@cofhe/sdk 0.0.0-alpha-20260409113701

package/core/decrypt/tnSealOutputV2.ts

@@ -0,0 +1,324 @@
+import { type Permission, type EthEncryptedData } from '@/permits';
+
+import { CofheError, CofheErrorCode } from '../error.js';
+import { type DecryptPollCallbackFunction } from '../types.js';
+import { computeMinuteRampPollIntervalMs } from './polling.js';
+
+// Polling configuration
+const POLL_INTERVAL_MS = 1000; // 1 second
+const POLL_MAX_INTERVAL_MS = 10_000; // 10 seconds
+const POLL_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+
+// V2 API response types
+type SealOutputSubmitResponse = {
+  request_id: string;
+};
+
+type SealOutputStatusResponse = {
+  request_id: string;
+  status: 'PROCESSING' | 'COMPLETED';
+  submitted_at: string;
+  completed_at?: string;
+  is_succeed?: boolean;
+  sealed?: {
+    data: number[];
+    public_key: number[];
+    nonce: number[];
+  };
+  signature?: string;
+  encryption_type?: number;
+  error_message?: string | null;
+};
+
+/**
+ * Converts a number array to Uint8Array
+ */
+function numberArrayToUint8Array(arr: number[]): Uint8Array {
+  return new Uint8Array(arr);
+}
+
+/**
+ * Converts the sealed data from the API response to EthEncryptedData
+ */
+function convertSealedData(sealed: SealOutputStatusResponse['sealed']): EthEncryptedData {
+  if (!sealed) {
+    throw new CofheError({
+      code: CofheErrorCode.SealOutputReturnedNull,
+      message: 'Sealed data is missing from completed response',
+    });
+  }
+
+  return {
+    data: numberArrayToUint8Array(sealed.data),
+    public_key: numberArrayToUint8Array(sealed.public_key),
+    nonce: numberArrayToUint8Array(sealed.nonce),
+  };
+}
+
+/**
+ * Submits a sealoutput request to the v2 API and returns the request_id
+ */
+async function submitSealOutputRequest(
+  thresholdNetworkUrl: string,
+  ctHash: bigint | string,
+  chainId: number,
+  permission: Permission
+): Promise<string> {
+  const body = {
+    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, '0'),
+    host_chain_id: chainId,
+    permit: permission,
+  };
+
+  let response: Response;
+  try {
+    response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(body),
+    });
+  } catch (e) {
+    throw new CofheError({
+      code: CofheErrorCode.SealOutputFailed,
+      message: `sealOutput request failed`,
+      hint: 'Ensure the threshold network URL is valid and reachable.',
+      cause: e instanceof Error ? e : undefined,
+      context: {
+        thresholdNetworkUrl,
+        body,
+      },
+    });
+  }
+
+  // Handle non-200 status codes
+  if (!response.ok) {
+    let errorMessage = `HTTP ${response.status}`;
+    try {
+      const errorBody = await response.json();
+      errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+    } catch {
+      // Ignore JSON parse errors, use status text
+      errorMessage = response.statusText || errorMessage;
+    }
+
+    throw new CofheError({
+      code: CofheErrorCode.SealOutputFailed,
+      message: `sealOutput request failed: ${errorMessage}`,
+      hint: 'Check the threshold network URL and request parameters.',
+      context: {
+        thresholdNetworkUrl,
+        status: response.status,
+        statusText: response.statusText,
+        body,
+      },
+    });
+  }
+
+  let submitResponse: SealOutputSubmitResponse;
+  try {
+    submitResponse = (await response.json()) as SealOutputSubmitResponse;
+  } catch (e) {
+    throw new CofheError({
+      code: CofheErrorCode.SealOutputFailed,
+      message: `Failed to parse sealOutput submit response`,
+      cause: e instanceof Error ? e : undefined,
+      context: {
+        thresholdNetworkUrl,
+        body,
+      },
+    });
+  }
+
+  if (!submitResponse.request_id) {
+    throw new CofheError({
+      code: CofheErrorCode.SealOutputFailed,
+      message: `sealOutput submit response missing request_id`,
+      context: {
+        thresholdNetworkUrl,
+        body,
+        submitResponse,
+      },
+    });
+  }
+
+  return submitResponse.request_id;
+}
+
+/**
+ * Polls for the sealoutput status until completed or timeout
+ */
+async function pollSealOutputStatus(
+  thresholdNetworkUrl: string,
+  requestId: string,
+  onPoll?: DecryptPollCallbackFunction
+): Promise<EthEncryptedData> {
+  const startTime = Date.now();
+  let attemptIndex = 0;
+  let completed = false;
+
+  while (!completed) {
+    const elapsedMs = Date.now() - startTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS,
+    });
+    onPoll?.({
+      operation: 'sealoutput',
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: POLL_TIMEOUT_MS,
+    });
+
+    // Check timeout
+    if (elapsedMs > POLL_TIMEOUT_MS) {
+      throw new CofheError({
+        code: CofheErrorCode.SealOutputFailed,
+        message: `sealOutput polling timed out after ${POLL_TIMEOUT_MS}ms`,
+        hint: 'The request may still be processing. Try again later.',
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          timeoutMs: POLL_TIMEOUT_MS,
+        },
+      });
+    }
+
+    let response: Response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput/${requestId}`, {
+        method: 'GET',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: CofheErrorCode.SealOutputFailed,
+        message: `sealOutput status poll failed`,
+        hint: 'Ensure the threshold network URL is valid and reachable.',
+        cause: e instanceof Error ? e : undefined,
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+        },
+      });
+    }
+
+    // Handle 404 - request not found
+    if (response.status === 404) {
+      throw new CofheError({
+        code: CofheErrorCode.SealOutputFailed,
+        message: `sealOutput request not found: ${requestId}`,
+        hint: 'The request may have expired or been invalid.',
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+        },
+      });
+    }
+
+    // Handle other non-200 status codes
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+
+      throw new CofheError({
+        code: CofheErrorCode.SealOutputFailed,
+        message: `sealOutput status poll failed: ${errorMessage}`,
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          status: response.status,
+          statusText: response.statusText,
+        },
+      });
+    }
+
+    let statusResponse: SealOutputStatusResponse;
+    try {
+      statusResponse = (await response.json()) as SealOutputStatusResponse;
+    } catch (e) {
+      throw new CofheError({
+        code: CofheErrorCode.SealOutputFailed,
+        message: `Failed to parse sealOutput status response`,
+        cause: e instanceof Error ? e : undefined,
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+        },
+      });
+    }
+
+    // Check if completed
+    if (statusResponse.status === 'COMPLETED') {
+      // Check if succeeded
+      if (statusResponse.is_succeed === false) {
+        const errorMessage = statusResponse.error_message || 'Unknown error';
+        throw new CofheError({
+          code: CofheErrorCode.SealOutputFailed,
+          message: `sealOutput request failed: ${errorMessage}`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse,
+          },
+        });
+      }
+
+      // Check if sealed data exists
+      if (!statusResponse.sealed) {
+        throw new CofheError({
+          code: CofheErrorCode.SealOutputReturnedNull,
+          message: `sealOutput request completed but returned no sealed data`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse,
+          },
+        });
+      }
+
+      // Convert and return the sealed data
+      return convertSealedData(statusResponse.sealed);
+    }
+
+    // Still processing, wait before next poll
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
+  }
+
+  // This should never be reached, but TypeScript requires it
+  throw new CofheError({
+    code: CofheErrorCode.SealOutputFailed,
+    message: 'Polling loop exited unexpectedly',
+    context: {
+      thresholdNetworkUrl,
+      requestId,
+    },
+  });
+}
+
+export async function tnSealOutputV2(params: {
+  ctHash: bigint | string;
+  chainId: number;
+  permission: Permission;
+  thresholdNetworkUrl: string;
+  onPoll?: DecryptPollCallbackFunction;
+}): Promise<EthEncryptedData> {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+
+  // Step 1: Submit the request and get request_id
+  const requestId = await submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission);
+
+  // Step 2: Poll for status until completed
+  return await pollSealOutputStatus(thresholdNetworkUrl, requestId, onPoll);
+}

