@charterlabs/rhinestone-sdk 0.3.9 → 0.4.2

package/dist/src/jwt-server/express.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createExpressRouter = createExpressRouter;
+const handlers_1 = require("./handlers");
+function createExpressRouter(config) {
+    // Dynamic import avoidance: we type the router interface manually
+    // so express doesn't need to be installed unless this function is called.
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { Router } = require('express');
+    const router = Router();
+    const handleAccessToken = (0, handlers_1.createCoreAccessTokenHandler)(config);
+    const handleExtensionToken = (0, handlers_1.createCoreExtensionTokenHandler)(config);
+    router.get('/access-token', async (_req, res) => {
+        const result = await handleAccessToken();
+        res.status(result.status).json(result.body);
+    });
+    router.post('/extension-token', async (req, res) => {
+        const body = req.body;
+        const intentInput = body?.intentInput;
+        const result = await handleExtensionToken(intentInput);
+        res.status(result.status).json(result.body);
+    });
+    return router;
+}

package/dist/src/jwt-server/handlers.d.ts

@@ -0,0 +1,10 @@
+import { type JwtSignerConfig } from './signer';
+export type JwtHandlerConfig = JwtSignerConfig;
+interface HandlerResult {
+    status: number;
+    body: Record<string, unknown>;
+}
+export declare function createCoreAccessTokenHandler(config: JwtHandlerConfig): () => Promise<HandlerResult>;
+export declare function createCoreExtensionTokenHandler(config: JwtHandlerConfig): (intentInput: unknown) => Promise<HandlerResult>;
+export {};
+//# sourceMappingURL=handlers.d.ts.map

package/dist/src/jwt-server/handlers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../../../jwt-server/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,UAAU,CAAA;AAGhE,MAAM,MAAM,gBAAgB,GAAG,eAAe,CAAA;AAE9C,UAAU,aAAa;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAC9B;AAED,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,gBAAgB,GACvB,MAAM,OAAO,CAAC,aAAa,CAAC,CAa9B;AAED,wBAAgB,+BAA+B,CAC7C,MAAM,EAAE,gBAAgB,GACvB,CAAC,WAAW,EAAE,OAAO,KAAK,OAAO,CAAC,aAAa,CAAC,CAuBlD"}

package/dist/src/jwt-server/handlers.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCoreAccessTokenHandler = createCoreAccessTokenHandler;
+exports.createCoreExtensionTokenHandler = createCoreExtensionTokenHandler;
+const signer_1 = require("./signer");
+const sponsorship_1 = require("./sponsorship");
+function createCoreAccessTokenHandler(config) {
+    const signer = (0, signer_1.createJwtSigner)(config);
+    return async () => {
+        try {
+            const token = await signer.accessToken();
+            return { status: 200, body: { token } };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'Internal server error';
+            return { status: 500, body: { error: message } };
+        }
+    };
+}
+function createCoreExtensionTokenHandler(config) {
+    const signer = (0, signer_1.createJwtSigner)(config);
+    return async (intentInput) => {
+        if (intentInput === undefined || intentInput === null) {
+            return {
+                status: 400,
+                body: { error: 'Missing intentInput in request body' },
+            };
+        }
+        try {
+            const token = await signer.getIntentExtensionToken(intentInput);
+            return { status: 200, body: { token } };
+        }
+        catch (error) {
+            if (error instanceof sponsorship_1.SponsorshipDeniedError) {
+                return { status: 403, body: { error: error.message } };
+            }
+            const message = error instanceof Error ? error.message : 'Internal server error';
+            return { status: 500, body: { error: message } };
+        }
+    };
+}

package/dist/src/jwt-server/index.d.ts

@@ -0,0 +1,8 @@
+export { computeIntentInputDigest } from './digest';
+export { createExpressRouter } from './express';
+export type { JwtHandlerConfig } from './handlers';
+export { jcsCanonicalise } from './jcs';
+export { createJwtSigner, type JwtCredentials, type JwtSignerConfig, } from './signer';
+export { SponsorshipDeniedError, type SponsorshipFilter, shouldSponsor, } from './sponsorship';
+export { createAccessTokenHandler, createExtensionTokenHandler, } from './web';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/jwt-server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jwt-server/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAA;AAC/C,YAAY,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,OAAO,CAAA;AACvC,OAAO,EACL,eAAe,EACf,KAAK,cAAc,EACnB,KAAK,eAAe,GACrB,MAAM,UAAU,CAAA;AACjB,OAAO,EACL,sBAAsB,EACtB,KAAK,iBAAiB,EACtB,aAAa,GACd,MAAM,eAAe,CAAA;AACtB,OAAO,EACL,wBAAwB,EACxB,2BAA2B,GAC5B,MAAM,OAAO,CAAA"}

