@bolyra/sdk 0.2.0 → 0.3.0

package/dist/model-binding.js

@@ -0,0 +1,195 @@
+"use strict";
+// sdk/src/model-binding.ts
+//
+// C7 — ModelInstanceBinding SDK glue.
+//
+// Generates a ZK proof that a tool-call message is cryptographically bound to
+// a specific (model, operator, permission, message) tuple AND that the
+// operator was authorized by an enrolled provider key. See
+// circuits/src/ModelInstanceBinding.circom and spec §5.1 for full semantics.
+//
+// Interim status: the circuit ships as Groth16 (pot16-compatible). PLONK is
+// the long-term target once pot17.ptau is fetched (see circuits/CEREMONY.md).
+// The SDK API stays stable across that migration.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bindModelInstance = bindModelInstance;
+exports.verifyModelInstanceBinding = verifyModelInstanceBinding;
+const path = __importStar(require("path"));
+const fs = __importStar(require("fs"));
+const snarkjs = __importStar(require("snarkjs"));
+const errors_1 = require("./errors");
+const prover_1 = require("./prover");
+// BOLYRA_CIRCUITS_DIR env override — see handshake.ts for rationale.
+const DEFAULT_CIRCUIT_DIR = process.env.BOLYRA_CIRCUITS_DIR ?? path.join(__dirname, '../../circuits/build');
+const AGENT_TREE_DEPTH = 20;
+const PROVIDER_TREE_DEPTH = 8;
+function padSiblings(siblings, depth) {
+    if (siblings.length > depth) {
+        throw new errors_1.VerificationError(`Merkle proof has ${siblings.length} siblings but depth is ${depth}`);
+    }
+    const out = siblings.map((s) => s.toString());
+    while (out.length < depth)
+        out.push('0');
+    return out;
+}
+/**
+ * Generate a ModelInstanceBinding ZK proof.
+ *
+ * The proof attests (in zero knowledge):
+ *   - The agent credential is enrolled in the on-chain agent tree.
+ *   - An enrolled provider signed the FULL `credentialCommitment`
+ *     (= Poseidon5(modelHash, opPkAx, opPkAy, permissionBitmask, expiry)),
+ *     which binds permissions and expiry — not just (model, operator).
+ *   - The operator signed the same `credentialCommitment`.
+ *   - The credential satisfies `requiredScopeMask` and is unexpired.
+ *   - The tool-call message digest is bound to this proof.
+ *   - `publicOutputs.providerKeyCommitment` identifies WHICH enrolled provider
+ *     signed (closes the provider-anonymity attack found in codex challenge).
+ *
+ * @example
+ * ```ts
+ * const result = await bindModelInstance({
+ *   credential,
+ *   providerAttestation,
+ *   providerMerkleProof,
+ *   message: BigInt('0x' + sha256(payload).slice(0, 62)), // mod p
+ *   sessionNonce: BigInt(Date.now()),
+ *   requiredScopeMask: 0b101n, // READ_DATA | FINANCIAL_SMALL
+ * });
+ * // Submit result.proof to IdentityRegistry.verifyModelInstanceBinding(...)
+ * ```
+ */
+async function bindModelInstance(input) {
+    const { credential, providerAttestation, providerMerkleProof, message, sessionNonce, requiredScopeMask = 0n, currentTimestamp = BigInt(Math.floor(Date.now() / 1000)), config, backend = 'auto', } = input;
+    const circuitDir = config?.circuitDir ?? DEFAULT_CIRCUIT_DIR;
+    const wasm = path.join(circuitDir, 'ModelInstanceBinding_js/ModelInstanceBinding.wasm');
+    const zkey = path.join(circuitDir, 'ModelInstanceBinding_final.zkey');
+    if (!fs.existsSync(wasm))
+        throw new errors_1.CircuitArtifactNotFoundError(wasm, 'wasm');
+    if (!fs.existsSync(zkey))
+        throw new errors_1.CircuitArtifactNotFoundError(zkey, 'zkey');
+    // Default: single-leaf agent tree (depth 0).
