@cofhe/sdk 0.0.0-alpha-20260409113701

package/dist/permits.cjs

@@ -0,0 +1,1025 @@
+'use strict';
+
+var viem = require('viem');
+var nacl = require('tweetnacl');
+var zod = require('zod');
+var vanilla = require('zustand/vanilla');
+var middleware = require('zustand/middleware');
+var immer = require('immer');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var nacl__default = /*#__PURE__*/_interopDefault(nacl);
+
+// permits/permit.ts
+
+// permits/utils.ts
+var fromHexString = (hexString) => {
+  const cleanString = hexString.length % 2 === 1 ? `0${hexString}` : hexString;
+  const arr = cleanString.replace(/^0x/, "").match(/.{1,2}/g);
+  if (!arr)
+    return new Uint8Array();
+  return new Uint8Array(arr.map((byte) => parseInt(byte, 16)));
+};
+var toHexString = (bytes) => bytes.reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
+function toBigInt(value) {
+  if (typeof value === "string") {
+    return BigInt(value);
+  } else if (typeof value === "number") {
+    return BigInt(value);
+  } else if (typeof value === "object") {
+    return BigInt("0x" + toHexString(value));
+  } else {
+    return value;
+  }
+}
+function toBeArray(value) {
+  const bigIntValue = typeof value === "number" ? BigInt(value) : value;
+  const hex = bigIntValue.toString(16);
+  const paddedHex = hex.length % 2 === 0 ? hex : "0" + hex;
+  return fromHexString(paddedHex);
+}
+function isString(value) {
+  if (typeof value !== "string") {
+    throw new Error(`Expected value which is \`string\`, received value of type \`${typeof value}\`.`);
+  }
+}
+function isNumber(value) {
+  const is = typeof value === "number" && !Number.isNaN(value);
+  if (!is) {
+    throw new Error(`Expected value which is \`number\`, received value of type \`${typeof value}\`.`);
+  }
+}
+function isBigIntOrNumber(value) {
+  const is = typeof value === "bigint";
+  if (!is) {
+    try {
+      isNumber(value);
+    } catch (e) {
+      throw new Error(`Value ${value} is not a number or bigint: ${typeof value}`);
+    }
+  }
+}
+
+// permits/sealing.ts
+var PRIVATE_KEY_LENGTH = 64;
+var PUBLIC_KEY_LENGTH = 64;
+var SealingKey = class _SealingKey {
+  /**
+   * The private key used for decryption.
+   */
+  privateKey;
+  /**
+   * The public key used for encryption.
+   */
+  publicKey;
+  /**
+   * Constructs a SealingKey instance with the given private and public keys.
+   *
+   * @param {string} privateKey - The private key used for decryption.
+   * @param {string} publicKey - The public key used for encryption.
+   * @throws Will throw an error if the provided keys lengths do not match
+   *         the required lengths for private and public keys.
+   */
+  constructor(privateKey, publicKey) {
+    if (privateKey.length !== PRIVATE_KEY_LENGTH) {
+      throw new Error(`Private key must be of length ${PRIVATE_KEY_LENGTH}`);
+    }
+    if (publicKey.length !== PUBLIC_KEY_LENGTH) {
+      throw new Error(`Public key must be of length ${PUBLIC_KEY_LENGTH}`);
+    }
+    this.privateKey = privateKey;
+    this.publicKey = publicKey;
+  }
+  unseal = (parsedData) => {
+    const nonce = parsedData.nonce instanceof Uint8Array ? parsedData.nonce : new Uint8Array(parsedData.nonce);
+    const ephemPublicKey = parsedData.public_key instanceof Uint8Array ? parsedData.public_key : new Uint8Array(parsedData.public_key);
+    const dataToDecrypt = parsedData.data instanceof Uint8Array ? parsedData.data : new Uint8Array(parsedData.data);
+    const privateKeyBytes = fromHexString(this.privateKey);
+    const decryptedMessage = nacl__default.default.box.open(dataToDecrypt, nonce, ephemPublicKey, privateKeyBytes);
+    if (!decryptedMessage) {
+      throw new Error("Failed to decrypt message");
+    }
+    return toBigInt(decryptedMessage);
+  };
+  /**
+   * Serializes the SealingKey to a JSON object.
+   */
+  serialize = () => {
+    return {
+      privateKey: this.privateKey,
+      publicKey: this.publicKey
+    };
+  };
+  /**
+   * Deserializes the SealingKey from a JSON object.