package/dist/src/jwt-server/index.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createExtensionTokenHandler = exports.createAccessTokenHandler = exports.shouldSponsor = exports.SponsorshipDeniedError = exports.createJwtSigner = exports.jcsCanonicalise = exports.createExpressRouter = exports.computeIntentInputDigest = void 0;
+// biome-ignore lint/performance/noBarrelFile: subpath entry point for @rhinestone/sdk/jwt-server
+var digest_1 = require("./digest");
+Object.defineProperty(exports, "computeIntentInputDigest", { enumerable: true, get: function () { return digest_1.computeIntentInputDigest; } });
+var express_1 = require("./express");
+Object.defineProperty(exports, "createExpressRouter", { enumerable: true, get: function () { return express_1.createExpressRouter; } });
+var jcs_1 = require("./jcs");
+Object.defineProperty(exports, "jcsCanonicalise", { enumerable: true, get: function () { return jcs_1.jcsCanonicalise; } });
+var signer_1 = require("./signer");
+Object.defineProperty(exports, "createJwtSigner", { enumerable: true, get: function () { return signer_1.createJwtSigner; } });
+var sponsorship_1 = require("./sponsorship");
+Object.defineProperty(exports, "SponsorshipDeniedError", { enumerable: true, get: function () { return sponsorship_1.SponsorshipDeniedError; } });
+Object.defineProperty(exports, "shouldSponsor", { enumerable: true, get: function () { return sponsorship_1.shouldSponsor; } });
+var web_1 = require("./web");
+Object.defineProperty(exports, "createAccessTokenHandler", { enumerable: true, get: function () { return web_1.createAccessTokenHandler; } });
+Object.defineProperty(exports, "createExtensionTokenHandler", { enumerable: true, get: function () { return web_1.createExtensionTokenHandler; } });

package/dist/src/jwt-server/jcs.d.ts

@@ -0,0 +1,12 @@
+/**
+ * RFC 8785 JSON Canonicalization Scheme (JCS).
+ *
+ * Produces a deterministic JSON serialization by:
+ * 1. Sorting object keys lexicographically (Unicode code-point order)
+ * 2. Using ES2015+ `JSON.stringify` number serialization (IEEE 754 → shortest round-trip)
+ * 3. No whitespace
+ *
+ * Reference: https://www.rfc-editor.org/rfc/rfc8785
+ */
+export declare function jcsCanonicalise(value: unknown): string;
+//# sourceMappingURL=jcs.d.ts.map

package/dist/src/jwt-server/jcs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jcs.d.ts","sourceRoot":"","sources":["../../../jwt-server/jcs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEtD"}

package/dist/src/jwt-server/jcs.js

@@ -0,0 +1,60 @@
+"use strict";
+/**
+ * RFC 8785 JSON Canonicalization Scheme (JCS).
+ *
+ * Produces a deterministic JSON serialization by:
+ * 1. Sorting object keys lexicographically (Unicode code-point order)
+ * 2. Using ES2015+ `JSON.stringify` number serialization (IEEE 754 → shortest round-trip)
+ * 3. No whitespace
+ *
+ * Reference: https://www.rfc-editor.org/rfc/rfc8785
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jcsCanonicalise = jcsCanonicalise;
+function jcsCanonicalise(value) {
+    return serialize(value);
+}
+function serialize(value) {
+    if (value === null || value === undefined) {
+        return 'null';
+    }
+    switch (typeof value) {
+        case 'boolean':
+            return value ? 'true' : 'false';
+        case 'number':
+            if (!Number.isFinite(value)) {
+                throw new Error(`JCS: non-finite number: ${value}`);
+            }
+            // ES2015 Number-to-String satisfies RFC 8785 §3.2.2.3
+            return Object.is(value, -0) ? '0' : String(value);
+        case 'string':
+            return JSON.stringify(value);
+        case 'bigint':
+            // BigInt is not valid JSON; coerce to bare decimal string.
+            // Values above MAX_SAFE_INTEGER are rejected because downstream
+            // JSON parsers using IEEE 754 doubles would silently lose precision,
+            // producing a different digest.
+            if (value > BigInt(Number.MAX_SAFE_INTEGER) ||
+                value < BigInt(-Number.MAX_SAFE_INTEGER)) {
+                throw new Error(`JCS: BigInt ${value} exceeds safe integer range — convert to string before calling`);
+            }
+            return String(value);
+        default:
+            break;
+    }
+    if (Array.isArray(value)) {
+        const items = value.map((item) => serialize(item));
+        return `[${items.join(',')}]`;
+    }
+    // Object — sort keys by Unicode code-point order
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    const members = [];
+    for (const key of keys) {
+        const v = obj[key];
+        if (v === undefined)
+            continue; // skip undefined properties
+        members.push(`${JSON.stringify(key)}:${serialize(v)}`);
+    }
+    return `{${members.join(',')}}`;
+}

package/dist/src/jwt-server/signer.d.ts

@@ -0,0 +1,18 @@
+import { type SponsorshipFilter } from './sponsorship';
+export interface JwtCredentials {
+    privateKey: JsonWebKey;
+    integratorId: string;
+    projectId: string;
+    appId: string;
+    keyId: string;
+    audience?: string;
+}
+export interface JwtSignerConfig {
+    jwt: JwtCredentials;
+    shouldSponsor?: SponsorshipFilter;
+}
+export declare function createJwtSigner(config: JwtSignerConfig): {
+    accessToken: () => Promise<string>;
+    getIntentExtensionToken: (intentInput: unknown) => Promise<string>;
+};
+//# sourceMappingURL=signer.d.ts.map