+    const agentMerkleProof = input.agentMerkleProof ?? {
+        length: 0,
+        index: 0,
+        siblings: [],
+    };
+    const witnessInput = {
+        // Credential
+        modelHash: credential.modelHash.toString(),
+        operatorPubkeyAx: credential.operatorPublicKey.x.toString(),
+        operatorPubkeyAy: credential.operatorPublicKey.y.toString(),
+        permissionBitmask: credential.permissionBitmask.toString(),
+        expiryTimestamp: credential.expiryTimestamp.toString(),
+        // Operator signature
+        operatorSigR8x: credential.signature.R8.x.toString(),
+        operatorSigR8y: credential.signature.R8.y.toString(),
+        operatorSigS: credential.signature.S.toString(),
+        // Provider key + signature
+        providerPubkeyAx: providerAttestation.providerPublicKey.x.toString(),
+        providerPubkeyAy: providerAttestation.providerPublicKey.y.toString(),
+        providerSigR8x: providerAttestation.signature.R8.x.toString(),
+        providerSigR8y: providerAttestation.signature.R8.y.toString(),
+        providerSigS: providerAttestation.signature.S.toString(),
+        // Message
+        messagePlaintext: message.toString(),
+        // Agent Merkle proof
+        merkleProofLength: agentMerkleProof.length.toString(),
+        merkleProofIndex: agentMerkleProof.index.toString(),
+        merkleProofSiblings: padSiblings(agentMerkleProof.siblings, AGENT_TREE_DEPTH),
+        // Provider Merkle proof
+        providerMerkleProofLength: providerMerkleProof.length.toString(),
+        providerMerkleProofIndex: providerMerkleProof.index.toString(),
+        providerMerkleProofSiblings: padSiblings(providerMerkleProof.siblings, PROVIDER_TREE_DEPTH),
+        // Public inputs
+        requiredScopeMask: requiredScopeMask.toString(),
+        currentTimestamp: currentTimestamp.toString(),
+        sessionNonce: sessionNonce.toString(),
+        providerRegistryRoot: providerMerkleProof.root.toString(),
+    };
+    let proof;
+    try {
+        proof = await (0, prover_1.proveGroth16)(witnessInput, wasm, zkey, backend);
+    }
+    catch (err) {
+        throw new errors_1.ProofGenerationError('ModelInstanceBinding', err.message ?? String(err));
+    }
+    // Public signal layout (snarkjs emits outputs first, then public inputs in
+    // declaration order). 10 signals post Phase 2 hardening:
+    //   0: agentMerkleRoot
+    //   1: nullifierHash
+    //   2: scopeCommitment
+    //   3: messageHash
+    //   4: modelOperatorFingerprint
+    //   5: providerKeyCommitment      ← which enrolled provider signed
+    //   6: requiredScopeMask
+    //   7: currentTimestamp
+    //   8: sessionNonce
+    //   9: providerRegistryRoot
+    if (proof.publicSignals.length !== 10) {
+        throw new errors_1.VerificationError(`Expected 10 public signals, got ${proof.publicSignals.length}. Verifier may be out of sync with circuit.`);
+    }
+    return {
+        proof,
+        publicOutputs: {
+            agentMerkleRoot: BigInt(proof.publicSignals[0]),
+            nullifierHash: BigInt(proof.publicSignals[1]),
+            scopeCommitment: BigInt(proof.publicSignals[2]),
+            messageHash: BigInt(proof.publicSignals[3]),
+            modelOperatorFingerprint: BigInt(proof.publicSignals[4]),
+            providerKeyCommitment: BigInt(proof.publicSignals[5]),
+            requiredScopeMask: BigInt(proof.publicSignals[6]),
+            currentTimestamp: BigInt(proof.publicSignals[7]),
+            sessionNonce: BigInt(proof.publicSignals[8]),
+            providerRegistryRoot: BigInt(proof.publicSignals[9]),
+        },
+    };
+}
+/**
+ * Verify a ModelInstanceBinding proof off-chain (snarkjs-side).
+ * For on-chain verification, submit the proof to
+ * IdentityRegistry.verifyModelInstanceBinding(...).
+ */
+async function verifyModelInstanceBinding(proof, config) {
+    const circuitDir = config?.circuitDir ?? DEFAULT_CIRCUIT_DIR;
+    const vkeyPath = path.join(circuitDir, 'ModelInstanceBinding_groth16_vkey.json');
+    if (!fs.existsSync(vkeyPath)) {
+        throw new errors_1.CircuitArtifactNotFoundError(vkeyPath, 'vkey');
+    }
+    const vkey = require(vkeyPath);
+    return await snarkjs.groth16.verify(vkey, proof.publicSignals, proof.proof);
+}
+//# sourceMappingURL=model-binding.js.map