package/core/decrypt/verifyDecryptResult.ts

@@ -0,0 +1,52 @@
+import {
+  encodePacked,
+  isAddressEqual,
+  keccak256,
+  parseAbi,
+  recoverAddress,
+  zeroAddress,
+  type Address,
+  type Hex,
+  type PublicClient,
+} from 'viem';
+import { TASK_MANAGER_ADDRESS } from '../consts.js';
+
+const decryptResultSignerAbi = parseAbi(['function decryptResultSigner() view returns (address)']);
+
+/**
+ * Verifies a decrypt result signature **locally** (no `ctHash`/plaintext sent over RPC).
+ *
+ * This matches the TaskManager contract logic:
+ *   - messageHash = keccak256(abi.encodePacked(ctHash, result))
+ *   - recovered = ecrecover(messageHash, signature)
+ *   - recovered must equal the on-chain configured `decryptResultSigner`
+ *
+ * The only on-chain read performed is `TaskManager.decryptResultSigner()` (via `eth_call`).
+ *
+ * Works with both production and mock deployments.
+ */
+export async function verifyDecryptResult(
+  handle: bigint | string,
+  cleartext: bigint,
+  signature: Hex,
+  publicClient: PublicClient
+): Promise<boolean> {
+  const expectedSigner = await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: decryptResultSignerAbi,
+    functionName: 'decryptResultSigner',
+    args: [],
+  });
+
+  if (isAddressEqual(expectedSigner, zeroAddress)) return true;
+
+  const ctHash = BigInt(handle);
+  const messageHash = keccak256(encodePacked(['uint256', 'uint256'], [ctHash, cleartext]));
+
+  try {
+    const recovered = await recoverAddress({ hash: messageHash, signature });
+    return isAddressEqual(recovered, expectedSigner);
+  } catch {
+    return false;
+  }
+}