+   */
+  static deserialize = (privateKey, publicKey) => {
+    return new _SealingKey(privateKey, publicKey);
+  };
+  /**
+   * Seals (encrypts) the provided message for a receiver with the specified public key.
+   *
+   * @param {bigint | number} value - The message to be encrypted.
+   * @param {string} publicKey - The public key of the intended recipient.
+   * @returns string - The encrypted message in hexadecimal format.
+   * @static
+   * @throws Will throw if the provided publicKey or value do not meet defined preconditions.
+   */
+  static seal = (value, publicKey) => {
+    isString(publicKey);
+    isBigIntOrNumber(value);
+    const ephemeralKeyPair = nacl__default.default.box.keyPair();
+    const nonce = nacl__default.default.randomBytes(nacl__default.default.box.nonceLength);
+    const encryptedMessage = nacl__default.default.box(toBeArray(value), nonce, fromHexString(publicKey), ephemeralKeyPair.secretKey);
+    return {
+      data: encryptedMessage,
+      public_key: ephemeralKeyPair.publicKey,
+      nonce
+    };
+  };
+};
+var GenerateSealingKey = () => {
+  const sodiumKeypair = nacl__default.default.box.keyPair();
+  return new SealingKey(toHexString(sodiumKeypair.secretKey), toHexString(sodiumKeypair.publicKey));
+};
+var SerializedSealingPair = zod.z.object({
+  privateKey: zod.z.string(),
+  publicKey: zod.z.string()
+});
+var addressSchema = zod.z.string().refine((val) => viem.isAddress(val), {
+  error: "Invalid address"
+}).transform((val) => viem.getAddress(val));
+var addressNotZeroSchema = addressSchema.refine((val) => val !== viem.zeroAddress, {
+  error: "Must not be zeroAddress"
+});
+var bytesSchema = zod.z.custom(
+  (val) => {
+    return typeof val === "string" && viem.isHex(val);
+  },
+  {
+    message: "Invalid hex value"
+  }
+);
+var bytesNotEmptySchema = bytesSchema.refine((val) => val !== "0x", {
+  error: "Must not be empty"
+});
+var DEFAULT_EXPIRATION_FN = () => Math.round(Date.now() / 1e3) + 7 * 24 * 60 * 60;
+var zPermitWithDefaults = zod.z.object({
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  type: zod.z.enum(["self", "sharing", "recipient"]),
+  issuer: addressNotZeroSchema,
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  recipient: addressSchema.optional().default(viem.zeroAddress),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+});
+var zPermitWithSealingPair = zPermitWithDefaults.extend({
+  sealingPair: SerializedSealingPair.optional()
+});
+var ExternalValidatorRefinement = [
+  (data) => data.validatorId !== 0 && data.validatorContract !== viem.zeroAddress || data.validatorId === 0 && data.validatorContract === viem.zeroAddress,
+  {
+    error: "Permit external validator :: validatorId and validatorContract must either both be set or both be unset.",
+    path: ["validatorId", "validatorContract"]
+  }
+];
+var RecipientRefinement = [
+  (data) => data.issuer !== data.recipient,
+  {
+    error: "Sharing permit :: issuer and recipient must not be the same",
+    path: ["issuer", "recipient"]
+  }
+];
+var SelfPermitOptionsValidator = zod.z.object({
+  type: zod.z.literal("self").optional().default("self"),
+  issuer: addressNotZeroSchema,
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  recipient: addressSchema.optional().default(viem.zeroAddress),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...ExternalValidatorRefinement);
+var SelfPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "self", {
+  error: "Type must be 'self'"
+}).refine((data) => data.recipient === viem.zeroAddress, {
+  error: "Recipient must be zeroAddress"
+}).refine((data) => data.issuerSignature !== "0x", {
+  error: "IssuerSignature must be populated"
+}).refine((data) => data.recipientSignature === "0x", {
+  error: "RecipientSignature must be empty"
+}).refine(...ExternalValidatorRefinement);
+var SharingPermitOptionsValidator = zod.z.object({
+  type: zod.z.literal("sharing").optional().default("sharing"),
+  issuer: addressNotZeroSchema,
+  recipient: addressNotZeroSchema,
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...RecipientRefinement).refine(...ExternalValidatorRefinement);
+var SharingPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "sharing", {
+  error: "Type must be 'sharing'"
+}).refine((data) => data.recipient !== viem.zeroAddress, {
+  error: "Recipient must not be zeroAddress"
+}).refine((data) => data.issuerSignature !== "0x", {
+  error: "IssuerSignature must be populated"
+}).refine((data) => data.recipientSignature === "0x", {
