@cloakedagent/sdk 0.1.0

package/dist/relayer.js

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * Relayer Client for Truly Private Cloaked Agent Creation
+ *
+ * Handles communication with the backend relayer service for creating
+ * agents without the user's wallet signing any on-chain transaction.
+ *
+ * Security:
+ * - Agent Key encrypted with NaCl box (X25519) - decrypted client-side
+ * - User's wallet only signs "Cloak Private Agent" message for secret derivation
+ * - User's wallet NEVER appears in any on-chain transaction
+ *
+ * Economics:
+ * - User sends total (0.01 SOL fee + funding) to relayer via Privacy Cash
+ * - Relayer keeps 0.01 SOL fee, forwards rest to vault
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRelayerStatus = getRelayerStatus;
+exports.createPrivateAgentViaRelayer = createPrivateAgentViaRelayer;
+exports.freezePrivateViaRelayer = freezePrivateViaRelayer;
+exports.unfreezePrivateViaRelayer = unfreezePrivateViaRelayer;
+exports.updateConstraintsPrivateViaRelayer = updateConstraintsPrivateViaRelayer;
+exports.withdrawPrivateViaRelayer = withdrawPrivateViaRelayer;
+exports.closePrivateViaRelayer = closePrivateViaRelayer;
+exports.cosignSpendViaRelayer = cosignSpendViaRelayer;
+exports.getRelayerPublicKey = getRelayerPublicKey;
+const web3_js_1 = require("@solana/web3.js");
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const bs58_1 = __importDefault(require("bs58"));
+const zk_1 = require("./zk");
+const config_1 = require("./config");
+/**
+ * Handle relayer API error responses
+ */
+async function handleRelayerError(response, defaultMessage) {
+    const error = await response.json().catch(() => ({ error: "Unknown error" }));
+    throw new Error(error.error || `${defaultMessage}: ${response.status}`);
+}
+/**
+ * Make a POST request to a relayer endpoint and return the signature
+ */
+async function postRelayerOperation(endpoint, params, apiUrl) {
+    const baseUrl = apiUrl || (0, config_1.getBackendUrl)();
+    const response = await fetch(`${baseUrl}/api/relayer/${endpoint}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(params),
+    });
+    if (!response.ok) {
+        await handleRelayerError(response, "Relayer request failed");
+    }
+    const result = await response.json();
+    return result.signature;
+}
+/**
+ * Get relayer status
+ *
+ * @param apiUrl - Optional API URL (defaults to CLOAK_API_URL or localhost:3645)
+ * @returns Relayer status including balance and readiness
+ */
+async function getRelayerStatus(apiUrl) {
+    const baseUrl = apiUrl || (0, config_1.getBackendUrl)();
+    const response = await fetch(`${baseUrl}/api/relayer/status`);
+    if (!response.ok) {
+        await handleRelayerError(response, "Relayer status check failed");
+    }
+    return response.json();
+}
+/**
+ * Create a Cloaked Agent via relayer
+ *
+ * The relayer signs and pays for the transaction, ensuring the user's wallet
+ * never appears on-chain. The Agent Key is encrypted and only the user can decrypt it.
+ *
+ * Flow:
+ * 1. User sends total (fee + funding) to relayer via Privacy Cash
+ * 2. Call this function with the deposit tx signature
+ * 3. Relayer keeps 0.01 SOL fee, forwards rest to vault
+ * 4. Relayer creates agent, encrypts Agent Key for user
+ *
+ * @param masterSecret - Master secret derived from wallet signature
+ * @param nonce - Agent index (0, 1, 2, ...)
