@cavos/cli 0.0.1

package/dist/index.js

@@ -0,0 +1,1151 @@
+'use strict';
+
+var starknet = require('starknet');
+var crypto = require('crypto');
+var fs = require('fs');
+var path = require('path');
+var os = require('os');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
+var path__namespace = /*#__PURE__*/_interopNamespace(path);
+var os__namespace = /*#__PURE__*/_interopNamespace(os);
+
+// src/CavosAgent.ts
+function getRandomBytes(length) {
+  return new Uint8Array(crypto.randomBytes(length));
+}
+function randomFieldElement() {
+  const bytes = getRandomBytes(32);
+  const hex = Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return BigInt("0x" + hex) % 2n ** 251n;
+}
+function base64UrlToBase64(base64url) {
+  return base64url.replace(/-/g, "+").replace(/_/g, "/").padEnd(base64url.length + (4 - base64url.length % 4) % 4, "=");
+}
+function base64UrlToBytes(base64url) {
+  const base64 = base64UrlToBase64(base64url);
+  const buf = Buffer.from(base64, "base64");
+  return new Uint8Array(buf);
+}
+function bytesToU128Limbs(bytes) {
+  const limbs = [];
+  for (let i = 15; i >= 0; i--) {
+    let limb = 0n;
+    for (let j = 0; j < 16; j++) {
+      const byteIdx = i * 16 + j;
+      if (byteIdx < bytes.length) {
+        limb = limb * 256n + BigInt(bytes[byteIdx]);
+      }
+    }
+    limbs.push(starknet.num.toHex(limb));
+  }
+  return limbs;
+}
+function subToFelt(sub) {
+  try {
+    const subBigInt = BigInt(sub);
+    if (subBigInt < 2n ** 251n) {
+      return starknet.num.toHex(subBigInt);
+    }
+  } catch {
+  }
+  return stringToFelt(sub);
+}
+function stringToFelt(str) {
+  const bytes = Buffer.from(str, "utf-8");
+  let result = 0n;
+  for (let i = 0; i < bytes.length && i < 31; i++) {
+    result = result * 256n + BigInt(bytes[i]);
+  }
+  return starknet.num.toHex(result);
+}
+function parseJWT(jwt) {
+  const parts = jwt.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Invalid JWT format");
+  }
+  const payload = JSON.parse(Buffer.from(base64UrlToBase64(parts[1]), "base64").toString("utf-8"));
+  return {
+    sub: payload.sub,
+    nonce: payload.nonce,
+    exp: payload.exp,
+    iss: payload.iss,
+    aud: Array.isArray(payload.aud) ? payload.aud[0] : payload.aud
+  };
+}
+function extractKidFromJwt(jwt) {
+  const parts = jwt.split(".");
+  const header = JSON.parse(Buffer.from(base64UrlToBase64(parts[0]), "base64").toString("utf-8"));
+  return header.kid || "";
+}
+function findClaimOffsets(jwt) {
+  const parts = jwt.split(".");
+  const headerJson = JSON.parse(Buffer.from(base64UrlToBase64(parts[0]), "base64").toString("utf-8"));
+  const payloadJson = JSON.parse(Buffer.from(base64UrlToBase64(parts[1]), "base64").toString("utf-8"));
+  const subValue = payloadJson.sub || "";
+  const nonceValue = payloadJson.nonce || "";
+  const kidValue = headerJson.kid || "";
+  const decodedPayload = Buffer.from(base64UrlToBase64(parts[1]), "base64").toString("utf-8");
+  const decodedHeader = Buffer.from(base64UrlToBase64(parts[0]), "base64").toString("utf-8");
+  const findClaimValueOffset = (decoded, key, value) => {
+    const exactPattern = `"${key}":"${value}"`;
+    let idx = decoded.indexOf(exactPattern);
+    if (idx >= 0) return idx + key.length + 4;
+    const spacedPattern = `"${key}": "${value}"`;
+    idx = decoded.indexOf(spacedPattern);
+    if (idx >= 0) return idx + key.length + 5;
+    const keyPattern = `"${key}"`;
+    idx = decoded.indexOf(keyPattern);
+    if (idx >= 0) {
+      const colonIdx = decoded.indexOf(":", idx + key.length + 2);
+      if (colonIdx >= 0) {
+        const valueQuoteIdx = decoded.indexOf('"', colonIdx + 1);
+        if (valueQuoteIdx >= 0) return valueQuoteIdx + 1;
+      }
+    }
+    return -1;
+  };
+  const subValueStart = findClaimValueOffset(decodedPayload, "sub", subValue);
+  if (subValueStart < 0) throw new Error("Failed to find sub claim in JWT payload");
+  const nonceValueStart = findClaimValueOffset(decodedPayload, "nonce", nonceValue);
+  if (nonceValueStart < 0) throw new Error("Failed to find nonce claim in JWT payload");
+  const kidValueStart = findClaimValueOffset(decodedHeader, "kid", kidValue);
+  if (kidValueStart < 0) throw new Error("Failed to find kid claim in JWT header");
+  return {
+    sub_offset: subValueStart,
+    sub_len: subValue.length,
+    nonce_offset: nonceValueStart,
+    nonce_len: nonceValue.length,
+    kid_offset: kidValueStart,
+    kid_len: kidValue.length
+  };
+}
+function computeMerkleRoot(contracts) {
+  if (contracts.length === 0) return "0x0";
+  let leaves = contracts.map(
+    (c) => starknet.hash.computePoseidonHashOnElements([starknet.num.toHex(c)])
+  );
+  leaves.sort((a, b) => {
+    const aBig = BigInt(a);
+    const bBig = BigInt(b);
+    if (aBig < bBig) return -1;
+    if (aBig > bBig) return 1;
+    return 0;
+  });
+  while (leaves.length > 1) {
+    const nextLevel = [];
+    for (let i = 0; i < leaves.length; i += 2) {
+      if (i + 1 < leaves.length) {
+        const left = leaves[i];
+        const right = leaves[i + 1];
+        const leftBig = BigInt(left);
+        const rightBig = BigInt(right);
+        if (leftBig < rightBig) {
+          nextLevel.push(starknet.hash.computePoseidonHashOnElements([left, right]));
