies 2 */
+export declare function validateCumulativeBitEncoding(bitmask: bigint): void;
+//# sourceMappingURL=identity.d.ts.map

package/dist/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAIrE;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,aAAa,CAAC,CAMxB;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,GAAG,MAAM,EACnC,WAAW,EAAE,UAAU,EAAE,EACzB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,eAAe,CAAC,CA4B1B;AAED,+DAA+D;AAC/D,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,MAAM,CAMtE;AAED,2EAA2E;AAC3E,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAoBnE"}

package/dist/identity.js

@@ -0,0 +1,90 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createHumanIdentity = createHumanIdentity;
+exports.createAgentCredential = createAgentCredential;
+exports.permissionsToBitmask = permissionsToBitmask;
+exports.validateCumulativeBitEncoding = validateCumulativeBitEncoding;
+const utils_1 = require("./utils");
+const errors_1 = require("./errors");
+/**
+ * Create a human identity (EdDSA keypair + commitment).
+ * Compatible with Semaphore v4 identity scheme.
+ *
+ * @param secret - A secret value (random bigint or derived from a seed phrase).
+ *                 KEEP THIS PRIVATE — it is the human's authentication key.
+ * @returns HumanIdentity with secret, publicKey, and commitment
+ *
+ * @example
+ * ```ts
+ * const identity = await createHumanIdentity(BigInt(crypto.getRandomValues(new Uint8Array(32)).reduce((a, b) => a * 256n + BigInt(b), 0n)));
+ * console.log(identity.commitment); // Poseidon2(Ax, Ay) — enroll this in humanTree
+ * ```
+ */
+async function createHumanIdentity(secret) {
+    // HumanUniqueness circuit uses BabyPbk (direct scalar multiply),
+    // NOT EdDSA prv2pub. Use derivePublicKeyScalar here.
+    const publicKey = await (0, utils_1.derivePublicKeyScalar)(secret);
+    const commitment = await (0, utils_1.poseidon2)(publicKey.x, publicKey.y);
+    return { secret, publicKey, commitment };
+}
+/**
+ * Create an AI agent credential signed by the operator.
+ *
+ * @param modelHash - Hash of the model identifier (e.g., sha256("gpt-4o"))
+ * @param operatorPrivateKey - Operator's EdDSA private key (signs the credential)
+ * @param permissions - Array of Permission flags (cumulative encoding enforced)
+ * @param expiryTimestamp - Unix timestamp when the credential expires
+ * @returns AgentCredential with all fields + operator signature + commitment
+ *
+ * @example
+ * ```ts
+ * const credential = await createAgentCredential(
+ *   hashModel("gpt-4o"),
+ *   operatorKey,
+ *   [Permission.READ_DATA, Permission.WRITE_DATA, Permission.FINANCIAL_SMALL],
+ *   BigInt(Math.floor(Date.now() / 1000) + 86400) // +1 day
+ * );
+ * console.log(credential.commitment); // enroll this in agentTree
+ * ```
+ */
+async function createAgentCredential(modelHash, operatorPrivateKey, permissions, expiryTimestamp) {
+    const bitmask = permissionsToBitmask(permissions);
+    validateCumulativeBitEncoding(bitmask);
+    const operatorPublicKey = await (0, utils_1.derivePublicKey)(typeof operatorPrivateKey === 'bigint'
+        ? operatorPrivateKey
+        : BigInt('0x' + operatorPrivateKey.toString('hex')));
+    const commitment = await (0, utils_1.poseidon5)(modelHash, operatorPublicKey.x, operatorPublicKey.y, bitmask, expiryTimestamp);
+    const signature = await (0, utils_1.eddsaSign)(operatorPrivateKey, commitment);
+    return {
+        modelHash,
+        operatorPublicKey,
+        permissionBitmask: bitmask,
+        expiryTimestamp,
+        signature,
+        commitment,
+    };
+}
+/** Convert an array of Permission flags to a 64-bit bitmask */