package/dist/model-binding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-binding.js","sourceRoot":"","sources":["../src/model-binding.ts"],"names":[],"mappings":";AAAA,2BAA2B;AAC3B,EAAE;AACF,sCAAsC;AACtC,EAAE;AACF,8EAA8E;AAC9E,uEAAuE;AACvE,2DAA2D;AAC3D,6EAA6E;AAC7E,EAAE;AACF,4EAA4E;AAC5E,8EAA8E;AAC9E,kDAAkD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiIlD,8CAsHC;AAOD,gEAWC;AAvQD,2CAA6B;AAC7B,uCAAyB;AACzB,iDAAmC;AAEnC,qCAIkB;AAClB,qCAAuD;AAEvD,qEAAqE;AACrE,MAAM,mBAAmB,GACvB,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;AAClF,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAC5B,MAAM,mBAAmB,GAAG,CAAC,CAAC;AA0E9B,SAAS,WAAW,CAAC,QAAkB,EAAE,KAAa;IACpD,IAAI,QAAQ,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QAC5B,MAAM,IAAI,0BAAiB,CACzB,oBAAoB,QAAQ,CAAC,MAAM,0BAA0B,KAAK,EAAE,CACrE,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAa,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACxD,OAAO,GAAG,CAAC,MAAM,GAAG,KAAK;QAAE,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACI,KAAK,UAAU,iBAAiB,CACrC,KAA6B;IAE7B,MAAM,EACJ,UAAU,EACV,mBAAmB,EACnB,mBAAmB,EACnB,OAAO,EACP,YAAY,EACZ,iBAAiB,GAAG,EAAE,EACtB,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,EACxD,MAAM,EACN,OAAO,GAAG,MAAM,GACjB,GAAG,KAAK,CAAC;IAEV,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC;IAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CACpB,UAAU,EACV,mDAAmD,CACpD,CAAC;IACF,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iCAAiC,CAAC,CAAC;IAEtE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,qCAA4B,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,qCAA4B,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAE/E,6CAA6C;IAC7C,MAAM,gBAAgB,GAAqB,KAAK,CAAC,gBAAgB,IAAI;QACnE,MAAM,EAAE,CAAC;QACT,KAAK,EAAE,CAAC;QACR,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,MAAM,YAAY,GAAG;QACnB,aAAa;QACb,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC,QAAQ,EAAE;QAC1C,gBAAgB,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QAC3D,gBAAgB,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QAC3D,iBAAiB,EAAE,UAAU,CAAC,iBAAiB,CAAC,QAAQ,EAAE;QAC1D,eAAe,EAAE,UAAU,CAAC,eAAe,CAAC,QAAQ,EAAE;QAEtD,qBAAqB;QACrB,cAAc,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QACpD,cAAc,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QACpD,YAAY,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE;QAE/C,2BAA2B;QAC3B,gBAAgB,EAAE,mBAAmB,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACpE,gBAAgB,EAAE,mBAAmB,CAAC,iBAAiB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACpE,cAAc,EAAE,mBAAmB,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QAC7D,cAAc,EAAE,mBAAmB,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;QAC7D,YAAY,EAAE,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE;QAExD,UAAU;QACV,gBAAgB,EAAE,OAAO,CAAC,QAAQ,EAAE;QAEpC,qBAAqB;QACrB,iBAAiB,EAAE,gBAAgB,CAAC,MAAM,CAAC,QAAQ,EAAE;QACrD,gBAAgB,EAAE,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE;QACnD,mBAAmB,EAAE,WAAW,CAAC,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,CAAC;QAE7E,wBAAwB;QACxB,yBAAyB,EAAE,mBAAmB,CAAC,MAAM,CAAC,QAAQ,EAAE;QAChE,wBAAwB,EAAE,mBAAmB,CAAC,KAAK,CAAC,QAAQ,EAAE;QAC9D,2BAA2B,EAAE,WAAW,CACtC,mBAAmB,CAAC,QAAQ,EAC5B,mBAAmB,CACpB;QAED,gBAAgB;QAChB,iBAAiB,EAAE,iBAAiB,CAAC,QAAQ,EAAE;QAC/C,gBAAgB,EAAE,gBAAgB,CAAC,QAAQ,EAAE;QAC7C,YAAY,EAAE,YAAY,CAAC,QAAQ,EAAE;QACrC,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC,QAAQ,EAAE;KAC1D,CAAC;IAEF,IAAI,KAAY,CAAC;IACjB,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,IAAA,qBAAY,EAAC,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,6BAAoB,CAC5B,sBAAsB,EACtB,GAAG,CAAC,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAC3B,CAAC;IACJ,CAAC;IAED,2EAA2E;IAC3E,yDAAyD;IACzD,uBAAuB;IACvB,qBAAqB;IACrB,uBAAuB;IACvB,mBAAmB;IACnB,gCAAgC;IAChC,mEAAmE;IACnE,yBAAyB;IACzB,wBAAwB;IACxB,oBAAoB;IACpB,4BAA4B;IAC5B,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,0BAAiB,CACzB,mCAAmC,KAAK,CAAC,aAAa,CAAC,MAAM,6CAA6C,CAC3G,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK;QACL,aAAa,EAAE;YACb,eAAe,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAC/C,aAAa,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAC7C,eAAe,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAC/C,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAC3C,wBAAwB,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YACxD,qBAAqB,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YACrD,iBAAiB,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YACjD,gBAAgB,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAChD,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAC5C,oBAAoB,EAAE,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;SACrD;KACF,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,0BAA0B,CAC9C,KAAY,EACZ,MAAqB;IAErB,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC;IAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,wCAAwC,CAAC,CAAC;IACjF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,qCAA4B,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/B,OAAO,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,aAAa,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC"}

package/dist/offchain.d.ts

@@ -0,0 +1,89 @@
+import { ethers } from 'ethers';
+import { Proof, BolyraConfig, HandshakeResult, OffchainVerificationResult, BatchCheckpoint } from './types';
+/**
+ * Verify a handshake off-chain using local snarkjs verification.
+ * Same interface as verifyHandshake but never touches the chain.
+ * Produces a HandshakeResult suitable for batching.
+ *
+ * Gas savings: 0 gas per verification (vs ~300k+ on-chain).
+ * The batch root is posted once for N verifications.