+        } else {
+          nextLevel.push(starknet.hash.computePoseidonHashOnElements([right, left]));
+        }
+      } else {
+        nextLevel.push(leaves[i]);
+      }
+    }
+    leaves = nextLevel;
+  }
+  return leaves[0];
+}
+function computeMerkleProof(contracts, targetContract) {
+  if (contracts.length === 0) return [];
+  let leaves = contracts.map(
+    (c) => starknet.hash.computePoseidonHashOnElements([starknet.num.toHex(c)])
+  );
+  leaves.sort((a, b) => {
+    const aBig = BigInt(a);
+    const bBig = BigInt(b);
+    if (aBig < bBig) return -1;
+    if (aBig > bBig) return 1;
+    return 0;
+  });
+  const targetLeaf = starknet.hash.computePoseidonHashOnElements([starknet.num.toHex(targetContract)]);
+  let targetIdx = leaves.indexOf(targetLeaf);
+  if (targetIdx === -1) return [];
+  const proof = [];
+  let currentLevel = [...leaves];
+  while (currentLevel.length > 1) {
+    const nextLevel = [];
+    let nextTargetIdx = -1;
+    for (let i = 0; i < currentLevel.length; i += 2) {
+      if (i + 1 < currentLevel.length) {
+        const left = currentLevel[i];
+        const right = currentLevel[i + 1];
+        if (i === targetIdx || i + 1 === targetIdx) {
+          proof.push(i === targetIdx ? right : left);
+          nextTargetIdx = Math.floor(i / 2);
+        }
+        const leftBig = BigInt(left);
+        const rightBig = BigInt(right);
+        if (leftBig < rightBig) {
+          nextLevel.push(starknet.hash.computePoseidonHashOnElements([left, right]));
+        } else {
+          nextLevel.push(starknet.hash.computePoseidonHashOnElements([right, left]));
+        }
+      } else {
+        if (i === targetIdx) {
+          nextTargetIdx = Math.floor(i / 2);
+        }
+        nextLevel.push(currentLevel[i]);
+      }
+    }
+    currentLevel = nextLevel;
+    targetIdx = nextTargetIdx;
+  }
+  return proof;
+}
+
+// src/utils/constants.ts
+var OAUTH_JWT_V1_MAGIC = "0x4f415554485f4a57545f5631";
+var SESSION_V1_MAGIC = "0x53455353494f4e5f5631";
+var STARK_CURVE_ORDER = BigInt("0x800000000000010ffffffffffffffffb781126dcae7b2321e66a241adc64d2f");
+var TOKENS_SEPOLIA = {
+  STRK: "0x04718f5a0Fc34cC1AF16A1cdee98fFB20C31f5cD61D6Ab07201858f4287c938D",
+  ETH: "0x049d36570d4e46f48e99674bd3fcc84644ddd6b96f7c741b1562b82f9e004dc7"
+};
+var TOKENS_MAINNET = {
+  STRK: "0x04718f5a0Fc34cC1AF16A1cdee98fFB20C31f5cD61D6Ab07201858f4287c938D",
+  ETH: "0x049d36570d4e46f48e99674bd3fcc84644ddd6b96f7c741b1562b82f9e004dc7"
+};
+var DEFAULT_RPC = {
+  mainnet: "https://starknet-mainnet.g.alchemy.com/starknet/version/rpc/v0_10/dql5pMT88iueZWl7L0yzT56uVk0EBU4L",
+  sepolia: "https://starknet-sepolia.g.alchemy.com/starknet/version/rpc/v0_10/dql5pMT88iueZWl7L0yzT56uVk0EBU4L"
+};
+var DEFAULT_OAUTH_CONFIG_SEPOLIA = {
+  jwksRegistryAddress: "0x05a19f14719dec9e27eb2aa38c5b68277bdb5c41570e548504722f737a3da6c6",
+  cavosAccountClassHash: "0x40f4075372d7b9b964910755dcdf96935280c8b675272f656b2d43d1ae4bbf4"
+};
+var DEFAULT_OAUTH_CONFIG_MAINNET = {
+  jwksRegistryAddress: "0x07787f624d6869ae306dc17b49174b284dbadd1e999c1c8733ce72eb7ac518c2",
+  cavosAccountClassHash: "0x40f4075372d7b9b964910755dcdf96935280c8b675272f656b2d43d1ae4bbf4"
+};
+var DEFAULT_BACKEND_URL = "https://cavos.xyz";
+var DEFAULT_PAYMASTER_KEY = "c37c52b7-ea5a-4426-8121-329a78354b0b";
+
+// src/core/SessionKeyManager.ts
+function generateSessionKeyPair() {
+  const randomBytes2 = getRandomBytes(32);
+  let pk = BigInt("0x" + Array.from(randomBytes2).map((b) => b.toString(16).padStart(2, "0")).join(""));
+  pk = pk % (STARK_CURVE_ORDER - 1n) + 1n;
+  const privateKey = "0x" + pk.toString(16);
+  const publicKey = starknet.ec.starkCurve.getStarkKey(privateKey);
+  return { privateKey, publicKey };
+}
+function buildSessionSignature(transactionHash, sessionPrivateKey, sessionPubKey, calls, policy) {
+  const signature = starknet.ec.starkCurve.sign(transactionHash, sessionPrivateKey);
+  const sig = [
+    SESSION_V1_MAGIC,
+    starknet.num.toHex(signature.r),
+    starknet.num.toHex(signature.s),
+    sessionPubKey
+  ];
+  if (calls && policy?.allowedContracts?.length) {
+    for (const call of calls) {
+      const proof = computeMerkleProof(policy.allowedContracts, call.contractAddress);
+      sig.push(starknet.num.toHex(proof.length));
+      sig.push(...proof);
+    }
+  }
+  return sig;
+}
+async function buildJWTSignatureData(transactionHash, session, salt, backendUrl) {
+  const { jwt, sessionPrivateKey, sessionPubKey, nonceParams, jwtClaims } = session;
+  const signature = starknet.ec.starkCurve.sign(transactionHash, sessionPrivateKey);
+  const jwtParts = jwt.split(".");
+  const rsaSignature = base64UrlToBytes(jwtParts[2]);
+  const rsaLimbs = bytesToU128Limbs(rsaSignature);
+  const signedData = `${jwtParts[0]}.${jwtParts[1]}`;
+  const signedDataBytes = Buffer.from(signedData, "utf-8");
+  const offsets = findClaimOffsets(jwt);
+  const jwt_sub_felt = subToFelt(jwtClaims.sub);
+  const salt_hex = starknet.num.toHex(salt);
+  const packedBytes = [];
+  const PACK_SIZE = 31;
+  for (let i = 0; i < signedDataBytes.length; i += PACK_SIZE) {
+    let chunk = 0n;
+    const end = Math.min(i + PACK_SIZE, signedDataBytes.length);
+    for (let j = i; j < end; j++) {