+ * @param options - Agent creation options
+ * @param depositSignature - Privacy Cash tx signature to relayer
+ * @param depositAmount - Total lamports sent (fee + vault funding)
+ * @param apiUrl - Optional API URL
+ * @returns Agent Key and PDA addresses
+ */
+async function createPrivateAgentViaRelayer(masterSecret, nonce, options, depositSignature, depositAmount, apiUrl) {
+    const baseUrl = apiUrl || (0, config_1.getBackendUrl)();
+    const { commitment } = await (0, zk_1.deriveAgentSecrets)(masterSecret, nonce);
+    const commitmentBytes = (0, zk_1.commitmentToBytes)(commitment);
+    const encryptionKeypair = tweetnacl_1.default.box.keyPair();
+    const body = {
+        ownerCommitment: Array.from(commitmentBytes),
+        maxPerTx: options.maxPerTx ?? 0,
+        dailyLimit: options.dailyLimit ?? 0,
+        totalLimit: options.totalLimit ?? 0,
+        expiresAt: options.expiresAt ? Math.floor(options.expiresAt.getTime() / 1000) : 0,
+        clientPublicKey: Array.from(encryptionKeypair.publicKey),
+        depositSignature,
+        depositAmount,
+    };
+    const response = await fetch(`${baseUrl}/api/relayer/create-private`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+    });
+    if (!response.ok) {
+        await handleRelayerError(response, "Relayer request failed");
+    }
+    const result = await response.json();
+    // Decrypt Agent Key
+    const agentKey = decryptAgentKey(result.encryptedAgentKey, result.nonce, encryptionKeypair.secretKey);
+    return {
+        agentKey,
+        agentStatePda: new web3_js_1.PublicKey(result.agentStatePda),
+        vaultPda: new web3_js_1.PublicKey(result.vaultPda),
+        delegate: new web3_js_1.PublicKey(result.delegate),
+        signature: result.signature,
+    };
+}
+/**
+ * Freeze a private agent via relayer
+ */
+async function freezePrivateViaRelayer(params, apiUrl) {
+    return postRelayerOperation("freeze-private", params, apiUrl);
+}
+/**
+ * Unfreeze a private agent via relayer
+ */
+async function unfreezePrivateViaRelayer(params, apiUrl) {
+    return postRelayerOperation("unfreeze-private", params, apiUrl);
+}
+/**
+ * Update constraints for a private agent via relayer
+ */
+async function updateConstraintsPrivateViaRelayer(params, apiUrl) {
+    return postRelayerOperation("update-constraints-private", params, apiUrl);
+}
+/**
+ * Withdraw from a private agent via relayer
+ */
+async function withdrawPrivateViaRelayer(params, apiUrl) {
+    return postRelayerOperation("withdraw-private", params, apiUrl);
+}
+/**
+ * Close a private agent via relayer
+ */
+async function closePrivateViaRelayer(params, apiUrl) {
+    return postRelayerOperation("close-private", params, apiUrl);
+}
+/**
+ * Co-sign and submit a spend transaction via relayer
+ *
+ * The SDK builds the transaction, delegate signs, then sends to relayer.
+ * Relayer adds its signature as fee payer and submits to the network.
+ *
+ * @param transactionBase64 - Base64 encoded partially-signed transaction
+ * @param apiUrl - Optional API URL
+ * @returns Transaction signature
+ */
+async function cosignSpendViaRelayer(transactionBase64, apiUrl) {
+    const baseUrl = apiUrl || (0, config_1.getBackendUrl)();
+    const response = await fetch(`${baseUrl}/api/relayer/cosign-spend`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ transaction: transactionBase64 }),
+    });
+    if (!response.ok) {
+        const errorData = await response.json().catch(() => ({ error: "Unknown error" }));
+        const message = errorData.error || `Relayer cosign failed: ${response.status}`;
+        const err = new Error(message);
+        err.code = errorData.code;
+        throw err;
+    }
+    const result = await response.json();
+    return result.signature;
+}
+/**
+ * Get the relayer public key for use as fee payer
+ * Uses lightweight /pubkey endpoint that doesn't require RPC calls
+ *
+ * @param apiUrl - Optional API URL
+ * @returns Relayer public key
+ */
+async function getRelayerPublicKey(apiUrl) {