package/dist/src/jwt-server/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../../jwt-server/signer.ts"],"names":[],"mappings":"AAEA,OAAO,EAGL,KAAK,iBAAiB,EACvB,MAAM,eAAe,CAAA;AAEtB,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,cAAc,CAAA;IACnB,aAAa,CAAC,EAAE,iBAAiB,CAAA;CAClC;AAeD,wBAAgB,eAAe,CAAC,MAAM,EAAE,eAAe,GAAG;IACxD,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAA;IAClC,uBAAuB,EAAE,CAAC,WAAW,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CACnE,CAoEA"}

package/dist/src/jwt-server/signer.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createJwtSigner = createJwtSigner;
+const jose_1 = require("jose");
+const digest_1 = require("./digest");
+const sponsorship_1 = require("./sponsorship");
+function pickAlg(jwk) {
+    if (jwk.kty === 'EC') {
+        if (jwk.crv === 'P-256')
+            return 'ES256';
+        if (jwk.crv === 'P-384')
+            return 'ES384';
+        if (jwk.crv === 'P-521')
+            return 'ES512';
+        throw new Error(`Unsupported EC curve: ${jwk.crv}`);
+    }
+    if (jwk.kty === 'RSA')
+        return 'RS256';
+    throw new Error(`Unsupported JWK kty: ${jwk.kty}`);
+}
+function createJwtSigner(config) {
+    const { jwt: { privateKey, integratorId, projectId, appId, keyId, audience = 'rhinestone-api', }, shouldSponsor: filters, } = config;
+    const alg = pickAlg(privateKey);
+    let cachedKey = null;
+    async function getKey() {
+        if (!cachedKey) {
+            cachedKey = (await (0, jose_1.importJWK)(privateKey, alg));
+        }
+        return cachedKey;
+    }
+    async function accessToken() {
+        const key = await getKey();
+        return new jose_1.SignJWT({ typ: 'access', app_id: appId })
+            .setProtectedHeader({ alg, kid: keyId })
+            .setIssuer(integratorId)
+            .setSubject(projectId)
+            .setAudience(audience)
+            .setIssuedAt()
+            .setExpirationTime('1h')
+            .sign(key);
+    }
+    async function getIntentExtensionToken(intentInput) {
+        if (filters) {
+            const allowed = await (0, sponsorship_1.shouldSponsor)(intentInput, filters);
+            if (!allowed) {
+                throw new sponsorship_1.SponsorshipDeniedError();
+            }
+        }
+        const key = await getKey();
+        const digest = await (0, digest_1.computeIntentInputDigest)(intentInput);
+        return new jose_1.SignJWT({
+            typ: 'intent_extension',
+            app_id: appId,
+            jti: crypto.randomUUID(),
+            policy: {
+                sponsorship: {
+                    scope: 'intent',
+                    intent_input: { digest },
+                },
+            },
+        })
+            .setProtectedHeader({ alg, kid: keyId })
+            .setIssuer(integratorId)
+            .setSubject(projectId)
+            .setAudience(audience)
+            .setIssuedAt()
+            .setExpirationTime('5m')
+            .sign(key);
+    }
+    return { accessToken, getIntentExtensionToken };
+}

package/dist/src/jwt-server/sponsorship.d.ts

@@ -0,0 +1,19 @@
+import type { Address, Hex } from 'viem';
+export declare class SponsorshipDeniedError extends Error {
+    constructor();
+}
+type MaybeAsync<T> = T | Promise<T>;
+export interface SponsorshipFilter {
+    chain?: (chain: {
+        id: number;
+    }) => MaybeAsync<boolean>;
+    account?: (address: Address) => MaybeAsync<boolean>;
+    calls?: (calls: {
+        to: Address;
+        value: bigint;
+        data: Hex;
+    }[]) => MaybeAsync<boolean>;
+}
+export declare function shouldSponsor(intentInput: unknown, filters: SponsorshipFilter): Promise<boolean>;
+export {};
+//# sourceMappingURL=sponsorship.d.ts.map

package/dist/src/jwt-server/sponsorship.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sponsorship.d.ts","sourceRoot":"","sources":["../../../jwt-server/sponsorship.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAA;AAExC,qBAAa,sBAAuB,SAAQ,KAAK;;CAKhD;AAED,KAAK,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAA;AAEnC,MAAM,WAAW,iBAAiB;IAChC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,KAAK,UAAU,CAAC,OAAO,CAAC,CAAA;IACtD,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,UAAU,CAAC,OAAO,CAAC,CAAA;IACnD,KAAK,CAAC,EAAE,CACN,KAAK,EAAE;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,GAAG,CAAA;KAAE,EAAE,KAC/C,UAAU,CAAC,OAAO,CAAC,CAAA;CACzB;AAiDD,wBAAsB,aAAa,CACjC,WAAW,EAAE,OAAO,EACpB,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,OAAO,CAAC,CAclB"}