+      chunk = chunk * 256n + BigInt(signedDataBytes[j]);
+    }
+    packedBytes.push(starknet.num.toHex(chunk));
+  }
+  const kid = extractKidFromJwt(jwt);
+  const iss = jwtClaims.iss;
+  const modulusLimbs = await fetchModulusForKid(kid, iss, backendUrl);
+  const { n_prime, r_sq } = calculateMontgomeryConstants(modulusLimbs);
+  const sig = [
+    OAUTH_JWT_V1_MAGIC,
+    starknet.num.toHex(signature.r),
+    starknet.num.toHex(signature.s),
+    sessionPubKey,
+    starknet.num.toHex(nonceParams.validUntil),
+    starknet.num.toHex(nonceParams.randomness),
+    jwt_sub_felt,
+    session.nonce,
+    starknet.num.toHex(jwtClaims.exp),
+    stringToFelt(kid),
+    stringToFelt(jwtClaims.iss),
+    stringToFelt(jwtClaims.aud),
+    salt_hex,
+    starknet.num.toHex(offsets.sub_offset),
+    starknet.num.toHex(offsets.sub_len),
+    starknet.num.toHex(offsets.nonce_offset),
+    starknet.num.toHex(offsets.nonce_len),
+    starknet.num.toHex(offsets.kid_offset),
+    starknet.num.toHex(offsets.kid_len),
+    starknet.num.toHex(16),
+    ...rsaLimbs,
+    starknet.num.toHex(16),
+    ...n_prime,
+    starknet.num.toHex(16),
+    ...r_sq,
+    starknet.num.toHex(signedDataBytes.length),
+    ...packedBytes
+  ];
+  sig.push(starknet.num.toHex(nonceParams.validAfter));
+  const policy = session.sessionPolicy;
+  if (policy) {
+    const merkleRoot = policy.allowedContracts.length > 0 ? computeMerkleRoot(policy.allowedContracts) : "0x0";
+    sig.push(merkleRoot);
+    sig.push(starknet.num.toHex(policy.maxCallsPerTx));
+    sig.push(starknet.num.toHex(policy.spendingLimits.length));
+    for (const limit of policy.spendingLimits) {
+      sig.push(starknet.num.toHex(limit.token));
+      const limitBig = BigInt(limit.limit);
+      sig.push(starknet.num.toHex(limitBig & (1n << 128n) - 1n));
+      sig.push(starknet.num.toHex(limitBig >> 128n));
+    }
+  } else {
+    sig.push("0x0");
+    sig.push(starknet.num.toHex(10));
+    sig.push(starknet.num.toHex(0));
+  }
+  return sig;
+}
+async function fetchModulusForKid(kid, issuer, backendUrl) {
+  let jwksUrl = "https://www.googleapis.com/oauth2/v3/certs";
+  if (issuer === "https://appleid.apple.com") {
+    jwksUrl = "https://appleid.apple.com/auth/keys";
+  } else if (issuer === "https://cavos.app/firebase") {
+    jwksUrl = `${backendUrl}/api/jwks/firebase`;
+  }
+  const response = await fetch(jwksUrl);
+  const data = await response.json();
+  const jwks = data.jwks || data;
+  if (!jwks.keys || !Array.isArray(jwks.keys)) {
+    throw new Error(`Invalid JWKS response from ${jwksUrl}`);
+  }
+  const key = jwks.keys.find((k) => k.kid === kid);
+  if (!key || !key.n) {
+    throw new Error(`Key not found for kid: ${kid}`);
+  }
+  const modulusBytes = base64UrlToBytes(key.n);
+  const limbs = bytesToU128Limbs(modulusBytes);
+  return limbs.map((l) => BigInt(l));
+}
+function calculateMontgomeryConstants(n_limbs) {
+  let n = 0n;
+  for (let i = 0; i < n_limbs.length; i++) {
+    n += n_limbs[i] * (1n << BigInt(i) * 128n);
+  }
+  const R = 1n << 2048n;
+  function modInverse(a, mod) {
+    let t = 0n, newt = 1n, r = mod, newr = a;
+    while (newr !== 0n) {
+      const q = r / newr;
+      [t, newt] = [newt, t - q * newt];
+      [r, newr] = [newr, r - q * newr];
+    }
+    if (r > 1n) throw new Error("n is not invertible");
+    if (t < 0n) t += mod;
+    return t;
+  }
+  const n_inv = modInverse(n, R);
+  const n_prime_val = (R - n_inv) % R;
+  const r_sq_val = R * R % n;
+  const toLimbs = (val) => {
+    const limbs = [];
+    for (let i = 0; i < 16; i++) {
+      const limb = val >> BigInt(i) * 128n & (1n << 128n) - 1n;
+      limbs.push(starknet.num.toHex(limb));
+    }
+    return limbs;
+  };
+  return { n_prime: toLimbs(n_prime_val), r_sq: toLimbs(r_sq_val) };
+}
+function computeNonce(params) {
+  return starknet.hash.computePoseidonHashOnElements([
+    params.sessionPubKey,
+    starknet.num.toHex(params.validUntil),
+    starknet.num.toHex(params.randomness)
+  ]);
+}
+function generateNonceParams(sessionPubKey, currentTimestamp, sessionDurationSeconds = 86400n, renewalGraceSeconds = 172800n) {
+  const randomness = randomFieldElement();
+  return {
+    sessionPubKey,
+    validAfter: currentTimestamp,
+    validUntil: currentTimestamp + sessionDurationSeconds,
+    renewalDeadline: currentTimestamp + renewalGraceSeconds,
+    randomness
+  };
+}
+function computeAddressSeed(sub, salt, walletName) {
+  const subFeltVal = subToFelt(sub);
+  let saltFelt = starknet.num.toHex(salt);
+  if (walletName) {
+    const nameFelt = stringToFelt(walletName);
+    saltFelt = starknet.hash.computePoseidonHashOnElements([saltFelt, nameFelt]);
+  }
+  return starknet.hash.computePoseidonHashOnElements([subFeltVal, saltFelt]);
+}
+function computeContractAddress(sub, salt, classHash, jwksRegistryAddress, walletName) {
+  const addressSeed = computeAddressSeed(sub, salt, walletName);
+  const constructorCalldata = [addressSeed, jwksRegistryAddress];
+  return starknet.hash.calculateContractAddressFromHash(
+    addressSeed,
+    classHash,
+    constructorCalldata,
+    0
+  );
+}
+async function isDeployed(provider, address) {
+  try {
+    const classHash = await provider.getClassHashAt(address, "latest");