+  error: "RecipientSignature must be empty"
+}).refine(...ExternalValidatorRefinement);
+var ImportPermitOptionsValidator = zod.z.object({
+  type: zod.z.literal("recipient").optional().default("recipient"),
+  issuer: addressNotZeroSchema,
+  recipient: addressNotZeroSchema,
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  expiration: zod.z.int(),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesNotEmptySchema,
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...ExternalValidatorRefinement);
+var ImportPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "recipient", {
+  error: "Type must be 'recipient'"
+}).refine((data) => data.recipient !== viem.zeroAddress, {
+  error: "Recipient must not be zeroAddress"
+}).refine((data) => data.issuerSignature !== "0x", {
+  error: "IssuerSignature must be populated"
+}).refine((data) => data.recipientSignature !== "0x", {
+  error: "RecipientSignature must be populated"
+}).refine(...ExternalValidatorRefinement);
+var safeParseAndThrowFormatted = (schema, data, message) => {
+  const result = schema.safeParse(data);
+  if (!result.success) {
+    throw new Error(`${message}: ${zod.z.prettifyError(result.error)}`, { cause: result.error });
+  }
+  return result.data;
+};
+var validateSelfPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(SelfPermitOptionsValidator, options, "Invalid self permit options");
+};
+var validateSharingPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(SharingPermitOptionsValidator, options, "Invalid sharing permit options");
+};
+var validateImportPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(ImportPermitOptionsValidator, options, "Invalid import permit options");
+};
+var validateSelfPermit = (permit) => {
+  return safeParseAndThrowFormatted(SelfPermitValidator, permit, "Invalid self permit");
+};
+var validateSharingPermit = (permit) => {
+  return safeParseAndThrowFormatted(SharingPermitValidator, permit, "Invalid sharing permit");
+};
+var validateImportPermit = (permit) => {
+  return safeParseAndThrowFormatted(ImportPermitValidator, permit, "Invalid import permit");
+};
+var ValidationUtils = {
+  /**
+   * Check if permit is expired
+   */
+  isExpired: (permit) => {
+    return permit.expiration < Math.floor(Date.now() / 1e3);
+  },
+  /**
+   * Check if permit is signed by the active party
+   */
+  isSigned: (permit) => {
+    if (permit.type === "self" || permit.type === "sharing") {
+      return permit.issuerSignature !== "0x";
+    }
+    if (permit.type === "recipient") {
+      return permit.recipientSignature !== "0x";
+    }
+    return false;
+  },
+  /**
+   * Checks that a permit is signed and not expired.
+   */
+  isSignedAndNotExpired: (permit) => {
+    if (ValidationUtils.isExpired(permit)) {
+      return { valid: false, error: "expired" };
+    }
+    if (!ValidationUtils.isSigned(permit)) {
+      return { valid: false, error: "not-signed" };
+    }
+    return { valid: true, error: null };
+  },
+  /**
+   * Asserts that a permit is signed and not expired.
+   *
+   * Throws `Error` with message:
+   * - `Permit is expired`
+   * - `Permit is not signed`
+   */
+  assertSignedAndNotExpired: (permit) => {
+    const result = ValidationUtils.isSignedAndNotExpired(permit);
+    if (result.valid)
+      return;
+    if (result.error === "expired") {
+      throw new Error("Permit is expired");
+    }
+    if (result.error === "not-signed") {
+      throw new Error("Permit is not signed");
+    }
+    throw new Error("Permit is invalid");
+  },
+  isValid: (permit) => {
+    const schema = permit.type === "self" ? SelfPermitValidator : permit.type === "sharing" ? SharingPermitValidator : permit.type === "recipient" ? ImportPermitValidator : null;
+    if (schema == null)
+      return { valid: false, error: "invalid-schema" };
+    const schemaResult = schema.safeParse(permit);
+    if (!schemaResult.success)
+      return { valid: false, error: "invalid-schema" };
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  }
+};
+
+// permits/signature.ts
+var PermitSignatureAllFields = [
+  { name: "issuer", type: "address" },
+  { name: "expiration", type: "uint64" },
+  { name: "recipient", type: "address" },
+  { name: "validatorId", type: "uint256" },
+  { name: "validatorContract", type: "address" },
+  { name: "sealingKey", type: "bytes32" },
+  { name: "issuerSignature", type: "bytes" }
+];
+var SignatureTypes = {
+  PermissionedV2IssuerSelf: [
+    "issuer",
+    "expiration",
+    "recipient",
+    "validatorId",