+function permissionsToBitmask(permissions) {
+    let bitmask = 0n;
+    for (const p of permissions) {
+        bitmask |= 1n << BigInt(p);
+    }
+    return bitmask;
+}
+/** Validate cumulative bit encoding: bit 4 implies 2+3, bit 3 implies 2 */
+function validateCumulativeBitEncoding(bitmask) {
+    const bit2 = (bitmask >> 2n) & 1n;
+    const bit3 = (bitmask >> 3n) & 1n;
+    const bit4 = (bitmask >> 4n) & 1n;
+    if (bit4 && !bit3) {
+        throw new errors_1.InvalidPermissionError('FINANCIAL_UNLIMITED (bit 4) requires FINANCIAL_MEDIUM (bit 3)');
+    }
+    if (bit4 && !bit2) {
+        throw new errors_1.InvalidPermissionError('FINANCIAL_UNLIMITED (bit 4) requires FINANCIAL_SMALL (bit 2)');
+    }
+    if (bit3 && !bit2) {
+        throw new errors_1.InvalidPermissionError('FINANCIAL_MEDIUM (bit 3) requires FINANCIAL_SMALL (bit 2)');
+    }
+}
+//# sourceMappingURL=identity.js.map

package/dist/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../src/identity.ts"],"names":[],"mappings":";;AAkBA,kDAQC;AAsBD,sDAiCC;AAGD,oDAMC;AAGD,sEAoBC;AAhHD,mCAAkG;AAClG,qCAAkD;AAElD;;;;;;;;;;;;;GAaG;AACI,KAAK,UAAU,mBAAmB,CACvC,MAAc;IAEd,iEAAiE;IACjE,qDAAqD;IACrD,MAAM,SAAS,GAAG,MAAM,IAAA,6BAAqB,EAAC,MAAM,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,MAAM,IAAA,iBAAS,EAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IAC7D,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACI,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,kBAAmC,EACnC,WAAyB,EACzB,eAAuB;IAEvB,MAAM,OAAO,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAClD,6BAA6B,CAAC,OAAO,CAAC,CAAC;IAEvC,MAAM,iBAAiB,GAAG,MAAM,IAAA,uBAAe,EAC7C,OAAO,kBAAkB,KAAK,QAAQ;QACpC,CAAC,CAAC,kBAAkB;QACpB,CAAC,CAAC,MAAM,CAAC,IAAI,GAAG,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CACtD,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,IAAA,iBAAS,EAChC,SAAS,EACT,iBAAiB,CAAC,CAAC,EACnB,iBAAiB,CAAC,CAAC,EACnB,OAAO,EACP,eAAe,CAChB,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,IAAA,iBAAS,EAAC,kBAAkB,EAAE,UAAU,CAAC,CAAC;IAElE,OAAO;QACL,SAAS;QACT,iBAAiB;QACjB,iBAAiB,EAAE,OAAO;QAC1B,eAAe;QACf,SAAS;QACT,UAAU;KACX,CAAC;AACJ,CAAC;AAED,+DAA+D;AAC/D,SAAgB,oBAAoB,CAAC,WAAyB;IAC5D,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,OAAO,IAAI,EAAE,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,2EAA2E;AAC3E,SAAgB,6BAA6B,CAAC,OAAe;IAC3D,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC,GAAG,EAAE,CAAC;IAElC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,+BAAsB,CAC9B,+DAA+D,CAChE,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,+BAAsB,CAC9B,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,MAAM,IAAI,+BAAsB,CAC9B,2DAA2D,CAC5D,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export type { HumanIdentity, AgentCredential, HandshakeResult, DelegationResult, Proof, BolyraConfig, } from './types';
+export { Permission } from './types';
+export { createHumanIdentity, createAgentCredential, permissionsToBitmask, validateCumulativeBitEncoding, } from './identity';
+export { proveHandshake, verifyHandshake } from './handshake';
+export { delegate, verifyDelegation } from './delegation';