package/dist/src/jwt-server/sponsorship.js

@@ -0,0 +1,56 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SponsorshipDeniedError = void 0;
+exports.shouldSponsor = shouldSponsor;
+class SponsorshipDeniedError extends Error {
+    constructor() {
+        super('Sponsorship denied');
+        this.name = 'SponsorshipDeniedError';
+    }
+}
+exports.SponsorshipDeniedError = SponsorshipDeniedError;
+function parseIntentInput(intentInput) {
+    if (typeof intentInput !== 'object' || intentInput === null) {
+        throw new Error('intentInput must be a non-null object');
+    }
+    const input = intentInput;
+    const chainId = input.destinationChainId;
+    if (typeof chainId !== 'number') {
+        throw new Error('intentInput.destinationChainId must be a number');
+    }
+    const account = input.account;
+    if (typeof account !== 'object' || account === null) {
+        throw new Error('intentInput.account must be a non-null object');
+    }
+    const address = account.address;
+    if (typeof address !== 'string') {
+        throw new Error('intentInput.account.address must be a string');
+    }
+    const executions = input.destinationExecutions;
+    if (!Array.isArray(executions)) {
+        throw new Error('intentInput.destinationExecutions must be an array');
+    }
+    const calls = executions.map((exec) => ({
+        to: exec.to,
+        value: BigInt(exec.value),
+        data: exec.data,
+    }));
+    return {
+        chain: { id: chainId },
+        account: address,
+        calls,
+    };
+}
+async function shouldSponsor(intentInput, filters) {
+    const parsed = parseIntentInput(intentInput);
+    if (filters.chain && !(await filters.chain(parsed.chain))) {
+        return false;
+    }
+    if (filters.account && !(await filters.account(parsed.account))) {
+        return false;
+    }
+    if (filters.calls && !(await filters.calls(parsed.calls))) {
+        return false;
+    }
+    return true;
+}

package/dist/src/jwt-server/web.d.ts

@@ -0,0 +1,4 @@
+import { type JwtHandlerConfig } from './handlers';
+export declare function createAccessTokenHandler(config: JwtHandlerConfig): (req: Request) => Promise<Response>;
+export declare function createExtensionTokenHandler(config: JwtHandlerConfig): (req: Request) => Promise<Response>;
+//# sourceMappingURL=web.d.ts.map

package/dist/src/jwt-server/web.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"web.d.ts","sourceRoot":"","sources":["../../../jwt-server/web.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,gBAAgB,EACtB,MAAM,YAAY,CAAA;AAEnB,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,gBAAgB,GACvB,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAOrC;AAED,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,gBAAgB,GACvB,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAerC"}

package/dist/src/jwt-server/web.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAccessTokenHandler = createAccessTokenHandler;
+exports.createExtensionTokenHandler = createExtensionTokenHandler;
+const handlers_1 = require("./handlers");
+function createAccessTokenHandler(config) {
+    const handle = (0, handlers_1.createCoreAccessTokenHandler)(config);
+    return async () => {
+        const result = await handle();
+        return Response.json(result.body, { status: result.status });
+    };
+}
+function createExtensionTokenHandler(config) {
+    const handle = (0, handlers_1.createCoreExtensionTokenHandler)(config);
+    return async (req) => {
+        let intentInput;
+        try {
+            const body = await req.json();
+            intentInput = body.intentInput;
+        }
+        catch {
+            return Response.json({ error: 'Invalid JSON body' }, { status: 400 });
+        }
+        const result = await handle(intentInput);
+        return Response.json(result.body, { status: result.status });
+    };
+}

package/dist/src/modules/validators/core.d.ts

@@ -12,6 +12,9 @@ interface WebauthnCredential {
     pubKey: PublicKey | Hex | Uint8Array;
     authenticatorId: string;
 }
+type MultiFactorValidatorDataOptions = {
+    useWebAuthnPrecompile?: boolean;
+};
 declare const OWNABLE_VALIDATOR_ADDRESS: Address;
 declare const ENS_VALIDATOR_ADDRESS: Address;
 declare const WEBAUTHN_VALIDATOR_ADDRESS: Address;
@@ -23,9 +26,10 @@ declare function getValidator(owners: OwnerSet): Module;
 declare function getOwnableValidator(threshold: number, owners: Address[], address?: Address): Module;
 declare function getENSValidator(threshold: number, owners: Address[], ownerExpirations: number[], address?: Address): Module;
 declare function getWebAuthnValidator(threshold: number, webAuthnCredentials: WebauthnCredential[], address?: Address): Module;
-declare function getMultiFactorValidator(threshold: number, validators: (OwnableValidatorConfig | ENSValidatorConfig | WebauthnValidatorConfig | null)[]): Module;
+declare function getMultiFactorSubValidatorData(validator: OwnableValidatorConfig | ENSValidatorConfig | WebauthnValidatorConfig, options?: MultiFactorValidatorDataOptions): Hex;
+declare function getMultiFactorValidator(threshold: number, validators: (OwnableValidatorConfig | ENSValidatorConfig | WebauthnValidatorConfig | null)[], options?: MultiFactorValidatorDataOptions): Module;
 declare function getSocialRecoveryValidator(guardians: Account[], threshold?: number): Module;
 declare function supportsEip712(validator: Module): boolean;
-export { OWNABLE_VALIDATOR_ADDRESS, ENS_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS, MULTI_FACTOR_VALIDATOR_ADDRESS, WEBAUTHN_V0_VALIDATOR_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS_DEV, getOwnerValidator, getOwnableValidator, getENSValidator, getWebAuthnValidator, getMultiFactorValidator, getSocialRecoveryValidator, getValidator, getMockSignature, supportsEip712, };
+export { OWNABLE_VALIDATOR_ADDRESS, ENS_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS, MULTI_FACTOR_VALIDATOR_ADDRESS, WEBAUTHN_V0_VALIDATOR_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS_DEV, getOwnerValidator, getOwnableValidator, getENSValidator, getWebAuthnValidator, getMultiFactorValidator, getSocialRecoveryValidator, getValidator, getMockSignature, getMultiFactorSubValidatorData, supportsEip712, };
 export type { WebauthnCredential };
 //# sourceMappingURL=core.d.ts.map