+    const baseUrl = apiUrl || (0, config_1.getBackendUrl)();
+    try {
+        const response = await fetch(`${baseUrl}/api/relayer/pubkey`);
+        if (response.ok) {
+            const data = await response.json();
+            return new web3_js_1.PublicKey(data.address);
+        }
+    }
+    catch {
+        // Fall back to status endpoint
+    }
+    const status = await getRelayerStatus(apiUrl);
+    return new web3_js_1.PublicKey(status.address);
+}
+/**
+ * Decrypt Agent Key received from relayer
+ *
+ * @param encryptedBase58 - Base58 encoded encrypted data (ephemeral pubkey + ciphertext)
+ * @param nonceBase58 - Base58 encoded nonce
+ * @param secretKey - Client's X25519 secret key
+ * @returns Decrypted Agent Key
+ */
+function decryptAgentKey(encryptedBase58, nonceBase58, secretKey) {
+    const encrypted = bs58_1.default.decode(encryptedBase58);
+    const nonce = bs58_1.default.decode(nonceBase58);
+    // First 32 bytes are the ephemeral public key, rest is ciphertext
+    const ephemeralPublicKey = encrypted.slice(0, 32);
+    const ciphertext = encrypted.slice(32);
+    const decrypted = tweetnacl_1.default.box.open(ciphertext, nonce, ephemeralPublicKey, secretKey);
+    if (!decrypted) {
+        throw new Error("Failed to decrypt Agent Key - invalid encryption");
+    }
+    return new TextDecoder().decode(decrypted);
+}
+//# sourceMappingURL=relayer.js.map

package/dist/relayer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relayer.js","sourceRoot":"","sources":["../src/relayer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;AAkFH,4CASC;AAsBD,oEAoDC;AA+BD,0DAKC;AAKD,8DAKC;AAKD,gFAKC;AAKD,8DAKC;AAKD,wDAKC;AAYD,sDAqBC;AASD,kDAeC;AAxSD,6CAA4C;AAC5C,0DAA6B;AAC7B,gDAAwB;AACxB,6BAA6D;AAC7D,qCAAyC;AAuCzC;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAAC,QAAkB,EAAE,cAAsB;IAC1E,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAuB,CAAC;IACpG,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,KAAK,IAAI,GAAG,cAAc,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,oBAAoB,CACjC,QAAgB,EAChB,MAAS,EACT,MAAe;IAEf,MAAM,OAAO,GAAG,MAAM,IAAI,IAAA,sBAAa,GAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,gBAAgB,QAAQ,EAAE,EAAE;QACjE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;KAC7B,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,kBAAkB,CAAC,QAAQ,EAAE,wBAAwB,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA2B,CAAC;IAC9D,OAAO,MAAM,CAAC,SAAS,CAAC;AAC1B,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,gBAAgB,CAAC,MAAe;IACpD,MAAM,OAAO,GAAG,MAAM,IAAI,IAAA,sBAAa,GAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,qBAAqB,CAAC,CAAC;IAE9D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,kBAAkB,CAAC,QAAQ,EAAE,6BAA6B,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA4B,CAAC;AACnD,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACI,KAAK,UAAU,4BAA4B,CAChD,YAAoB,EACpB,KAAa,EACb,OAAuC,EACvC,gBAAwB,EACxB,aAAqB,EACrB,MAAe;IAEf,MAAM,OAAO,GAAG,MAAM,IAAI,IAAA,sBAAa,GAAE,CAAC;IAE1C,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,uBAAkB,EAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IACrE,MAAM,eAAe,GAAG,IAAA,sBAAiB,EAAC,UAAU,CAAC,CAAC;IAEtD,MAAM,iBAAiB,GAAG,mBAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAE7C,MAAM,IAAI,GAAG;QACX,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC;QAC5C,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,CAAC;QAC/B,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,CAAC;QACnC,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,CAAC;QACnC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACjF,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC;QACxD,gBAAgB;QAChB,aAAa;KACd,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,6BAA6B,EAAE;QACpE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,kBAAkB,CAAC,QAAQ,EAAE,wBAAwB,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA2B,CAAC;IAE9D,oBAAoB;IACpB,MAAM,QAAQ,GAAG,eAAe,CAC9B,MAAM,CAAC,iBAAiB,EACxB,MAAM,CAAC,KAAK,EACZ,iBAAiB,CAAC,SAAS,CAC5B,CAAC;IAEF,OAAO;QACL,QAAQ;QACR,aAAa,EAAE,IAAI,mBAAS,CAAC,MAAM,CAAC,aAAa,CAAC;QAClD,QAAQ,EAAE,