+export { BolyraError, ProofGenerationError, VerificationError, InvalidPermissionError, ExpiredCredentialError, ScopeEscalationError, StaleProofError, } from './errors';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,aAAa,EACb,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,KAAK,EACL,YAAY,GACb,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrC,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,6BAA6B,GAC9B,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAG9D,OAAO,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAG1D,OAAO,EACL,WAAW,EACX,oBAAoB,EACpB,iBAAiB,EACjB,sBAAsB,EACtB,sBAAsB,EACtB,oBAAoB,EACpB,eAAe,GAChB,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.StaleProofError = exports.ScopeEscalationError = exports.ExpiredCredentialError = exports.InvalidPermissionError = exports.VerificationError = exports.ProofGenerationError = exports.BolyraError = exports.verifyDelegation = exports.delegate = exports.verifyHandshake = exports.proveHandshake = exports.validateCumulativeBitEncoding = exports.permissionsToBitmask = exports.createAgentCredential = exports.createHumanIdentity = exports.Permission = void 0;
+// Permission enum
+var types_1 = require("./types");
+Object.defineProperty(exports, "Permission", { enumerable: true, get: function () { return types_1.Permission; } });
+// Identity creation
+var identity_1 = require("./identity");
+Object.defineProperty(exports, "createHumanIdentity", { enumerable: true, get: function () { return identity_1.createHumanIdentity; } });
+Object.defineProperty(exports, "createAgentCredential", { enumerable: true, get: function () { return identity_1.createAgentCredential; } });
+Object.defineProperty(exports, "permissionsToBitmask", { enumerable: true, get: function () { return identity_1.permissionsToBitmask; } });
+Object.defineProperty(exports, "validateCumulativeBitEncoding", { enumerable: true, get: function () { return identity_1.validateCumulativeBitEncoding; } });
+// Handshake (v0.2 — real proof generation via snarkjs)
+var handshake_1 = require("./handshake");
+Object.defineProperty(exports, "proveHandshake", { enumerable: true, get: function () { return handshake_1.proveHandshake; } });
+Object.defineProperty(exports, "verifyHandshake", { enumerable: true, get: function () { return handshake_1.verifyHandshake; } });
+// Delegation (stubs — coming in v0.3)
+var delegation_1 = require("./delegation");
+Object.defineProperty(exports, "delegate", { enumerable: true, get: function () { return delegation_1.delegate; } });
+Object.defineProperty(exports, "verifyDelegation", { enumerable: true, get: function () { return delegation_1.verifyDelegation; } });
+// Errors
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "BolyraError", { enumerable: true, get: function () { return errors_1.BolyraError; } });
+Object.defineProperty(exports, "ProofGenerationError", { enumerable: true, get: function () { return errors_1.ProofGenerationError; } });
+Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return errors_1.VerificationError; } });
+Object.defineProperty(exports, "InvalidPermissionError", { enumerable: true, get: function () { return errors_1.InvalidPermissionError; } });
+Object.defineProperty(exports, "ExpiredCredentialError", { enumerable: true, get: function () { return errors_1.ExpiredCredentialError; } });
+Object.defineProperty(exports, "ScopeEscalationError", { enumerable: true, get: function () { return errors_1.ScopeEscalationError; } });
+Object.defineProperty(exports, "StaleProofError", { enumerable: true, get: function () { return errors_1.StaleProofError; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAUA,kBAAkB;AAClB,iCAAqC;AAA5B,mGAAA,UAAU,OAAA;AAEnB,oBAAoB;AACpB,uCAKoB;AAJlB,+GAAA,mBAAmB,OAAA;AACnB,iHAAA,qBAAqB,OAAA;AACrB,gHAAA,oBAAoB,OAAA;AACpB,yHAAA,6BAA6B,OAAA;AAG/B,uDAAuD;AACvD,yCAA8D;AAArD,2GAAA,cAAc,OAAA;AAAE,4GAAA,eAAe,OAAA;AAExC,sCAAsC;AACtC,2CAA0D;AAAjD,sGAAA,QAAQ,OAAA;AAAE,8GAAA,gBAAgB,OAAA;AAEnC,SAAS;AACT,mCAQkB;AAPhB,qGAAA,WAAW,OAAA;AACX,8GAAA,oBAAoB,OAAA;AACpB,2GAAA,iBAAiB,OAAA;AACjB,gHAAA,sBAAsB,OAAA;AACtB,gHAAA,sBAAsB,OAAA;AACtB,8GAAA,oBAAoB,OAAA;AACpB,yGAAA,eAAe,OAAA"}