+    "validatorContract",
+    "sealingKey"
+  ],
+  PermissionedV2IssuerShared: [
+    "issuer",
+    "expiration",
+    "recipient",
+    "validatorId",
+    "validatorContract"
+  ],
+  PermissionedV2Recipient: ["sealingKey", "issuerSignature"]
+};
+var getSignatureTypesAndMessage = (primaryType, fields, values) => {
+  const types = {
+    [primaryType]: PermitSignatureAllFields.filter((fieldType) => fields.includes(fieldType.name))
+  };
+  const message = {};
+  fields.forEach((field) => {
+    if (field in values) {
+      message[field] = values[field];
+    }
+  });
+  return { types, primaryType, message };
+};
+var SignatureUtils = {
+  /**
+   * Get signature parameters for a permit
+   */
+  getSignatureParams: (permit, primaryType) => {
+    return getSignatureTypesAndMessage(primaryType, SignatureTypes[primaryType], permit);
+  },
+  /**
+   * Determine the required signature type based on permit type
+   */
+  getPrimaryType: (permitType) => {
+    if (permitType === "self")
+      return "PermissionedV2IssuerSelf";
+    if (permitType === "sharing")
+      return "PermissionedV2IssuerShared";
+    if (permitType === "recipient")
+      return "PermissionedV2Recipient";
+    throw new Error(`Unknown permit type: ${permitType}`);
+  }
+};
+
+// core/consts.ts
+var TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
+
+// permits/onchain-utils.ts
+var getAclAddress = async (publicClient) => {
+  const ACL_IFACE = "function acl() view returns (address)";
+  const aclAbi = viem.parseAbi([ACL_IFACE]);
+  return await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: aclAbi,
+    functionName: "acl"
+  });
+};
+var getAclEIP712Domain = async (publicClient) => {
+  const aclAddress = await getAclAddress(publicClient);
+  const EIP712_DOMAIN_IFACE = "function eip712Domain() public view returns (bytes1 fields, string name, string version, uint256 chainId, address verifyingContract, bytes32 salt, uint256[] extensions)";
+  const domainAbi = viem.parseAbi([EIP712_DOMAIN_IFACE]);
+  const domain = await publicClient.readContract({
+    address: aclAddress,
+    abi: domainAbi,
+    functionName: "eip712Domain"
+  });
+  const [_fields, name, version, chainId, verifyingContract, _salt, _extensions] = domain;
+  return {
+    name,
+    version,
+    chainId: Number(chainId),
+    verifyingContract
+  };
+};
+var checkPermitValidityOnChain = async (permission, publicClient) => {
+  const aclAddress = await getAclAddress(publicClient);
+  try {
+    await publicClient.simulateContract({
+      address: aclAddress,
+      abi: checkPermitValidityAbi,
+      functionName: "checkPermitValidity",
+      args: [
+        {
+          issuer: permission.issuer,
+          expiration: BigInt(permission.expiration),
+          recipient: permission.recipient,
+          validatorId: BigInt(permission.validatorId),
+          validatorContract: permission.validatorContract,
+          sealingKey: permission.sealingKey,
+          issuerSignature: permission.issuerSignature,
+          recipientSignature: permission.recipientSignature
+        }
+      ]
+    });
+    return true;
+  } catch (err) {
+    if (err instanceof viem.BaseError) {
+      const revertError = err.walk((err2) => err2 instanceof viem.ContractFunctionRevertedError);
+      if (revertError instanceof viem.ContractFunctionRevertedError) {
+        const errorName = revertError.data?.errorName ?? "";
+        throw new Error(errorName);
+      }
+    }
+    const customErrorName = extractCustomErrorFromDetails(err, checkPermitValidityAbi);
+    if (customErrorName) {
+      throw new Error(customErrorName);
+    }
+    const hhDetailsData = extractReturnData(err);
+    if (hhDetailsData != null) {
+      const decoded = viem.decodeErrorResult({
+        abi: checkPermitValidityAbi,
+        data: hhDetailsData
+      });
+      throw new Error(decoded.errorName);
+    }
+    throw err;
+  }
+};
+function extractCustomErrorFromDetails(err, abi) {
+  const anyErr = err;
+  const details = anyErr?.details ?? anyErr?.cause?.details;
+  if (typeof details === "string") {
+    const customErrorMatch = details.match(/reverted with custom error '(\w+)\(\)'/);
+    if (customErrorMatch) {
+      const errorName = customErrorMatch[1];
+      const errorExists = abi.some((item) => item.type === "error" && item.name === errorName);
+      if (errorExists) {
+        return errorName;
+      }
+    }
+  }
+  return void 0;
+}
+function extractReturnData(err) {
+  const anyErr = err;