+ */
+export declare function verifyHandshakeOffchain(humanProof: Proof, agentProof: Proof, nonce: bigint, config?: BolyraConfig): Promise<HandshakeResult>;
+/**
+ * Compute the session commitment for a HandshakeResult.
+ * sessionCommitment = Poseidon2(humanNullifier, Poseidon2(agentNullifier, sessionNonce))
+ * This binds all three fields into a single leaf for the batch Merkle tree.
+ */
+export declare function computeSessionCommitment(result: HandshakeResult): Promise<bigint>;
+/**
+ * Accumulates verified handshake sessions and produces a Poseidon Merkle root.
+ * The root can be posted on-chain in a single transaction, amortizing gas
+ * across all sessions in the batch (target: ~100x reduction).
+ *
+ * Tree construction: binary Poseidon Merkle tree. If the number of leaves
+ * is not a power of 2, zero-padding is applied to the right.
+ */
+export declare class OffchainVerificationBatch {
+    private sessions;
+    private commitments;
+    private cachedRoot;
+    /** Number of sessions in the batch. */
+    get size(): number;
+    /**
+     * Add a verified handshake result to the batch.
+     * Resets the cached Merkle root (will be recomputed on next getMerkleRoot call).
+     *
+     * @returns The OffchainVerificationResult with batchIndex set.
+     */
+    add(result: HandshakeResult): Promise<OffchainVerificationResult>;
+    /**
+     * Compute the Poseidon Merkle root of all session commitments.
+     * Uses a binary tree with zero-padding to the next power of 2.
+     * Result is cached until a new session is added.
+     */
+    getMerkleRoot(): Promise<bigint>;
+    /**
+     * Get a Merkle inclusion proof for a specific session in the batch.
+     * Returns sibling hashes and path indices (0 = left, 1 = right) from leaf to root.
+     *
+     * @param sessionIndex - Index of the session (from OffchainVerificationResult.batchIndex)
+     * @returns Merkle proof (siblings + pathIndices) or throws if index is out of bounds.
+     */
+    getProofOfInclusion(sessionIndex: number): Promise<{
+        siblings: bigint[];
+        pathIndices: number[];
+    }>;
+    /**
+     * Get the session commitment at a given index.
+     */
+    getCommitment(index: number): bigint;
+    /**
+     * Get all session commitments (for external verification).
+     */
+    getCommitments(): bigint[];
+}
+/**
+ * Post a batch Merkle root on-chain. A single transaction checkpoints N sessions.
+ *
+ * Gas cost: ~50k-80k gas for a single storage write + event emission,
+ * regardless of how many sessions are in the batch.
+ * For 100 sessions: ~500 gas/session vs ~300k gas/session on-chain = ~600x reduction.
+ *
+ * @param batch - The batch to checkpoint
+ * @param signer - An ethers Signer (connected to the target chain)
+ * @param registryAddress - Address of the IdentityRegistry (or a BatchCheckpoint contract)
+ * @returns The BatchCheckpoint with on-chain timestamp
+ */
+export declare function postBatchRoot(batch: OffchainVerificationBatch, signer: ethers.Signer, registryAddress: string): Promise<BatchCheckpoint>;
+/**
+ * Verify a Merkle inclusion proof against a known root.
+ * Useful for verifiers who receive a proof-of-inclusion from a session participant.
+ *
+ * @param leaf - The session commitment (leaf value)
+ * @param siblings - Sibling hashes from the proof
+ * @param pathIndices - Path indices (0 = left, 1 = right)
+ * @param expectedRoot - The expected Merkle root (from on-chain checkpoint)
+ * @returns true if the proof is valid
+ */
+export declare function verifyMerkleInclusion(leaf: bigint, siblings: bigint[], pathIndices: number[], expectedRoot: bigint): Promise<boolean>;
+//# sourceMappingURL=offchain.d.ts.map

package/dist/offchain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"offchain.d.ts","sourceRoot":"","sources":["../src/offchain.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChC,OAAO,EACL,KAAK,EACL,YAAY,EACZ,eAAe,EACf,0BAA0B,EAC1B,eAAe,EAChB,MAAM,SAAS,CAAC;AAOjB;;;;;;;GAOG;AACH,wBAAsB,uBAAuB,CAC3C,UAAU,EAAE,KAAK,EACjB,UAAU,EAAE,KAAK,EACjB,KAAK,EAAE,MAAM,EACb,MAAM,CAAC,EAAE,YAAY,GACpB,OAAO,CAAC,eAAe,CAAC,CAyD1B;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAGvF;AAED;;;;;;;GAOG;AACH,qBAAa,yBAAyB;IACpC,OAAO,CAAC,QAAQ,CAAyB;IACzC,OAAO,CAAC,WAAW,CAAgB;IACnC,OAAO,CAAC,UAAU,CAAuB;IAEzC,uCAAuC;IACvC,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;;;;OAKG;IACG,GAAG,CAAC,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,0BAA0B,CAAC;IAoBvE;;;;OAIG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC;IAatC;;;;;;OAMG;IACG,mBAAmB,CACvB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QAAC,WAAW,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAUzD;;OAEG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IASpC;;OAEG;IACH,cAAc,IAAI,MAAM,EAAE;CAG3B;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,yBAAyB,EAChC,MAAM,EAAE,MAAM,CAAC,MAAM,EACrB,eAAe,EAAE,MAAM,GACtB,OAAO,CAAC,eAAe,CAAC,CA2B1B;AAsED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAAE,EAClB,WAAW,EAAE,MAAM,EAAE,EACrB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,OAAO,CAAC,CAelB"}

package/dist/offchain.js

@@ -0,0 +1,300 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OffchainVerificationBatch = void 0;
+exports.verifyHandshakeOffchain = verifyHandshakeOffchain;
+exports.computeSessionCommitment = computeSessionCommitment;
+exports.postBatchRoot = postBatchRoot;
+exports.verifyMerkleInclusion = verifyMerkleInclusion;
+const snarkjs = __importStar(require("snarkjs"));
+const path = __importStar(require("path"));
+const fs = __importStar(require("fs"));
+const ethers_1 = require("ethers");
+const errors_1 = require("./errors");
+const utils_1 = require("./utils");
+// Default paths to circuit artifacts (relative to package root)
+const DEFAULT_CIRCUIT_DIR = path.join(__dirname, '../../circuits/build');
+/**
+ * Verify a handshake off-chain using local snarkjs verification.