IAAI,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC;QACxC,QAAQ,EAAE,IAAI,mBAAS,CAAC,MAAM,CAAC,QAAQ,CAAC;QACxC,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC;AA4BD;;GAEG;AACI,KAAK,UAAU,uBAAuB,CAC3C,MAA8B,EAC9B,MAAe;IAEf,OAAO,oBAAoB,CAAC,gBAAgB,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,yBAAyB,CAC7C,MAA8B,EAC9B,MAAe;IAEf,OAAO,oBAAoB,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAClE,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kCAAkC,CACtD,MAAsC,EACtC,MAAe;IAEf,OAAO,oBAAoB,CAAC,4BAA4B,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAC5E,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,yBAAyB,CAC7C,MAA6B,EAC7B,MAAe;IAEf,OAAO,oBAAoB,CAAC,kBAAkB,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAClE,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,sBAAsB,CAC1C,MAA0B,EAC1B,MAAe;IAEf,OAAO,oBAAoB,CAAC,eAAe,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,qBAAqB,CACzC,iBAAyB,EACzB,MAAe;IAEf,MAAM,OAAO,GAAG,MAAM,IAAI,IAAA,sBAAa,GAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,2BAA2B,EAAE;QAClE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,iBAAiB,EAAE,CAAC;KACzD,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAsC,CAAC;QACvH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,IAAI,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC;QAC/E,MAAM,GAAG,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9B,GAAiC,CAAC,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;QACzD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA2B,CAAC;IAC9D,OAAO,MAAM,CAAC,SAAS,CAAC;AAC1B,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,mBAAmB,CAAC,MAAe;IACvD,MAAM,OAAO,GAAG,MAAM,IAAI,IAAA,sBAAa,GAAE,CAAC;IAE1C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,qBAAqB,CAAC,CAAC;QAC9D,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAyB,CAAC;YAC1D,OAAO,IAAI,mBAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,+BAA+B;IACjC,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC9C,OAAO,IAAI,mBAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CACtB,eAAuB,EACvB,WAAmB,EACnB,SAAqB;IAErB,MAAM,SAAS,GAAG,cAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,cAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEvC,kEAAkE;IAClE,MAAM,kBAAkB,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAEvC,MAAM,SAAS,GAAG,mBAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,kBAAkB,EAAE,SAAS,CAAC,CAAC;IAElF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC"}

package/dist/signer.d.ts

@@ -0,0 +1,18 @@
+import { Keypair, PublicKey, Transaction, VersionedTransaction } from "@solana/web3.js";
+/**
+ * Signer interface - matches Anchor's Wallet interface exactly.
+ * This allows the SDK to work with both:
+ * - Frontend: useAnchorWallet() already returns this interface
+ * - Backend/MCP: Use keypairToSigner() to adapt a Keypair
+ */
+export interface Signer {
+    publicKey: PublicKey;
+    signTransaction<T extends Transaction | VersionedTransaction>(tx: T): Promise<T>;
+    signAllTransactions<T extends Transaction | VersionedTransaction>(txs: T[]): Promise<T[]>;
+}
+/**
+ * Adapt a Keypair to the Signer interface.
+ * Use this in backend code or MCP tools where you have a Keypair.
+ */
+export declare function keypairToSigner(keypair: Keypair): Signer;
+//# sourceMappingURL=signer.d.ts.map

package/dist/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../src/signer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAExF;;;;;GAKG;AACH,MAAM,WAAW,MAAM;IACrB,SAAS,EAAE,SAAS,CAAC;IACrB,eAAe,CAAC,CAAC,SAAS,WAAW,GAAG,oBAAoB,EAAE,EAAE,EAAE,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACjF,mBAAmB,CAAC,CAAC,SAAS,WAAW,GAAG,oBAAoB,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC;CAC3F;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAsBxD"}

package/dist/signer.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keypairToSigner = keypairToSigner;
+const web3_js_1 = require("@solana/web3.js");
+/**
+ * Adapt a Keypair to the Signer interface.
+ * Use this in backend code or MCP tools where you have a Keypair.