+    return !!classHash;
+  } catch {
+    return false;
+  }
+}
+async function getSessionStatus(provider, walletAddress, sessionPubKey) {
+  try {
+    const result = await provider.callContract({
+      contractAddress: walletAddress,
+      entrypoint: "get_session",
+      calldata: [sessionPubKey]
+    }, "latest");
+    const nonce = BigInt(result[0]);
+    const validUntil = BigInt(result[2]);
+    const renewalDeadline = BigInt(result[3]);
+    const registered = nonce !== 0n;
+    if (!registered) {
+      return { registered: false, expired: false, canRenew: false };
+    }
+    const block = await provider.getBlock("latest");
+    const now = BigInt(block.timestamp);
+    const expired = now >= validUntil;
+    const canRenew = expired && now < renewalDeadline;
+    return { registered, expired, canRenew, validUntil, renewalDeadline };
+  } catch {
+    return { registered: false, expired: false, canRenew: false };
+  }
+}
+async function deployAccount(provider, session, classHash, jwksRegistryAddress, salt, paymasterApiKey, network, backendUrl) {
+  const deployed = await isDeployed(provider, session.walletAddress);
+  if (deployed) return "already-deployed";
+  const constructorCalldata = [
+    starknet.num.toHex(session.addressSeed),
+    starknet.num.toHex(jwksRegistryAddress)
+  ];
+  const baseUrl = network === "mainnet" ? "https://starknet.api.avnu.fi" : "https://sepolia.api.avnu.fi";
+  const buildResponse = await fetch(`${baseUrl}/paymaster/v1/build-typed-data`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session.walletAddress,
+      calls: [],
+      accountClassHash: classHash,
+      accountCalldata: constructorCalldata
+    })
+  });
+  if (!buildResponse.ok) {
+    const errText = await buildResponse.text();
+    if (errText.includes("already deployed")) return "already-deployed";
+    throw new Error(`Deploy build-typed-data failed: ${errText}`);
+  }
+  const paymasterTypedData = await buildResponse.json();
+  const messageHash = computeTypedDataHash(paymasterTypedData, session.walletAddress);
+  const signature = await buildJWTSignatureData(messageHash, session, salt, backendUrl);
+  const executeResponse = await fetch(`${baseUrl}/paymaster/v1/execute`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session.walletAddress,
+      typedData: JSON.stringify(paymasterTypedData),
+      signature
+    })
+  });
+  if (!executeResponse.ok) {
+    const errText = await executeResponse.text();
+    if (errText.includes("already deployed")) return "already-deployed";
+    throw new Error(`Deploy execute failed: ${errText}`);
+  }
+  const result = await executeResponse.json();
+  await provider.waitForTransaction(result.transactionHash);
+  return result.transactionHash;
+}
+async function execute(provider, session, calls, salt, paymasterApiKey, network, backendUrl) {
+  const callsArray = Array.isArray(calls) ? calls : [calls];
+  const status = await getSessionStatus(provider, session.walletAddress, session.sessionPubKey);
+  if (!status.registered) {
+    return executeWithAVNU(provider, session, callsArray, salt, paymasterApiKey, network, backendUrl, true);
+  }
+  if (status.expired && status.canRenew) {
+    throw new Error("SESSION_RENEWABLE: Session expired but can be renewed. Call renewSession() first.");
+  }
+  if (status.expired && !status.canRenew) {
+    throw new Error("SESSION_EXPIRED: Session expired outside grace period. Please login again.");
+  }
+  return executeWithAVNU(provider, session, callsArray, salt, paymasterApiKey, network, backendUrl, false);
+}
+async function executeWithAVNU(provider, session, calls, salt, paymasterApiKey, network, backendUrl, forceJWT) {
+  const baseUrl = network === "mainnet" ? "https://starknet.api.avnu.fi" : "https://sepolia.api.avnu.fi";
+  const formattedCalls = calls.map((call) => ({
+    contractAddress: call.contractAddress,
+    entrypoint: call.entrypoint,
+    calldata: call.calldata ? call.calldata.map((c) => starknet.num.toHex(c)) : []
+  }));
+  const buildResponse = await fetch(`${baseUrl}/paymaster/v1/build-typed-data`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session.walletAddress,
+      calls: formattedCalls
+    })
+  });
+  if (!buildResponse.ok) {
+    throw new Error(`Build typed data failed: ${await buildResponse.text()}`);
+  }
+  const paymasterTypedData = await buildResponse.json();
+  const messageHash = computeTypedDataHash(paymasterTypedData, session.walletAddress);
+  const signature = forceJWT ? await buildJWTSignatureData(messageHash, session, salt, backendUrl) : buildSessionSignature(
+    messageHash,
+    session.sessionPrivateKey,
+    session.sessionPubKey,
+    calls.map((c) => ({ contractAddress: c.contractAddress })),
+    session.sessionPolicy
+  );
+  const executeResponse = await fetch(`${baseUrl}/paymaster/v1/execute`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: session.walletAddress,
+      typedData: JSON.stringify(paymasterTypedData),
+      signature
+    })
+  });
+  if (!executeResponse.ok) {
+    const errorText = await executeResponse.text();
+    if (errorText.includes("Session expired")) {
+      throw new Error("SESSION_EXPIRED: Session has expired. Call renewSession() first.");
+    }