package/core/encrypt/MockZkVerifierAbi.ts

@@ -0,0 +1,106 @@
+export const MockZkVerifierAbi = [
+  {
+    type: 'function',
+    name: 'exists',
+    inputs: [],
+    outputs: [{ name: '', type: 'bool', internalType: 'bool' }],
+    stateMutability: 'pure',
+  },
+  {
+    type: 'function',
+    name: 'insertCtHash',
+    inputs: [
+      { name: 'ctHash', type: 'uint256', internalType: 'uint256' },
+      { name: 'value', type: 'uint256', internalType: 'uint256' },
+    ],
+    outputs: [],
+    stateMutability: 'nonpayable',
+  },
+  {
+    type: 'function',
+    name: 'insertPackedCtHashes',
+    inputs: [
+      { name: 'ctHashes', type: 'uint256[]', internalType: 'uint256[]' },
+      { name: 'values', type: 'uint256[]', internalType: 'uint256[]' },
+    ],
+    outputs: [],
+    stateMutability: 'nonpayable',
+  },
+  {
+    type: 'function',
+    name: 'zkVerify',
+    inputs: [
+      { name: 'value', type: 'uint256', internalType: 'uint256' },
+      { name: 'utype', type: 'uint8', internalType: 'uint8' },
+      { name: 'user', type: 'address', internalType: 'address' },
+      { name: 'securityZone', type: 'uint8', internalType: 'uint8' },
+      { name: '', type: 'uint256', internalType: 'uint256' },
+    ],
+    outputs: [
+      {
+        name: '',
+        type: 'tuple',
+        internalType: 'struct EncryptedInput',
+        components: [
+          { name: 'ctHash', type: 'uint256', internalType: 'uint256' },
+          { name: 'securityZone', type: 'uint8', internalType: 'uint8' },
+          { name: 'utype', type: 'uint8', internalType: 'uint8' },
+          { name: 'signature', type: 'bytes', internalType: 'bytes' },
+        ],
+      },
+    ],
+    stateMutability: 'nonpayable',
+  },
+  {
+    type: 'function',
+    name: 'zkVerifyCalcCtHash',
+    inputs: [
+      { name: 'value', type: 'uint256', internalType: 'uint256' },
+      { name: 'utype', type: 'uint8', internalType: 'uint8' },
+      { name: 'user', type: 'address', internalType: 'address' },
+      { name: 'securityZone', type: 'uint8', internalType: 'uint8' },
+      { name: '', type: 'uint256', internalType: 'uint256' },
+    ],
+    outputs: [{ name: 'ctHash', type: 'uint256', internalType: 'uint256' }],
+    stateMutability: 'view',
+  },
+  {
+    type: 'function',
+    name: 'zkVerifyCalcCtHashesPacked',
+    inputs: [
+      { name: 'values', type: 'uint256[]', internalType: 'uint256[]' },
+      { name: 'utypes', type: 'uint8[]', internalType: 'uint8[]' },
+      { name: 'user', type: 'address', internalType: 'address' },
+      { name: 'securityZone', type: 'uint8', internalType: 'uint8' },
+      { name: 'chainId', type: 'uint256', internalType: 'uint256' },
+    ],
+    outputs: [{ name: 'ctHashes', type: 'uint256[]', internalType: 'uint256[]' }],
+    stateMutability: 'view',
+  },
+  {
+    type: 'function',
+    name: 'zkVerifyPacked',
+    inputs: [
+      { name: 'values', type: 'uint256[]', internalType: 'uint256[]' },
+      { name: 'utypes', type: 'uint8[]', internalType: 'uint8[]' },
+      { name: 'user', type: 'address', internalType: 'address' },
+      { name: 'securityZone', type: 'uint8', internalType: 'uint8' },
+      { name: 'chainId', type: 'uint256', internalType: 'uint256' },
+    ],
+    outputs: [
+      {
+        name: 'inputs',
+        type: 'tuple[]',
+        internalType: 'struct EncryptedInput[]',
+        components: [
+          { name: 'ctHash', type: 'uint256', internalType: 'uint256' },
+          { name: 'securityZone', type: 'uint8', internalType: 'uint8' },
+          { name: 'utype', type: 'uint8', internalType: 'uint8' },
+          { name: 'signature', type: 'bytes', internalType: 'bytes' },
+        ],
+      },
+    ],
+    stateMutability: 'nonpayable',
+  },
+  { type: 'error', name: 'InvalidInputs', inputs: [] },
+] as const;