+ */
+function keypairToSigner(keypair) {
+    return {
+        publicKey: keypair.publicKey,
+        async signTransaction(tx) {
+            if (tx instanceof web3_js_1.Transaction) {
+                tx.partialSign(keypair);
+            }
+            else {
+                tx.sign([keypair]);
+            }
+            return tx;
+        },
+        async signAllTransactions(txs) {
+            return txs.map((tx) => {
+                if (tx instanceof web3_js_1.Transaction) {
+                    tx.partialSign(keypair);
+                }
+                else {
+                    tx.sign([keypair]);
+                }
+                return tx;
+            });
+        },
+    };
+}
+//# sourceMappingURL=signer.js.map

package/dist/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../src/signer.ts"],"names":[],"mappings":";;AAkBA,0CAsBC;AAxCD,6CAAwF;AAcxF;;;GAGG;AACH,SAAgB,eAAe,CAAC,OAAgB;IAC9C,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,KAAK,CAAC,eAAe,CAA+C,EAAK;YACvE,IAAI,EAAE,YAAY,qBAAW,EAAE,CAAC;gBAC9B,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC1B,CAAC;iBAAM,CAAC;gBACN,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;YACrB,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,KAAK,CAAC,mBAAmB,CAA+C,GAAQ;YAC9E,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;gBACpB,IAAI,EAAE,YAAY,qBAAW,EAAE,CAAC;oBAC9B,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;gBAC1B,CAAC;qBAAM,CAAC;oBACN,EAAE,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;gBACrB,CAAC;gBACD,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/token.d.ts

@@ -0,0 +1,320 @@
+import { Connection, Keypair, PublicKey } from "@solana/web3.js";
+import { TokenState, CreateTokenOptions, ConstraintOptions, SpendOptions, SpendResult } from "./types";
+import { Signer } from "./signer";
+/**
+ * CloakToken - Represents a Cloak payment token
+ *
+ * A Cloak token is a Solana keypair where:
+ * - The private key is the "token code" (what users save)
+ * - The derived PDA holds the SOL balance
+ * - Signing with the keypair authorizes redemptions
+ *
+ * Two modes of operation:
+ * - Agent mode (via constructor): Has token code, can spend
+ * - Owner mode (via forOwner): No token code, can manage (freeze/unfreeze/update/close)
+ */
+export declare class CloakToken {
+    private keypair;
+    private delegatePubkey;
+    private connection;
+    private _pda;
+    private _bump;
+    private _ownerCommitment;
+    private _agentSecret;
+    private _nonce;
+    private _tokenStatePda;
+    private _vaultPda;
+    /**
+     * Create a CloakToken from a token code (agent mode - can spend)
+     * @param tokenCode - Base58 encoded secret key
+     * @param rpcUrl - Solana RPC endpoint URL
+     */
+    constructor(tokenCode: string, rpcUrl: string);
+    /**
+     * Create a CloakToken for owner management (freeze, unfreeze, update, close, withdraw, deposit)
+     * Does NOT have delegate keypair - cannot spend.
+     * Use this when you have the delegate's public key but not the token code.
+     *
+     * @param delegatePubkey - Public key of the delegate (from URL or on-chain data)
+     * @param rpcUrl - Solana RPC endpoint URL
+     */
+    static forOwner(delegatePubkey: PublicKey | string, rpcUrl: string): CloakToken;
+    /**
+     * Create a CloakToken for private owner management (ZK proof-based)
+     * Uses the master secret and nonce to derive the agent secret and find the token.
+     *
+     * @param masterSecret - Master secret derived from wallet signature
+     * @param nonce - Agent index (0, 1, 2, ...)
+     * @param rpcUrl - Solana RPC endpoint URL
+     * @returns CloakToken instance for private management
+     */
+    static forPrivateOwner(masterSecret: bigint, nonce: number, rpcUrl: string): Promise<CloakToken>;
+    /**
+     * Check if this token is in private mode
+     */
+    get isPrivateMode(): boolean;
+    /**
+     * Get the owner commitment (private mode only)
+     */
+    get ownerCommitment(): Uint8Array | null;
+    /**
+     * The token's public key (used to derive PDA)
+     */
+    get publicKey(): PublicKey;
+    /**
+     * The PDA that holds this token's SOL balance
+     */
+    get pda(): PublicKey;
+    /**
+     * The bump seed used for PDA derivation
+     */
+    get bump(): number;
+    /**
+     * Get the TokenState PDA address for this delegate
+     */
+    get tokenStatePda(): PublicKey;
+    /**
+     * Get the Vault PDA address for this token
+     */
+    get vaultPda(): PublicKey;
+    /**
+     * Get the current SOL balance of this token
+     * @returns Balance in SOL
+     */
+    getBalance(): Promise<number>;
+    /**
+     * Get the current balance in lamports
+     * @returns Balance in lamports
+     */
+    getBalanceLamports(): Promise<number>;
+    /**
+     * Generate a new random Cloak token
+     * @param rpcUrl - Solana RPC endpoint URL
+     * @returns New token instance and its token code
+     */
+    static generate(rpcUrl: string): {
+        token: CloakToken;
+        tokenCode: string;
+    };
+    /**
+     * Derive the PDA for any public key (without needing full token)
+     * @param publicKey - Token's public key
+     * @returns The PDA address
+     */
+    static derivePda(publicKey: PublicKey): PublicKey;
+    /**
+     * Derive PDA with bump
+     * @param publicKey - Token's public key
+     * @returns The PDA address and bump
+     */
+    static derivePdaWithBump(publicKey: PublicKey): [PublicKey, number];
+    /**
+     * Derive TokenState PDA for a delegate
+     */
+    static deriveTokenStatePda(delegate: PublicKey): PublicKey;
+    /**
+     * Derive Vault PDA from TokenState PDA
+     */
+    static deriveVaultPda(tokenStatePda: PublicKey): PublicKey;
+    /**
+     * Create a new Cloak token with constraints on-chain
+     * @param connection - Solana connection
+     * @param owner - Owner wallet (Signer - can be wallet adapter or wrapped Keypair)
+     * @param options - Token creation options
+     * @returns New CloakToken instance and token code
+     */
+    static create(connection: Connection, owner: Signer, options: CreateTokenOptions): Promise<{
+        token: CloakToken;
+        tokenCode: string;
+        signature: string;
+    }>;
+    /**
+     * Fetch full token state from on-chain
+     * @returns TokenState with all constraints and spending info
+     */
+    getState(): Promise<TokenState>;
+    /**
+     * Spend from vault to destination (delegate signs)
+     * Requires agent mode (token code) - throws if in owner mode.