+ * Same interface as verifyHandshake but never touches the chain.
+ * Produces a HandshakeResult suitable for batching.
+ *
+ * Gas savings: 0 gas per verification (vs ~300k+ on-chain).
+ * The batch root is posted once for N verifications.
+ */
+async function verifyHandshakeOffchain(humanProof, agentProof, nonce, config) {
+    const circuitDir = config?.circuitDir ?? DEFAULT_CIRCUIT_DIR;
+    // Validate proof structure
+    if (!humanProof || !humanProof.proof || !Array.isArray(humanProof.publicSignals)) {
+        throw new errors_1.VerificationError('Invalid humanProof structure: expected { proof: object, publicSignals: string[] }.');
+    }
+    if (!agentProof || !agentProof.proof || !Array.isArray(agentProof.publicSignals)) {
+        throw new errors_1.VerificationError('Invalid agentProof structure: expected { proof: object, publicSignals: string[] }.');
+    }
+    if (humanProof.publicSignals.length < 2) {
+        throw new errors_1.VerificationError(`humanProof has ${humanProof.publicSignals.length} public signals, expected at least 2.`);
+    }
+    if (agentProof.publicSignals.length < 3) {
+        throw new errors_1.VerificationError(`agentProof has ${agentProof.publicSignals.length} public signals, expected at least 3.`);
+    }
+    // Load verification keys
+    const humanVkeyPath = path.join(circuitDir, 'HumanUniqueness_vkey.json');
+    if (!fs.existsSync(humanVkeyPath)) {
+        throw new errors_1.CircuitArtifactNotFoundError(humanVkeyPath, 'vkey');
+    }
+    const agentVkeyPath = path.join(circuitDir, 'AgentPolicy_groth16_vkey.json');
+    if (!fs.existsSync(agentVkeyPath)) {
+        throw new errors_1.CircuitArtifactNotFoundError(agentVkeyPath, 'vkey');
+    }
+    // Verify both proofs locally (no on-chain interaction)
+    const humanVkey = require(humanVkeyPath);
+    const humanValid = await snarkjs.groth16.verify(humanVkey, humanProof.publicSignals, humanProof.proof);
+    const agentVkey = require(agentVkeyPath);
+    const agentValid = await snarkjs.groth16.verify(agentVkey, agentProof.publicSignals, agentProof.proof);
+    return {
+        humanNullifier: BigInt(humanProof.publicSignals[1]),
+        agentNullifier: BigInt(agentProof.publicSignals[1]),
+        sessionNonce: nonce,
+        scopeCommitment: BigInt(agentProof.publicSignals[2]),
+        verified: humanValid && agentValid,
+    };
+}
+/**
+ * Compute the session commitment for a HandshakeResult.
+ * sessionCommitment = Poseidon2(humanNullifier, Poseidon2(agentNullifier, sessionNonce))
+ * This binds all three fields into a single leaf for the batch Merkle tree.
+ */
+async function computeSessionCommitment(result) {
+    const inner = await (0, utils_1.poseidon2)(result.agentNullifier, result.sessionNonce);
+    return (0, utils_1.poseidon2)(result.humanNullifier, inner);
+}
+/**
+ * Accumulates verified handshake sessions and produces a Poseidon Merkle root.
+ * The root can be posted on-chain in a single transaction, amortizing gas
+ * across all sessions in the batch (target: ~100x reduction).
+ *
+ * Tree construction: binary Poseidon Merkle tree. If the number of leaves
+ * is not a power of 2, zero-padding is applied to the right.
+ */
+class OffchainVerificationBatch {
+    sessions = [];
+    commitments = [];
+    cachedRoot = null;
+    /** Number of sessions in the batch. */
+    get size() {
+        return this.sessions.length;
+    }
+    /**
+     * Add a verified handshake result to the batch.