+    throw new Error(`Execute failed: ${errorText}`);
+  }
+  const result = await executeResponse.json();
+  return result.transactionHash;
+}
+async function renewSession(provider, oldSession, newSession, paymasterApiKey, network) {
+  const policy = newSession.sessionPolicy;
+  const allowedContractsRoot = policy?.allowedContracts?.length ? computeMerkleRoot(policy.allowedContracts) : "0x0";
+  const maxCallsPerTx = policy?.maxCallsPerTx ?? 10;
+  const message = starknet.hash.computePoseidonHashOnElements([
+    newSession.sessionPubKey,
+    newSession.nonce,
+    starknet.num.toHex(newSession.nonceParams.validAfter),
+    starknet.num.toHex(newSession.nonceParams.validUntil),
+    starknet.num.toHex(newSession.nonceParams.renewalDeadline),
+    allowedContractsRoot,
+    starknet.num.toHex(maxCallsPerTx)
+  ]);
+  const oldSignature = starknet.ec.starkCurve.sign(message, oldSession.sessionPrivateKey);
+  const spendingCalldata = [];
+  if (policy?.spendingLimits?.length) {
+    spendingCalldata.push(starknet.num.toHex(policy.spendingLimits.length));
+    for (const limit of policy.spendingLimits) {
+      spendingCalldata.push(starknet.num.toHex(limit.token));
+      const limitBig = BigInt(limit.limit);
+      spendingCalldata.push(starknet.num.toHex(limitBig & (1n << 128n) - 1n));
+      spendingCalldata.push(starknet.num.toHex(limitBig >> 128n));
+    }
+  } else {
+    spendingCalldata.push(starknet.num.toHex(0));
+  }
+  const renewCall = {
+    contractAddress: oldSession.walletAddress,
+    entrypoint: "renew_session",
+    calldata: [
+      oldSession.sessionPubKey,
+      starknet.num.toHex(oldSignature.r),
+      starknet.num.toHex(oldSignature.s),
+      newSession.sessionPubKey,
+      newSession.nonce,
+      starknet.num.toHex(newSession.nonceParams.validAfter),
+      starknet.num.toHex(newSession.nonceParams.validUntil),
+      starknet.num.toHex(newSession.nonceParams.renewalDeadline),
+      allowedContractsRoot,
+      starknet.num.toHex(maxCallsPerTx),
+      ...spendingCalldata
+    ]
+  };
+  const baseUrl = network === "mainnet" ? "https://starknet.api.avnu.fi" : "https://sepolia.api.avnu.fi";
+  const buildResponse = await fetch(`${baseUrl}/paymaster/v1/build-typed-data`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: oldSession.walletAddress,
+      calls: [{
+        contractAddress: renewCall.contractAddress,
+        entrypoint: renewCall.entrypoint,
+        calldata: renewCall.calldata
+      }]
+    })
+  });
+  if (!buildResponse.ok) {
+    throw new Error(`Renew build-typed-data failed: ${await buildResponse.text()}`);
+  }
+  const paymasterTypedData = await buildResponse.json();
+  const messageHash = computeTypedDataHash(paymasterTypedData, oldSession.walletAddress);
+  const signature = buildSessionSignature(
+    messageHash,
+    oldSession.sessionPrivateKey,
+    oldSession.sessionPubKey
+  );
+  const executeResponse = await fetch(`${baseUrl}/paymaster/v1/execute`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "api-key": paymasterApiKey
+    },
+    body: JSON.stringify({
+      userAddress: oldSession.walletAddress,
+      typedData: JSON.stringify(paymasterTypedData),
+      signature
+    })
+  });
+  if (!executeResponse.ok) {
+    const errorText = await executeResponse.text();
+    if (errorText.includes("Renewal period expired")) {
+      throw new Error("Grace period expired. Please login again.");
+    }
+    throw new Error(`Renew session failed: ${errorText}`);
+  }
+  const result = await executeResponse.json();
+  return result.transactionHash;
+}
+async function revokeSession(provider, session, sessionKeyToRevoke, salt, paymasterApiKey, network, backendUrl) {
+  const revokeCall = {
+    contractAddress: session.walletAddress,
+    entrypoint: "revoke_session",
+    calldata: [sessionKeyToRevoke]
+  };
+  return execute(provider, session, [revokeCall], salt, paymasterApiKey, network, backendUrl);
+}
+async function emergencyRevokeAllSessions(provider, session, salt, paymasterApiKey, network, backendUrl) {
+  const revokeCall = {
+    contractAddress: session.walletAddress,
+    entrypoint: "emergency_revoke",
+    calldata: []
+  };
+  return execute(provider, session, [revokeCall], salt, paymasterApiKey, network, backendUrl);
+}
+async function getBalance(provider, tokenAddress, walletAddress) {
+  const result = await provider.callContract({
+    contractAddress: tokenAddress,
+    entrypoint: "balanceOf",
+    calldata: [walletAddress]
+  });
+  const low = BigInt(result[0]);
+  const high = BigInt(result[1]);
+  return low + (high << 128n);
+}
+function computeTypedDataHash(paymasterTypedData, address) {
+  return starknet.typedData.getMessageHash(paymasterTypedData, address);
+}
+
+// src/auth/FirebaseAuth.ts
+async function firebaseLogin(backendUrl, appId, email, password, nonce) {
+  const response = await fetch(`${backendUrl}/api/oauth/firebase/login`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ email, password, nonce, app_id: appId })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ error: "Login failed" }));
+    if (error.error === "email_not_verified") {
+      throw new Error("Email not verified. Please verify your email on agent.cavos.xyz first.");
+    }