+     *
+     * Two fee payment modes:
+     *
+     * 1. **With feePayer (standard mode)**: User's wallet pays tx fee directly
+     *    - No relayer involved
+     *    - Normal tx fee (~5k lamports) paid by user wallet
+     *    - Vault only pays the amount to destination
+     *
+     * 2. **Without feePayer (agent/MCP mode)**: Relayer pays, vault reimburses
+     *    - Relayer fronts the tx fee
+     *    - Vault reimburses relayer 10k lamports
+     *    - Delegate doesn't need any SOL
+     *
+     * @param options - Spend options (destination, amount, optional feePayer)
+     * @returns Spend result with signature and remaining balances
+     */
+    spend(options: SpendOptions): Promise<SpendResult>;
+    /**
+     * Spend with user-provided fee payer (no relayer)
+     */
+    private spendWithFeePayer;
+    /**
+     * Spend via relayer (relayer pays, vault reimburses)
+     */
+    private spendViaRelayer;
+    /**
+     * Deposit SOL to vault (anyone can call)
+     * @param depositor - Signer of the depositor (wallet adapter or wrapped Keypair)
+     * @param amount - Amount in lamports
+     * @returns Transaction signature
+     */
+    deposit(depositor: Signer, amount: number): Promise<string>;
+    /**
+     * Freeze token (owner only) - emergency stop
+     * @param owner - Owner signer (wallet adapter or wrapped Keypair)
+     * @returns Transaction signature
+     */
+    freeze(owner: Signer): Promise<string>;
+    /**
+     * Unfreeze token (owner only)
+     * @param owner - Owner signer (wallet adapter or wrapped Keypair)
+     * @returns Transaction signature
+     */
+    unfreeze(owner: Signer): Promise<string>;
+    /**
+     * Update token constraints (owner only)
+     * @param owner - Owner signer (wallet adapter or wrapped Keypair)
+     * @param options - New constraint values (null = no change)
+     * @returns Transaction signature
+     */
+    updateConstraints(owner: Signer, options: ConstraintOptions): Promise<string>;
+    /**
+     * Close token and reclaim all funds to owner (owner only)
+     * @param owner - Owner signer (wallet adapter or wrapped Keypair)
+     * @returns Transaction signature
+     */
+    close(owner: Signer): Promise<string>;
+    /**
+     * Withdraw from vault to any destination (owner only, no constraints)
+     * Works even if token is frozen or expired - owner has full control
+     * Preserves privacy by allowing withdrawal to any wallet
+     * @param owner - Owner signer (wallet adapter or wrapped Keypair)
+     * @param amount - Amount in lamports to withdraw
+     * @param destination - Destination wallet (any PublicKey)
+     * @returns Transaction signature
+     */
+    withdraw(owner: Signer, amount: number, destination: PublicKey): Promise<string>;
+    /**
+     * Create a new Cloak token in private mode (no wallet linked on-chain)
+     *
+     * @param connection - Solana connection
+     * @param payer - Payer for transaction fees (can be any signer)
+     * @param masterSecret - Master secret derived from wallet signature
+     * @param nonce - Agent index (0, 1, 2, ...)