package/dist/src/modules/validators/core.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../../../modules/validators/core.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,EAKZ,KAAK,GAAG,EAKT,MAAM,MAAM,CAAA;AAGb,OAAO,KAAK,EACV,kBAAkB,EAClB,sBAAsB,EACtB,QAAQ,EACR,uBAAuB,EACvB,uBAAuB,EACxB,MAAM,aAAa,CAAA;AAEpB,OAAO,EAA4B,KAAK,MAAM,EAAE,MAAM,WAAW,CAAA;AAEjE,QAAA,MAAM,kCAAkC,EAAE,OACI,CAAA;AAC9C,QAAA,MAAM,8BAA8B,EAAE,OACQ,CAAA;AAE9C,UAAU,SAAS;IACjB,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAC3B,CAAC,EAAE,MAAM,CAAA;IACT,CAAC,EAAE,MAAM,CAAA;CACV;AAED,UAAU,kBAAkB;IAC1B,MAAM,EAAE,SAAS,GAAG,GAAG,GAAG,UAAU,CAAA;IACpC,eAAe,EAAE,MAAM,CAAA;CACxB;AAED,QAAA,MAAM,yBAAyB,EAAE,OACa,CAAA;AAC9C,QAAA,MAAM,qBAAqB,EAAE,OACiB,CAAA;AAC9C,QAAA,MAAM,0BAA0B,EAAE,OACY,CAAA;AAG9C,QAAA,MAAM,8BAA8B,EAAE,OACQ,CAAA;AAO9C,QAAA,MAAM,6BAA6B,EAAE,OACS,CAAA;AAO9C,iBAAS,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,UAKzD;AAED,iBAAS,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,GAAG,CAmDjD;AAED,iBAAS,YAAY,CAAC,MAAM,EAAE,QAAQ,UA2BrC;AAED,iBAAS,mBAAmB,CAC1B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,EAAE,EACjB,OAAO,CAAC,EAAE,OAAO,GAChB,MAAM,CAiBR;AAED,iBAAS,eAAe,CACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,EAAE,EACjB,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,CAAC,EAAE,OAAO,GAChB,MAAM,CAsCR;AAED,iBAAS,oBAAoB,CAC3B,SAAS,EAAE,MAAM,EACjB,mBAAmB,EAAE,kBAAkB,EAAE,EACzC,OAAO,CAAC,EAAE,OAAO,GAChB,MAAM,CA4DR;AAED,iBAAS,uBAAuB,CAC9B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,CACR,sBAAsB,GACtB,kBAAkB,GAClB,uBAAuB,GACvB,IAAI,CACP,EAAE,GACF,MAAM,CAgDR;AAED,iBAAS,0BAA0B,CACjC,SAAS,EAAE,OAAO,EAAE,EACpB,SAAS,SAAI,GACZ,MAAM,CAsBR;AAeD,iBAAS,cAAc,CAAC,SAAS,EAAE,MAAM,WAUxC;AAED,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,0BAA0B,EAC1B,8BAA8B,EAC9B,6BAA6B,EAC7B,8BAA8B,EAC9B,kCAAkC,EAClC,iBAAiB,EACjB,mBAAmB,EACnB,eAAe,EACf,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,YAAY,EACZ,gBAAgB,EAChB,cAAc,GACf,CAAA;AACD,YAAY,EAAE,kBAAkB,EAAE,CAAA"}
+{"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../../../modules/validators/core.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,OAAO,EAKZ,KAAK,GAAG,EAKT,MAAM,MAAM,CAAA;AAOb,OAAO,KAAK,EACV,kBAAkB,EAClB,sBAAsB,EACtB,QAAQ,EACR,uBAAuB,EACvB,uBAAuB,EACxB,MAAM,aAAa,CAAA;AAEpB,OAAO,EAA4B,KAAK,MAAM,EAAE,MAAM,WAAW,CAAA;AAEjE,QAAA,MAAM,kCAAkC,EAAE,OACI,CAAA;AAC9C,QAAA,MAAM,8BAA8B,EAAE,OACQ,CAAA;AAE9C,UAAU,SAAS;IACjB,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IAC3B,CAAC,EAAE,MAAM,CAAA;IACT,CAAC,EAAE,MAAM,CAAA;CACV;AAED,UAAU,kBAAkB;IAC1B,MAAM,EAAE,SAAS,GAAG,GAAG,GAAG,UAAU,CAAA;IACpC,eAAe,EAAE,MAAM,CAAA;CACxB;AAED,KAAK,+BAA+B,GAAG;IACrC,qBAAqB,CAAC,EAAE,OAAO,CAAA;CAChC,CAAA;AAED,QAAA,MAAM,yBAAyB,EAAE,OACa,CAAA;AAC9C,QAAA,MAAM,qBAAqB,EAAE,OACiB,CAAA;AAC9C,QAAA,MAAM,0BAA0B,EAAE,OACY,CAAA;AAG9C,QAAA,MAAM,8BAA8B,EAAE,OACQ,CAAA;AAO9C,QAAA,MAAM,6BAA6B,EAAE,OACS,CAAA;AAO9C,iBAAS,iBAAiB,CAAC,MAAM,EAAE,uBAAuB,UAKzD;AAED,iBAAS,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,GAAG,GAAG,CAwDjD;AAED,iBAAS,YAAY,CAAC,MAAM,EAAE,QAAQ,UA2BrC;AAsBD,iBAAS,mBAAmB,CAC1B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,EAAE,EACjB,OAAO,CAAC,EAAE,OAAO,GAChB,MAAM,CAiBR;AAED,iBAAS,eAAe,CACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,EAAE,EACjB,gBAAgB,EAAE,MAAM,EAAE,EAC1B,OAAO,CAAC,EAAE,OAAO,GAChB,MAAM,CAsCR;AAED,iBAAS,oBAAoB,CAC3B,SAAS,EAAE,MAAM,EACjB,mBAAmB,EAAE,kBAAkB,EAAE,EACzC,OAAO,CAAC,EAAE,OAAO,GAChB,MAAM,CAwCR;AAqBD,iBAAS,8BAA8B,CACrC,SAAS,EACL,sBAAsB,GACtB,kBAAkB,GAClB,uBAAuB,EAC3B,OAAO,GAAE,+BAAoC,GAC5C,GAAG,CAaL;AAED,iBAAS,uBAAuB,CAC9B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,CACR,sBAAsB,GACtB,kBAAkB,GAClB,uBAAuB,GACvB,IAAI,CACP,EAAE,EACH,OAAO,GAAE,+BAAoC,GAC5C,MAAM,CAgDR;AAED,iBAAS,0BAA0B,CACjC,SAAS,EAAE,OAAO,EAAE,EACpB,SAAS,SAAI,GACZ,MAAM,CAsBR;AAeD,iBAAS,cAAc,CAAC,SAAS,EAAE,MAAM,WAUxC;AAED,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,0BAA0B,EAC1B,8BAA8B,EAC9B,6BAA6B,EAC7B,8BAA8B,EAC9B,kCAAkC,EAClC,iBAAiB,EACjB,mBAAmB,EACnB,eAAe,EACf,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,YAAY,EACZ,gBAAgB,EAChB,8BAA8B,EAC9B,cAAc,GACf,CAAA;AACD,YAAY,EAAE,kBAAkB,EAAE,CAAA"}