+    throw new Error(error.error || "Login failed");
+  }
+  const { jwt } = await response.json();
+  const claims = parseJWT(jwt);
+  if (claims.nonce !== nonce) {
+    throw new Error("JWT nonce mismatch. Possible replay attack.");
+  }
+  return { jwt, claims };
+}
+async function validateApp(backendUrl, appId, network) {
+  try {
+    const response = await fetch(
+      `${backendUrl}/api/apps/${appId}/validate?network=${network}`
+    );
+    if (!response.ok) return { allowed: true };
+    const result = await response.json();
+    return { allowed: result.allowed !== false, appSalt: result.app_salt };
+  } catch {
+    return { allowed: true };
+  }
+}
+var CAVOS_DIR = path__namespace.join(os__namespace.homedir(), ".cavos");
+var SESSIONS_DIR = path__namespace.join(CAVOS_DIR, "sessions");
+var CONFIG_FILE = path__namespace.join(CAVOS_DIR, "config.json");
+function ensureDir(dir) {
+  if (!fs__namespace.existsSync(dir)) {
+    fs__namespace.mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+}
+function saveSession(appId, session) {
+  ensureDir(SESSIONS_DIR);
+  const stored = {
+    sessionPrivateKey: session.sessionPrivateKey,
+    sessionPubKey: session.sessionPubKey,
+    nonceParams: {
+      sessionPubKey: session.nonceParams.sessionPubKey,
+      validAfter: session.nonceParams.validAfter.toString(),
+      validUntil: session.nonceParams.validUntil.toString(),
+      renewalDeadline: session.nonceParams.renewalDeadline.toString(),
+      randomness: session.nonceParams.randomness.toString()
+    },
+    nonce: session.nonce,
+    jwt: session.jwt,
+    jwtClaims: session.jwtClaims,
+    walletAddress: session.walletAddress,
+    addressSeed: session.addressSeed,
+    sessionPolicy: session.sessionPolicy ? {
+      spendingLimits: session.sessionPolicy.spendingLimits.map((sl) => ({
+        token: sl.token,
+        limit: sl.limit.toString()
+      })),
+      allowedContracts: session.sessionPolicy.allowedContracts,
+      maxCallsPerTx: session.sessionPolicy.maxCallsPerTx
+    } : void 0,
+    appSalt: session.appSalt,
+    walletName: session.walletName
+  };
+  const filePath = path__namespace.join(SESSIONS_DIR, `${appId}.json`);
+  fs__namespace.writeFileSync(filePath, JSON.stringify(stored, null, 2), { mode: 384 });
+}
+function loadSession(appId) {
+  const filePath = path__namespace.join(SESSIONS_DIR, `${appId}.json`);
+  if (!fs__namespace.existsSync(filePath)) return null;
+  try {
+    const stored = JSON.parse(fs__namespace.readFileSync(filePath, "utf-8"));
+    return {
+      sessionPrivateKey: stored.sessionPrivateKey,
+      sessionPubKey: stored.sessionPubKey,
+      nonceParams: {
+        sessionPubKey: stored.nonceParams.sessionPubKey,
+        validAfter: BigInt(stored.nonceParams.validAfter),
+        validUntil: BigInt(stored.nonceParams.validUntil),
+        renewalDeadline: BigInt(stored.nonceParams.renewalDeadline),
+        randomness: BigInt(stored.nonceParams.randomness)
+      },
+      nonce: stored.nonce,
+      jwt: stored.jwt,
+      jwtClaims: stored.jwtClaims,
+      walletAddress: stored.walletAddress,
+      addressSeed: stored.addressSeed,
+      sessionPolicy: stored.sessionPolicy ? {
+        spendingLimits: stored.sessionPolicy.spendingLimits.map((sl) => ({
+          token: sl.token,
+          limit: BigInt(sl.limit)
+        })),
+        allowedContracts: stored.sessionPolicy.allowedContracts,
+        maxCallsPerTx: stored.sessionPolicy.maxCallsPerTx
+      } : void 0,
+      appSalt: stored.appSalt,
+      walletName: stored.walletName
+    };
+  } catch {
+    return null;
+  }
+}
+function deleteSession(appId) {
+  const filePath = path__namespace.join(SESSIONS_DIR, `${appId}.json`);
+  if (fs__namespace.existsSync(filePath)) {
+    fs__namespace.unlinkSync(filePath);
+  }
+}
+path__namespace.join(CAVOS_DIR, "policy.json");
+function saveConfig(config) {
+  ensureDir(CAVOS_DIR);
+  const existing = loadConfig();
+  const merged = { ...existing, ...config };
+  fs__namespace.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2), { mode: 384 });
+}
+function loadConfig() {
+  if (!fs__namespace.existsSync(CONFIG_FILE)) return {};
+  try {
+    return JSON.parse(fs__namespace.readFileSync(CONFIG_FILE, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+
+// src/CavosAgent.ts
+var CavosAgent = class {
+  constructor(config) {
+    this.session = null;
+    this.appSalt = null;
+    const network = config.network ?? "sepolia";
+    const backendUrl = config.backendUrl ?? DEFAULT_BACKEND_URL;
+    const rpcUrl = config.starknetRpcUrl ?? DEFAULT_RPC[network];
+    this.config = { ...config, network, backendUrl };
+    this.provider = new starknet.RpcProvider({ nodeUrl: rpcUrl });
+    const envToken = process.env.CAVOS_TOKEN || process.env.CAVOS_SESSION_TOKEN;
+    if (envToken) {
+      try {
+        const sessionData = JSON.parse(Buffer.from(envToken, "base64").toString());
+        this.session = sessionData;
+        this.appSalt = sessionData.appSalt ?? null;
+      } catch (e) {
+        console.warn(`[CavosAgent] Failed to parse session token: ${e}`);
+      }
+    } else {
+      this.restoreSession();
+    }
+  }
+  // ============ Auth ============
+  /**
+   * Login with Firebase email/password.