+     * @param options - Token creation options
+     * @returns New CloakToken instance (with private mode) and token code
+     */
+    static createPrivate(connection: Connection, payer: Signer, masterSecret: bigint, nonce: number, options: Omit<CreateTokenOptions, "delegate">): Promise<{
+        token: CloakToken;
+        tokenCode: string;
+        signature: string;
+    }>;
+    /**
+     * Create a new Cloak token via relayer (truly private - user wallet never signs on-chain)
+     *
+     * This is the most private mode of operation:
+     * 1. User signs message to derive master secret (client-side only)
+     * 2. User sends total (fee + funding) to relayer via Privacy Cash
+     * 3. Relayer keeps 0.01 SOL fee, forwards rest to vault
+     * 4. Relayer creates the agent on-chain (generates delegate)
+     * 5. TokenCode encrypted for user (only user can decrypt)
+     * 6. User's wallet NEVER appears in any on-chain transaction
+     *
+     * @param masterSecret - Master secret derived from wallet signature
+     * @param nonce - Agent index (0, 1, 2, ...)
+     * @param options - Token creation options
+     * @param depositSignature - Privacy Cash tx signature to relayer
+     * @param depositAmount - Total lamports sent (fee + vault funding)
+     * @param rpcUrl - Solana RPC endpoint URL
+     * @param apiUrl - Optional backend API URL
+     * @returns New CloakToken instance (with private mode) and token code
+     */
+    static createPrivateViaRelayer(masterSecret: bigint, nonce: number, options: Omit<CreateTokenOptions, "delegate" | "initialDeposit">, depositSignature: string, depositAmount: number, rpcUrl: string, apiUrl?: string): Promise<{
+        token: CloakToken;
+        tokenCode: string;
+        signature: string;
+        vaultPda: PublicKey;
+    }>;
+    /**
+     * Create a new Cloak token using your own relayer keypair (no backend needed, no fees)
+     *
+     * This is for technical users who want to:
+     * - Use their own funded keypair as a relayer
+     * - Pay their own rent (no 0.01 SOL fee to our relayer)
+     * - Have full control over the creation process
+     * - Fund vault separately via Privacy Cash for anonymity
+     *
+     * Flow:
+     * 1. User signs message to derive master secret (client-side only)
+     * 2. User provides a funded Keypair to pay rent
+     * 3. Creates agent directly on-chain (relayerKeypair signs and pays)
+     * 4. User's main wallet NEVER appears in any on-chain transaction
+     * 5. Fund vault separately via Privacy Cash for complete anonymity
+     *
+     * @param masterSecret - Master secret derived from wallet signature
+     * @param nonce - Agent index (0, 1, 2, ...)
+     * @param options - Token creation options
+     * @param relayerKeypair - User's own funded keypair (pays rent ~0.00138 SOL)
+     * @param rpcUrl - Solana RPC endpoint URL
+     * @returns New CloakToken instance (with private mode) and token code
+     */
+    static createPrivateWithRelayer(masterSecret: bigint, nonce: number, options: Omit<CreateTokenOptions, "delegate" | "initialDeposit">, relayerKeypair: Keypair, rpcUrl: string): Promise<{
+        token: CloakToken;
+        tokenCode: string;
+        signature: string;
+        vaultPda: PublicKey;
+    }>;
+    /**
+     * Helper to get a dummy wallet for read-only operations
+     */
+    private getDummyWallet;
+    /**
+     * Freeze token using ZK proof (private mode only)
+     * Uses relayer to submit transaction - vault pays for fees
+     * @param apiUrl - Optional API URL for relayer
+     * @returns Transaction signature
+     */
+    freezePrivate(apiUrl?: string): Promise<string>;
+    /**
+     * Unfreeze token using ZK proof (private mode only)
+     * Uses relayer to submit transaction - vault pays for fees
+     * @param apiUrl - Optional API URL for relayer
+     * @returns Transaction signature
+     */
+    unfreezePrivate(apiUrl?: string): Promise<string>;
+    /**
+     * Update constraints using ZK proof (private mode only)
+     * Uses relayer to submit transaction - vault pays for fees
+     * @param options - New constraint values (undefined = no change)
+     * @param apiUrl - Optional API URL for relayer
+     * @returns Transaction signature
+     */
+    updateConstraintsPrivate(options: ConstraintOptions, apiUrl?: string): Promise<string>;
+    /**
+     * Close token and reclaim funds using ZK proof (private mode only)