package/dist/src/modules/validators/core.js

@@ -9,9 +9,11 @@ exports.getMultiFactorValidator = getMultiFactorValidator;
 exports.getSocialRecoveryValidator = getSocialRecoveryValidator;
 exports.getValidator = getValidator;
 exports.getMockSignature = getMockSignature;
+exports.getMultiFactorSubValidatorData = getMultiFactorSubValidatorData;
 exports.supportsEip712 = supportsEip712;
 const viem_1 = require("viem");
 const error_1 = require("../../accounts/error");
+const mfa_webauthn_1 = require("../../accounts/signing/mfa-webauthn");
 const common_1 = require("../common");
 const SMART_SESSION_EMISSARY_ADDRESS_DEV = '0x60731de80d78548875f8a67c4fec2a8660194e0c';
 exports.SMART_SESSION_EMISSARY_ADDRESS_DEV = SMART_SESSION_EMISSARY_ADDRESS_DEV;
@@ -53,7 +55,9 @@ function getMockSignature(ownerSet) {
         case 'multi-factor': {
             const mockValidators = ownerSet.validators.map((validator, index) => {
                 const validatorModule = getValidator(validator);
-                const signature = getMockSignature(validator);
+                const signature = validator.type === 'passkey'
+                    ? (0, mfa_webauthn_1.extractMfaWebAuthnSignatureFromPasskeySignature)(getMockSignature(validator))
+                    : getMockSignature(validator);
                 return {
                     packedValidatorAndId: (0, viem_1.encodePacked)(['bytes12', 'address'], [
                         (0, viem_1.pad)((0, viem_1.toHex)(index), {
@@ -97,6 +101,22 @@ function getValidator(owners) {
         }
     }
 }
+function getPublicKey(webAuthnCredential) {
+    if (typeof webAuthnCredential.pubKey === 'string' ||
+        webAuthnCredential.pubKey instanceof Uint8Array) {
+        // It's a P256Credential
+        const { x, y, prefix } = parsePublicKey(webAuthnCredential.pubKey);
+        if (prefix && prefix !== 4) {
+            throw new Error('Only uncompressed public keys are supported');
+        }
+        return {
+            x,
+            y,
+        };
+    }
+    // It's already a PublicKey
+    return webAuthnCredential.pubKey;
+}
 function getOwnableValidator(threshold, owners, address) {
     return {
         address: address ?? OWNABLE_VALIDATOR_ADDRESS,
@@ -143,24 +163,6 @@ function getENSValidator(threshold, owners, ownerExpirations, address) {
     };
 }
 function getWebAuthnValidator(threshold, webAuthnCredentials, address) {
-    function getPublicKey(webAuthnCredential) {
-        if (typeof webAuthnCredential.pubKey === 'string' ||
-            webAuthnCredential.pubKey instanceof Uint8Array) {
-            // It's a P256Credential
-            const { x, y, prefix } = parsePublicKey(webAuthnCredential.pubKey);
-            if (prefix && prefix !== 4) {
-                throw new Error('Only uncompressed public keys are supported');
-            }
-            return {
-                x,
-                y,
-            };
-        }
-        else {
-            // It's already a PublicKey
-            return webAuthnCredential.pubKey;
-        }
-    }
     const publicKeys = webAuthnCredentials.map(getPublicKey);
     return {
         address: address ?? WEBAUTHN_VALIDATOR_ADDRESS,
@@ -197,7 +199,30 @@ function getWebAuthnValidator(threshold, webAuthnCredentials, address) {
         type: common_1.MODULE_TYPE_ID_VALIDATOR,
     };
 }
-function getMultiFactorValidator(threshold, validators) {
+function getWebAuthnMfaValidatorData(threshold, webAuthnCredentials, options = {}) {
+    return (0, mfa_webauthn_1.encodeMfaWebAuthnValidatorData)({
+        usePrecompile: options.useWebAuthnPrecompile ?? false,
+        threshold,
+        credentials: webAuthnCredentials.map((credential) => {
+            const publicKey = getPublicKey(credential);
+            return {
+                pubKeyX: publicKey.x,
+                pubKeyY: publicKey.y,
+                requireUV: false,
+            };
+        }),
+    });
+}
+function getMultiFactorSubValidatorData(validator, options = {}) {
+    if (validator.type === 'passkey') {
+        return getWebAuthnMfaValidatorData(validator.threshold ?? 1, validator.accounts.map((account) => ({
+            pubKey: account.publicKey,
+            authenticatorId: account.id,
+        })), options);
+    }
+    return getValidator(validator).initData;
+}
+function getMultiFactorValidator(threshold, validators, options = {}) {
     return {
         address: MULTI_FACTOR_VALIDATOR_ADDRESS,
         initData: (0, viem_1.encodePacked)(['uint8', 'bytes'], [
@@ -229,7 +254,7 @@ function getMultiFactorValidator(threshold, validators) {
                             }),
                             validatorModule.address,
                         ]),
-                        data: validatorModule.initData,
+                        data: getMultiFactorSubValidatorData(validator, options),
                     };
                 })
                     .filter((validator) => validator !== null),