+     * Resets the cached Merkle root (will be recomputed on next getMerkleRoot call).
+     *
+     * @returns The OffchainVerificationResult with batchIndex set.
+     */
+    async add(result) {
+        if (!result.verified) {
+            throw new errors_1.VerificationError('Cannot add unverified handshake to batch. Verify the handshake first.');
+        }
+        const batchIndex = this.sessions.length;
+        const commitment = await computeSessionCommitment(result);
+        this.sessions.push(result);
+        this.commitments.push(commitment);
+        this.cachedRoot = null; // invalidate cache
+        return {
+            ...result,
+            batchIndex,
+        };
+    }
+    /**
+     * Compute the Poseidon Merkle root of all session commitments.
+     * Uses a binary tree with zero-padding to the next power of 2.
+     * Result is cached until a new session is added.
+     */
+    async getMerkleRoot() {
+        if (this.sessions.length === 0) {
+            return 0n;
+        }
+        if (this.cachedRoot !== null) {
+            return this.cachedRoot;
+        }
+        this.cachedRoot = await buildPoseidonMerkleRoot(this.commitments);
+        return this.cachedRoot;
+    }
+    /**
+     * Get a Merkle inclusion proof for a specific session in the batch.
+     * Returns sibling hashes and path indices (0 = left, 1 = right) from leaf to root.
+     *
+     * @param sessionIndex - Index of the session (from OffchainVerificationResult.batchIndex)
+     * @returns Merkle proof (siblings + pathIndices) or throws if index is out of bounds.
+     */
+    async getProofOfInclusion(sessionIndex) {
+        if (sessionIndex < 0 || sessionIndex >= this.sessions.length) {
+            throw new errors_1.VerificationError(`Session index ${sessionIndex} out of bounds (batch has ${this.sessions.length} sessions).`);
+        }
+        return buildPoseidonMerkleProof(this.commitments, sessionIndex);
+    }
+    /**
+     * Get the session commitment at a given index.
+     */
+    getCommitment(index) {
+        if (index < 0 || index >= this.commitments.length) {
+            throw new errors_1.VerificationError(`Index ${index} out of bounds (batch has ${this.commitments.length} sessions).`);
+        }
+        return this.commitments[index];
+    }
+    /**
+     * Get all session commitments (for external verification).
+     */
+    getCommitments() {
+        return [...this.commitments];
+    }
+}
+exports.OffchainVerificationBatch = OffchainVerificationBatch;
+/**
+ * Post a batch Merkle root on-chain. A single transaction checkpoints N sessions.
+ *
+ * Gas cost: ~50k-80k gas for a single storage write + event emission,
+ * regardless of how many sessions are in the batch.
+ * For 100 sessions: ~500 gas/session vs ~300k gas/session on-chain = ~600x reduction.
+ *
+ * @param batch - The batch to checkpoint
+ * @param signer - An ethers Signer (connected to the target chain)
+ * @param registryAddress - Address of the IdentityRegistry (or a BatchCheckpoint contract)
+ * @returns The BatchCheckpoint with on-chain timestamp
+ */
+async function postBatchRoot(batch, signer, registryAddress) {
+    if (batch.size === 0) {
+        throw new errors_1.VerificationError('Cannot post empty batch root on-chain.');
+    }
+    const root = await batch.getMerkleRoot();
+    // ABI for the postBatchRoot function on the BatchCheckpoint extension contract.
+    // function postBatchRoot(uint256 root, uint256 sessionCount) external
+    const abi = [
+        'function postBatchRoot(uint256 root, uint256 sessionCount) external',
+        'event BatchRootPosted(uint256 indexed root, uint256 sessionCount, uint256 timestamp)',
+    ];
+    const contract = new ethers_1.ethers.Contract(registryAddress, abi, signer);
+    const tx = await contract.postBatchRoot(root, batch.size);
+    const receipt = await tx.wait();
+    const timestamp = receipt?.blockNumber
+        ? (await signer.provider.getBlock(receipt.blockNumber))?.timestamp ?? Math.floor(Date.now() / 1000)
+        : Math.floor(Date.now() / 1000);
+    return {
+        root,
+        timestamp,
+        sessionCount: batch.size,
+    };
+}
+// ============ Internal Merkle Tree Helpers ============
+/**
+ * Pad leaves array to the next power of 2 with zeros.
+ */
+function padToPowerOfTwo(leaves) {
+    if (leaves.length === 0)
+        return [0n];
+    let size = 1;
+    while (size < leaves.length) {
+        size *= 2;
+    }
+    const padded = [...leaves];
+    while (padded.length < size) {
+        padded.push(0n);
+    }
+    return padded;
+}
+/**
+ * Build a Poseidon Merkle root from a list of leaf commitments.
+ * Binary tree, zero-padded to next power of 2.