+     * Uses relayer to submit transaction - vault pays for fees
+     * @param destination - Destination for remaining funds
+     * @param apiUrl - Optional API URL for relayer
+     * @returns Transaction signature
+     */
+    closePrivate(destination: PublicKey, apiUrl?: string): Promise<string>;
+    /**
+     * Withdraw using ZK proof (private mode only)
+     * Uses relayer to submit transaction - vault pays for fees
+     * @param amount - Amount in lamports to withdraw
+     * @param destination - Destination for funds
+     * @param apiUrl - Optional API URL for relayer
+     * @returns Transaction signature
+     */
+    withdrawPrivate(amount: number, destination: PublicKey, apiUrl?: string): Promise<string>;
+}
+//# sourceMappingURL=token.d.ts.map

package/dist/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../src/token.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,OAAO,EACP,SAAS,EAIV,MAAM,iBAAiB,CAAC;AAKzB,OAAO,EACL,UAAU,EACV,kBAAkB,EAClB,iBAAiB,EACjB,YAAY,EACZ,WAAW,EACZ,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,MAAM,EAAmB,MAAM,UAAU,CAAC;AAyBnD;;;;;;;;;;;GAWG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAiB;IAChC,OAAO,CAAC,cAAc,CAAY;IAClC,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,IAAI,CAAY;IACxB,OAAO,CAAC,KAAK,CAAS;IAGtB,OAAO,CAAC,gBAAgB,CAA2B;IACnD,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,MAAM,CAAuB;IAGrC,OAAO,CAAC,cAAc,CAA0B;IAChD,OAAO,CAAC,SAAS,CAA0B;IAE3C;;;;OAIG;gBACS,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAoB7C;;;;;;;OAOG;IACH,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,SAAS,GAAG,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,UAAU;IAwB/E;;;;;;;;OAQG;WACU,eAAe,CAC1B,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,CAAC;IA2CtB;;OAEG;IACH,IAAI,aAAa,IAAI,OAAO,CAE3B;IAED;;OAEG;IACH,IAAI,eAAe,IAAI,UAAU,GAAG,IAAI,CAEvC;IAED;;OAEG;IACH,IAAI,SAAS,IAAI,SAAS,CAEzB;IAED;;OAEG;IACH,IAAI,GAAG,IAAI,SAAS,CAEnB;IAED;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;OAEG;IACH,IAAI,aAAa,IAAI,SAAS,CAU7B;IAED;;OAEG;IACH,IAAI,QAAQ,IAAI,SAAS,CAWxB;IAED;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAKnC;;;OAGG;IACG,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI3C;;;;OAIG;IACH,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE;IAOzE;;;;OAIG;IACH,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,SAAS,GAAG,SAAS;IAQjD;;;;OAIG;IACH,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,SAAS,GAAG,CAAC,SAAS,EAAE,MAAM,CAAC;IAOnE;;OAEG;IACH,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE,SAAS,GAAG,SAAS;IAQ1D;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,SAAS,GAAG,SAAS;IAQ1D;;;;;;OAMG;WACU,MAAM,CACjB,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IA2DvE;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,UAAU,CAAC;IAoFrC;;;;;;;;;;;;;;;;;;OAkBG;IACG,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;IAiBxD;;OAEG;YACW,iBAAiB;IAiD/B;;OAEG;YACW,eAAe;IAwD7B;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwBjE;;;;OAIG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqB5C;;;;OAIG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqB9C;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BnF;;;;OAIG;IACG,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAwB3C;;;;;;;;OAQG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BtF;;;;;;;;;OASG;WACU,aAAa,CACxB,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,IAAI,CAAC,kBAAkB,EAAE,UAAU,CAAC,GAC5C,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAoEvE;;;;;;;;;;;;;;;;;;;OAmBG;WACU,uBAAuB,CAClC,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,IAAI,CAAC,kBAAkB,EAAE,UAAU,GAAG,gBAAgB,CAAC,EAChE,gBAAgB,EAAE,MAAM,EACxB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,SAAS,CAAA;KAAE,CAAC;IAkC5F;;;;;;;;;;;;;;;;;;;;;;OAsBG;WACU,wBAAwB,CACnC,YAAY,EAAE,MAAM,EACpB,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,IAAI,CAAC,kBAAkB,EAAE,UAAU,GAAG,gBAAgB,CAAC,EAChE,cAAc,EAAE,OAAO,EACvB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,SAAS,CAAA;KAAE,CAAC;IA4D5F;;OAEG;IACH,OAAO,CAAC,cAAc;IAWtB;;;;;OAKG;IACG,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAyBrD;;;;;OAKG;IACG,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAyBvD;;;;;;OAMG;IACG,wBAAwB,CAAC,OAAO,EAAE,iBAAiB,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA+B5F;;;;;;OAMG;IACG,YAAY,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA0B5E;;;;;;;OAOG;IACG,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CA0BhG"}