package/dist/src/modules/validators/index.d.ts

@@ -1,4 +1,4 @@
 import { getMockSignature, getOwnerValidator, MULTI_FACTOR_VALIDATOR_ADDRESS, OWNABLE_VALIDATOR_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS } from './core';
-import { buildMockSignature, getEnableSessionCall, getPermissionId, getSmartSessionValidator } from './smart-sessions';
-export { OWNABLE_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS, MULTI_FACTOR_VALIDATOR_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS, getOwnerValidator, getSmartSessionValidator, getEnableSessionCall, getPermissionId, getMockSignature, buildMockSignature, };
+import { buildMockSignature, DUMMY_PRECLAIMOP_SELECTOR, DUMMY_PRECLAIMOP_TARGET, getEnableSessionCall, getPermissionId, getSmartSessionValidator, isSessionEnabled, packSignature } from './smart-sessions';
+export { OWNABLE_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS, MULTI_FACTOR_VALIDATOR_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS, DUMMY_PRECLAIMOP_TARGET, DUMMY_PRECLAIMOP_SELECTOR, getOwnerValidator, getSmartSessionValidator, getEnableSessionCall, getPermissionId, getMockSignature, buildMockSignature, isSessionEnabled, packSignature, };
 //# sourceMappingURL=index.d.ts.map

package/dist/src/modules/validators/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../modules/validators/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,8BAA8B,EAC9B,yBAAyB,EACzB,8BAA8B,EAC9B,0BAA0B,EAC3B,MAAM,QAAQ,CAAA;AACf,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,eAAe,EACf,wBAAwB,EACzB,MAAM,kBAAkB,CAAA;AAEzB,OAAO,EACL,yBAAyB,EACzB,0BAA0B,EAC1B,8BAA8B,EAC9B,8BAA8B,EAC9B,iBAAiB,EACjB,wBAAwB,EACxB,oBAAoB,EACpB,eAAe,EACf,gBAAgB,EAChB,kBAAkB,GACnB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../modules/validators/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,8BAA8B,EAC9B,yBAAyB,EACzB,8BAA8B,EAC9B,0BAA0B,EAC3B,MAAM,QAAQ,CAAA;AACf,OAAO,EACL,kBAAkB,EAClB,yBAAyB,EACzB,uBAAuB,EACvB,oBAAoB,EACpB,eAAe,EACf,wBAAwB,EACxB,gBAAgB,EAChB,aAAa,EACd,MAAM,kBAAkB,CAAA;AAEzB,OAAO,EACL,yBAAyB,EACzB,0BAA0B,EAC1B,8BAA8B,EAC9B,8BAA8B,EAC9B,uBAAuB,EACvB,yBAAyB,EACzB,iBAAiB,EACjB,wBAAwB,EACxB,oBAAoB,EACpB,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,aAAa,GACd,CAAA"}