+ */
+async function buildPoseidonMerkleRoot(leaves) {
+    let layer = padToPowerOfTwo(leaves);
+    while (layer.length > 1) {
+        const nextLayer = [];
+        for (let i = 0; i < layer.length; i += 2) {
+            nextLayer.push(await (0, utils_1.poseidon2)(layer[i], layer[i + 1]));
+        }
+        layer = nextLayer;
+    }
+    return layer[0];
+}
+/**
+ * Build a Merkle inclusion proof for a specific leaf index.
+ * Returns siblings and path indices (0 = leaf is on the left, 1 = leaf is on the right).
+ */
+async function buildPoseidonMerkleProof(leaves, index) {
+    const padded = padToPowerOfTwo(leaves);
+    const siblings = [];
+    const pathIndices = [];
+    let layer = padded;
+    let currentIndex = index;
+    while (layer.length > 1) {
+        const siblingIndex = currentIndex % 2 === 0 ? currentIndex + 1 : currentIndex - 1;
+        siblings.push(layer[siblingIndex]);
+        pathIndices.push(currentIndex % 2); // 0 = left, 1 = right
+        // Build next layer
+        const nextLayer = [];
+        for (let i = 0; i < layer.length; i += 2) {
+            nextLayer.push(await (0, utils_1.poseidon2)(layer[i], layer[i + 1]));
+        }
+        layer = nextLayer;
+        currentIndex = Math.floor(currentIndex / 2);
+    }
+    return { siblings, pathIndices };
+}
+/**
+ * Verify a Merkle inclusion proof against a known root.
+ * Useful for verifiers who receive a proof-of-inclusion from a session participant.
+ *
+ * @param leaf - The session commitment (leaf value)
+ * @param siblings - Sibling hashes from the proof
+ * @param pathIndices - Path indices (0 = left, 1 = right)
+ * @param expectedRoot - The expected Merkle root (from on-chain checkpoint)
+ * @returns true if the proof is valid
+ */
+async function verifyMerkleInclusion(leaf, siblings, pathIndices, expectedRoot) {
+    if (siblings.length !== pathIndices.length) {
+        return false;
+    }
+    let current = leaf;
+    for (let i = 0; i < siblings.length; i++) {
+        if (pathIndices[i] === 0) {
+            current = await (0, utils_1.poseidon2)(current, siblings[i]);
+        }
+        else {
+            current = await (0, utils_1.poseidon2)(siblings[i], current);
+        }
+    }
+    return current === expectedRoot;
+}
+//# sourceMappingURL=offchain.js.map

package/dist/offchain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"offchain.js","sourceRoot":"","sources":["../src/offchain.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyBA,0DA8DC;AAOD,4DAGC;AAmHD,sCA+BC;AAgFD,sDAoBC;AAvVD,iDAAmC;AACnC,2CAA6B;AAC7B,uCAAyB;AACzB,mCAAgC;AAQhC,qCAA2E;AAC3E,mCAAoC;AAEpC,gEAAgE;AAChE,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,sBAAsB,CAAC,CAAC;AAEzE;;;;;;;GAOG;AACI,KAAK,UAAU,uBAAuB,CAC3C,UAAiB,EACjB,UAAiB,EACjB,KAAa,EACb,MAAqB;IAErB,MAAM,UAAU,GAAG,MAAM,EAAE,UAAU,IAAI,mBAAmB,CAAC;IAE7D,2BAA2B;IAC3B,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,0BAAiB,CACzB,oFAAoF,CACrF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjF,MAAM,IAAI,0BAAiB,CACzB,oFAAoF,CACrF,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,0BAAiB,CACzB,kBAAkB,UAAU,CAAC,aAAa,CAAC,MAAM,uCAAuC,CACzF,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,0BAAiB,CACzB,kBAAkB,UAAU,CAAC,aAAa,CAAC,MAAM,uCAAuC,CACzF,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,2BAA2B,CAAC,CAAC;IACzE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,qCAA4B,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,+BAA+B,CAAC,CAAC;IAC7E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,qCAA4B,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,uDAAuD;IACvD,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAC7C,SAAS,EACT,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,KAAK,CACjB,CAAC;IAEF,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IACzC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAC7C,SAAS,EACT,UAAU,CAAC,aAAa,EACxB,UAAU,CAAC,KAAK,CACjB,CAAC;IAEF,OAAO;QACL,cAAc,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACnD,cAAc,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACnD,YAAY,EAAE,KAAK;QACnB,eAAe,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;QACpD,QAAQ,EAAE,UAAU,IAAI,UAAU;KACnC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,wBAAwB,CAAC,MAAuB;IACpE,MAAM,KAAK,GAAG,MAAM,IAAA,iBAAS,EAAC,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1E,OAAO,IAAA,iBAAS,EAAC,MAAM,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;AACjD,CAAC;AAED;;;;;;;GAOG;AACH,MAAa,yBAAyB;IAC5B,QAAQ,GAAsB,EAAE,CAAC;IACjC,WAAW,GAAa,EAAE,CAAC;IAC3B,UAAU,GAAkB,IAAI,CAAC;IAEzC,uCAAuC;IACvC,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,GAAG,CAAC,MAAuB;QAC/B,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAI,0BAAiB,CACzB,uEAAuE,CACxE,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;QACxC,MAAM,UAAU,GAAG,MAAM,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAE1D,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