+   * Generates session keys, authenticates, and persists the session.
+   */
+  async login(email, password, walletName) {
+    const { appId, network, backendUrl } = this.config;
+    const { allowed, appSalt } = await validateApp(backendUrl, appId, network);
+    if (!allowed) {
+      throw new Error("App not allowed or subscription limit reached.");
+    }
+    this.appSalt = appSalt ?? "0x0";
+    const { privateKey, publicKey } = generateSessionKeyPair();
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    const duration = BigInt(this.config.sessionDuration ?? 86400);
+    const grace = BigInt(this.config.renewalGracePeriod ?? 172800);
+    const nonceParams = generateNonceParams(publicKey, now, duration, grace);
+    const nonce = computeNonce(nonceParams);
+    const { jwt, claims } = await firebaseLogin(backendUrl, appId, email, password, nonce);
+    const oauthConfig = network === "mainnet" ? DEFAULT_OAUTH_CONFIG_MAINNET : DEFAULT_OAUTH_CONFIG_SEPOLIA;
+    const addressSeed = computeAddressSeed(claims.sub, this.appSalt, walletName);
+    const walletAddress = computeContractAddress(
+      claims.sub,
+      this.appSalt,
+      oauthConfig.cavosAccountClassHash,
+      oauthConfig.jwksRegistryAddress,
+      walletName
+    );
+    this.session = {
+      jwt,
+      sessionPrivateKey: privateKey,
+      sessionPubKey: publicKey,
+      nonce,
+      nonceParams,
+      jwtClaims: claims,
+      walletAddress,
+      addressSeed,
+      appSalt: this.appSalt,
+      sessionPolicy: this.config.policy,
+      walletName
+    };
+    saveSession(appId, this.session);
+    saveConfig({ defaultAppId: appId, network });
+  }
+  /**
+   * Login using a pre-existing JWT token.
+   * Useful for non-interactive agents or CI/CD.
+   */
+  async loginWithJWT(jwt, walletName) {
+    const { appId, network, backendUrl } = this.config;
+    const { allowed, appSalt } = await validateApp(backendUrl, appId, network);
+    if (!allowed) {
+      throw new Error("App not allowed or subscription limit reached.");
+    }
+    this.appSalt = appSalt ?? "0x0";
+    const claims = parseJWT(jwt);
+    const { privateKey, publicKey } = generateSessionKeyPair();
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    const duration = BigInt(this.config.sessionDuration ?? 86400);
+    const grace = BigInt(this.config.renewalGracePeriod ?? 172800);
+    const nonceParams = generateNonceParams(publicKey, now, duration, grace);
+    const nonce = computeNonce(nonceParams);
+    const oauthConfig = network === "mainnet" ? DEFAULT_OAUTH_CONFIG_MAINNET : DEFAULT_OAUTH_CONFIG_SEPOLIA;
+    const addressSeed = computeAddressSeed(claims.sub, this.appSalt, walletName);
+    const walletAddress = computeContractAddress(
+      claims.sub,
+      this.appSalt,
+      oauthConfig.cavosAccountClassHash,
+      oauthConfig.jwksRegistryAddress,
+      walletName
+    );
+    this.session = {
+      jwt,
+      sessionPrivateKey: privateKey,
+      sessionPubKey: publicKey,
+      nonce,
+      nonceParams,
+      jwtClaims: claims,
+      walletAddress,
+      addressSeed,
+      appSalt: this.appSalt,
+      sessionPolicy: this.config.policy,
+      walletName
+    };
+    saveSession(appId, this.session);
+    saveConfig({ defaultAppId: appId, network });
+  }
+  /**
+   * Check if the agent has a valid session.
+   */
+  isAuthenticated() {
+    return this.session !== null;
+  }
+  /**
+   * Get the wallet address.
+   */
+  getAddress() {
+    return this.session?.walletAddress ?? null;
+  }
+  /**
+   * Logout — clear the persisted session.
+   */
+  logout() {
+    deleteSession(this.config.appId);
+    this.session = null;
+    this.appSalt = null;
+  }
+  // ============ Transactions ============
+  /**
+   * Execute one or more calls via paymaster.
+   * Handles session registration automatically on first call.