package/dist/src/modules/validators/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.buildMockSignature = exports.getMockSignature = exports.getPermissionId = exports.getEnableSessionCall = exports.getSmartSessionValidator = exports.getOwnerValidator = exports.SMART_SESSION_EMISSARY_ADDRESS = exports.MULTI_FACTOR_VALIDATOR_ADDRESS = exports.WEBAUTHN_VALIDATOR_ADDRESS = exports.OWNABLE_VALIDATOR_ADDRESS = void 0;
+exports.packSignature = exports.isSessionEnabled = exports.buildMockSignature = exports.getMockSignature = exports.getPermissionId = exports.getEnableSessionCall = exports.getSmartSessionValidator = exports.getOwnerValidator = exports.DUMMY_PRECLAIMOP_SELECTOR = exports.DUMMY_PRECLAIMOP_TARGET = exports.SMART_SESSION_EMISSARY_ADDRESS = exports.MULTI_FACTOR_VALIDATOR_ADDRESS = exports.WEBAUTHN_VALIDATOR_ADDRESS = exports.OWNABLE_VALIDATOR_ADDRESS = void 0;
 const core_1 = require("./core");
 Object.defineProperty(exports, "getMockSignature", { enumerable: true, get: function () { return core_1.getMockSignature; } });
 Object.defineProperty(exports, "getOwnerValidator", { enumerable: true, get: function () { return core_1.getOwnerValidator; } });
@@ -10,6 +10,10 @@ Object.defineProperty(exports, "SMART_SESSION_EMISSARY_ADDRESS", { enumerable: t
 Object.defineProperty(exports, "WEBAUTHN_VALIDATOR_ADDRESS", { enumerable: true, get: function () { return core_1.WEBAUTHN_VALIDATOR_ADDRESS; } });
 const smart_sessions_1 = require("./smart-sessions");
 Object.defineProperty(exports, "buildMockSignature", { enumerable: true, get: function () { return smart_sessions_1.buildMockSignature; } });
+Object.defineProperty(exports, "DUMMY_PRECLAIMOP_SELECTOR", { enumerable: true, get: function () { return smart_sessions_1.DUMMY_PRECLAIMOP_SELECTOR; } });
+Object.defineProperty(exports, "DUMMY_PRECLAIMOP_TARGET", { enumerable: true, get: function () { return smart_sessions_1.DUMMY_PRECLAIMOP_TARGET; } });
 Object.defineProperty(exports, "getEnableSessionCall", { enumerable: true, get: function () { return smart_sessions_1.getEnableSessionCall; } });
 Object.defineProperty(exports, "getPermissionId", { enumerable: true, get: function () { return smart_sessions_1.getPermissionId; } });
 Object.defineProperty(exports, "getSmartSessionValidator", { enumerable: true, get: function () { return smart_sessions_1.getSmartSessionValidator; } });
+Object.defineProperty(exports, "isSessionEnabled", { enumerable: true, get: function () { return smart_sessions_1.isSessionEnabled; } });
+Object.defineProperty(exports, "packSignature", { enumerable: true, get: function () { return smart_sessions_1.packSignature; } });

package/dist/src/modules/validators/policies/claim/permit2.d.ts

@@ -0,0 +1,55 @@
+import { type Address, type Hex } from 'viem';
+import type { Permit2ClaimPolicy } from '../../../../types';
+/** Typed representation of the Permit2 message fields used for calldata building */
+export interface Permit2ClaimMessage {
+    permitted: readonly {
+        token: Address;
+        amount: bigint;
+    }[];
+    spender: Address;
+    nonce: bigint;
+    deadline: bigint;
+    mandate: {
+        target: {
+            recipient: Address;
+            tokenOut: readonly {
+                token: Address;
+                amount: bigint;
+            }[];
+            targetChain: bigint;
+            fillExpiry: bigint;
+        };
+        minGas: bigint;
+        originOps: {
+            vt: Hex;
+            ops: readonly {
+                to: Address;
+                value: bigint;
+                data: Hex;
+            }[];
+        };
+        destOps: {
+            vt: Hex;
+            ops: readonly {
+                to: Address;
+                value: bigint;
+                data: Hex;
+            }[];
+        };
+        q: Hex;
+    };
+}
+/**
+ * Builds the policySpecificData calldata for a Permit2ClaimPolicy EIP-1271 check.
+ *
+ * Format (derived from Permit2ClaimPolicy.sol calldata layout):
+ *   Header:  [spender:20][nonce:32][deadline:32]
+ *   TokenIn: expanded [count:1][token:32][amount:32]... OR pre-computed hash [32]
+ *   Mandate: if any target check enabled — expanded target + minGas:16 + ops hashes + q
+ *            else — pre-computed mandateHash [32]
+ *
+ */
+export declare function buildPermit2ClaimPolicyCalldata(policy: Permit2ClaimPolicy, message: Permit2ClaimMessage): Hex;
+export declare const PERMIT2_CLAIM_POLICY_ADDRESS: Address;
+export declare function encodePermit2ClaimPolicyInitData(policy: Permit2ClaimPolicy): Hex;
+//# sourceMappingURL=permit2.d.ts.map