,mBAAmB;QAE3C,OAAO;YACL,GAAG,MAAM;YACT,UAAU;SACX,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,aAAa;QACjB,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,UAAU,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,UAAU,GAAG,MAAM,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CACvB,YAAoB;QAEpB,IAAI,YAAY,GAAG,CAAC,IAAI,YAAY,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;YAC7D,MAAM,IAAI,0BAAiB,CACzB,iBAAiB,YAAY,6BAA6B,IAAI,CAAC,QAAQ,CAAC,MAAM,aAAa,CAC5F,CAAC;QACJ,CAAC;QAED,OAAO,wBAAwB,CAAC,IAAI,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IAClE,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,KAAa;QACzB,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC;YAClD,MAAM,IAAI,0BAAiB,CACzB,SAAS,KAAK,6BAA6B,IAAI,CAAC,WAAW,CAAC,MAAM,aAAa,CAChF,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/B,CAAC;CACF;AA3FD,8DA2FC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,aAAa,CACjC,KAAgC,EAChC,MAAqB,EACrB,eAAuB;IAEvB,IAAI,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,0BAAiB,CAAC,wCAAwC,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE,CAAC;IAEzC,gFAAgF;IAChF,sEAAsE;IACtE,MAAM,GAAG,GAAG;QACV,qEAAqE;QACrE,sFAAsF;KACvF,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,eAAM,CAAC,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;IACnE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;IAEhC,MAAM,SAAS,GAAG,OAAO,EAAE,WAAW;QACpC,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,QAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,EAAE,SAAS,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QACpG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAElC,OAAO;QACL,IAAI;QACJ,SAAS;QACT,YAAY,EAAE,KAAK,CAAC,IAAI;KACzB,CAAC;AACJ,CAAC;AAED,yDAAyD;AAEzD;;GAEG;AACH,SAAS,eAAe,CAAC,MAAgB;IACvC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IACrC,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,OAAO,IAAI,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QAC5B,IAAI,IAAI,CAAC,CAAC;IACZ,CAAC;IACD,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAC3B,OAAO,MAAM,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,uBAAuB,CAAC,MAAgB;IACrD,IAAI,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAEpC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,KAAK,GAAG,SAAS,CAAC;IACpB,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,wBAAwB,CACrC,MAAgB,EAChB,KAAa;IAEb,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC,IAAI,KAAK,GAAG,MAAM,CAAC;IACnB,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,YAAY,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC;QAClF,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC;QACnC,WAAW,CAAC,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,sBAAsB;QAE1D,mBAAmB;QACnB,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAA,iBAAS,EAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,KAAK,GAAG,SAAS,CAAC;QAClB,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,qBAAqB,CACzC,IAAY,EACZ,QAAkB,EAClB,WAAqB,EACrB,YAAoB;IAEpB,IAAI,QAAQ,CAAC,MAAM,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC;QAC3C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,GAAG,IAAI,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,IAAI,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,GAAG,MAAM,IAAA,iBAAS,EAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,IAAA,iBAAS,EAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,KAAK,YAAY,CAAC;AAClC,CAAC"}

package/dist/prover.d.ts

@@ -0,0 +1,21 @@
+import { Proof } from './types';
+/**
+ * Prover backend selection.
+ *   - 'auto'       : use rapidsnark if available, else snarkjs
+ *   - 'rapidsnark' : require rapidsnark, throw if missing
+ *   - 'snarkjs'    : always use snarkjs (slower, pure JS)
+ */
+export type ProverBackend = 'auto' | 'rapidsnark' | 'snarkjs';
+/**
+ * Generate a Groth16 proof using the fastest available backend.
+ * rapidsnark is ~5x faster than snarkjs but requires the native binary.
+ *
+ * @param input - Circuit input (string-encoded bigints)
+ * @param wasmPath - Path to circuit_js/circuit.wasm (witness generator)
+ * @param zkeyPath - Path to circuit_final.zkey
+ * @param backend - 'auto' (default), 'rapidsnark', or 'snarkjs'
+ */
+export declare function proveGroth16(input: Record<string, unknown>, wasmPath: string, zkeyPath: string, backend?: ProverBackend): Promise<Proof>;
+/** Returns the active backend that would be used (for diagnostics/logging). */
+export declare function activeProverBackend(backend?: ProverBackend): 'rapidsnark' | 'snarkjs';
+//# sourceMappingURL=prover.d.ts.map

package/dist/prover.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prover.d.ts","sourceRoot":"","sources":["../src/prover.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,YAAY,GAAG,SAAS,CAAC;AAqH9D;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,aAAsB,GAC9B,OAAO,CAAC,KAAK,CAAC,CAuBhB;AAED,+EAA+E;AAC/E,wBAAgB,mBAAmB,CAAC,OAAO,GAAE,aAAsB,GAAG,YAAY,GAAG,SAAS,CAI7F"}