+   */
+  async execute(calls) {
+    this.ensureSession();
+    return execute(
+      this.provider,
+      this.session,
+      calls,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  /**
+   * Transfer ERC-20 tokens.
+   */
+  async transfer(tokenAddress, to, amount) {
+    const low = starknet.num.toHex(amount & (1n << 128n) - 1n);
+    const high = starknet.num.toHex(amount >> 128n);
+    return this.execute({
+      contractAddress: tokenAddress,
+      entrypoint: "transfer",
+      calldata: [to, low, high]
+    });
+  }
+  /**
+   * Approve ERC-20 spending.
+   */
+  async approve(tokenAddress, spender, amount) {
+    const low = starknet.num.toHex(amount & (1n << 128n) - 1n);
+    const high = starknet.num.toHex(amount >> 128n);
+    return this.execute({
+      contractAddress: tokenAddress,
+      entrypoint: "approve",
+      calldata: [spender, low, high]
+    });
+  }
+  /**
+   * Deploy the account contract.
+   */
+  async deploy() {
+    this.ensureSession();
+    const oauthConfig = this.config.network === "mainnet" ? DEFAULT_OAUTH_CONFIG_MAINNET : DEFAULT_OAUTH_CONFIG_SEPOLIA;
+    return deployAccount(
+      this.provider,
+      this.session,
+      oauthConfig.cavosAccountClassHash,
+      oauthConfig.jwksRegistryAddress,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  // ============ Queries ============
+  /**
+   * Get ERC-20 balance.
+   */
+  async getBalance(tokenAddress) {
+    this.ensureSession();
+    const tokens = this.config.network === "mainnet" ? TOKENS_MAINNET : TOKENS_SEPOLIA;
+    const token = tokenAddress ?? tokens.STRK;
+    return getBalance(this.provider, token, this.session.walletAddress);
+  }
+  /**
+   * Check if the account is deployed.
+   */
+  async isDeployed() {
+    this.ensureSession();
+    return isDeployed(this.provider, this.session.walletAddress);
+  }
+  /**
+   * Get on-chain session status.
+   */
+  async getSessionStatus() {
+    this.ensureSession();
+    return getSessionStatus(this.provider, this.session.walletAddress, this.session.sessionPubKey);
+  }
+  // ============ Session Management ============
+  /**
+   * Renew the current session (if in grace period).
+   */
+  async renewSession() {
+    this.ensureSession();
+    const oldSession = this.session;
+    const { privateKey, publicKey } = generateSessionKeyPair();
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    const duration = BigInt(this.config.sessionDuration ?? 86400);
+    const grace = BigInt(this.config.renewalGracePeriod ?? 172800);
+    const nonceParams = generateNonceParams(publicKey, now, duration, grace);
+    const nonce = computeNonce(nonceParams);
+    const txHash = await renewSession(
+      this.provider,
+      oldSession,
+      { sessionPubKey: publicKey, nonce, nonceParams, sessionPolicy: this.config.policy },
+      this.getPaymasterKey(),
+      this.config.network
+    );
+    this.session = {
+      ...oldSession,
+      sessionPrivateKey: privateKey,
+      sessionPubKey: publicKey,
+      nonce,
+      nonceParams,
+      sessionPolicy: this.config.policy
+    };
+    saveSession(this.config.appId, this.session);
+    return txHash;
+  }
+  /**
+   * Revoke a specific session key (defaults to current).
+   */
+  async revokeSession(sessionKey) {
+    this.ensureSession();
+    const keyToRevoke = sessionKey ?? this.session.sessionPubKey;
+    return revokeSession(
+      this.provider,
+      this.session,
+      keyToRevoke,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  /**
+   * Emergency revoke all sessions.
+   */
+  async emergencyRevokeAll() {
+    this.ensureSession();
+    return emergencyRevokeAllSessions(
+      this.provider,
+      this.session,
+      this.getSalt(),
+      this.getPaymasterKey(),
+      this.config.network,
+      this.config.backendUrl
+    );
+  }
+  // ============ Internals ============
+  ensureSession() {
+    if (!this.session) {
+      throw new Error("Not authenticated. Call login() first.");
+    }
+  }
+  getSalt() {
+    return this.appSalt ?? "0x0";
+  }
+  getPaymasterKey() {
+    return this.config.paymasterApiKey ?? DEFAULT_PAYMASTER_KEY;
+  }
+  restoreSession() {
+    const stored = loadSession(this.config.appId);
+    if (!stored) return;
+    this.session = {
+      jwt: stored.jwt ?? "",
+      sessionPrivateKey: stored.sessionPrivateKey,
+      sessionPubKey: stored.sessionPubKey,
+      nonce: stored.nonce,
+      nonceParams: stored.nonceParams,
+      jwtClaims: stored.jwtClaims ?? { sub: "", nonce: "", exp: 0, iss: "", aud: "" },
+      walletAddress: stored.walletAddress ?? "",
+      addressSeed: stored.addressSeed ?? "",
+      sessionPolicy: stored.sessionPolicy,
+      appSalt: stored.appSalt,
+      walletName: stored.walletName
+    };
+    this.appSalt = stored.appSalt ?? null;
+  }
+};
+
+exports.CavosAgent = CavosAgent;
+exports.TOKENS_MAINNET = TOKENS_MAINNET;
+exports.TOKENS_SEPOLIA = TOKENS_SEPOLIA;
+exports.buildJWTSignatureData = buildJWTSignatureData;
+exports.buildSessionSignature = buildSessionSignature;
+exports.computeAddressSeed = computeAddressSeed;
+exports.computeContractAddress = computeContractAddress;
+exports.computeMerkleProof = computeMerkleProof;
+exports.computeMerkleRoot = computeMerkleRoot;
+exports.computeNonce = computeNonce;
+exports.generateNonceParams = generateNonceParams;
+exports.generateSessionKeyPair = generateSessionKeyPair;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map