+  const s = anyErr?.details ?? anyErr?.cause?.details ?? anyErr?.shortMessage ?? anyErr?.message ?? String(err);
+  return s.match(/return data:\s*(0x[a-fA-F0-9]+)/)?.[1];
+}
+var checkPermitValidityAbi = [
+  {
+    type: "function",
+    name: "checkPermitValidity",
+    inputs: [
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          {
+            name: "issuer",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "expiration",
+            type: "uint64",
+            internalType: "uint64"
+          },
+          {
+            name: "recipient",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "validatorId",
+            type: "uint256",
+            internalType: "uint256"
+          },
+          {
+            name: "validatorContract",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "sealingKey",
+            type: "bytes32",
+            internalType: "bytes32"
+          },
+          {
+            name: "issuerSignature",
+            type: "bytes",
+            internalType: "bytes"
+          },
+          {
+            name: "recipientSignature",
+            type: "bytes",
+            internalType: "bytes"
+          }
+        ]
+      }
+    ],
+    outputs: [
+      {
+        name: "",
+        type: "bool",
+        internalType: "bool"
+      }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_Disabled",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_Expired",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_IssuerSignature",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_RecipientSignature",
+    inputs: []
+  }
+];
+
+// permits/permit.ts
+var PermitUtils = {
+  /**
+   * Create a self permit for personal use
+   */
+  createSelf: (options) => {
+    const validation = validateSelfPermitOptions(options);
+    const sealingPair = GenerateSealingKey();
+    const permit = {
+      hash: PermitUtils.getHash(validation),
+      ...validation,
+      sealingPair,
+      _signedDomain: void 0
+    };
+    return permit;
+  },
+  /**
+   * Create a sharing permit to be shared with another user
+   */
+  createSharing: (options) => {
+    const validation = validateSharingPermitOptions(options);
+    const sealingPair = GenerateSealingKey();
+    const permit = {
+      hash: PermitUtils.getHash(validation),
+      ...validation,
+      sealingPair,
+      _signedDomain: void 0
+    };
+    return permit;
+  },
+  /**
+   * Import a shared permit from various input formats
+   */
+  importShared: (options) => {
+    let parsedOptions;
+    if (typeof options === "string") {
+      try {
+        parsedOptions = JSON.parse(options);
+      } catch (error) {
+        throw new Error(`Failed to parse JSON string: ${error}`);
+      }
+    } else if (typeof options === "object" && options !== null) {
+      parsedOptions = options;
+    } else {
+      throw new Error("Invalid input type, expected ImportSharedPermitOptions, object, or string");
+    }
+    if (parsedOptions.type != null && parsedOptions.type !== "sharing") {
+      throw new Error(`Invalid permit type <${parsedOptions.type}>, must be "sharing"`);
+    }
+    const validation = validateImportPermitOptions({ ...parsedOptions, type: "recipient" });
+    const sealingPair = GenerateSealingKey();
+    const permit = {
+      hash: PermitUtils.getHash(validation),
+      ...validation,
+      sealingPair,
+      _signedDomain: void 0
+    };
+    return permit;
+  },
+  /**
+   * Sign a permit with the provided wallet client
+   */
+  sign: async (permit, publicClient, walletClient) => {
+    if (walletClient == null || walletClient.account == null) {
+      throw new Error(
+        "Missing walletClient, you must pass in a `walletClient` for the connected user to create a permit signature"
+      );
+    }
+    const primaryType = SignatureUtils.getPrimaryType(permit.type);
+    const domain = await getAclEIP712Domain(publicClient);
+    const { types, message } = SignatureUtils.getSignatureParams(PermitUtils.getPermission(permit, true), primaryType);
+    const signature = await walletClient.signTypedData({
+      domain,
+      types,
+      primaryType,
+      message,
+      account: walletClient.account
+    });
+    let updatedPermit;
+    if (permit.type === "self" || permit.type === "sharing") {
+      updatedPermit = {
+        ...permit,
+        issuerSignature: signature,
+        _signedDomain: domain
+      };
+    } else {
+      updatedPermit = {
+        ...permit,
+        recipientSignature: signature,
+        _signedDomain: domain
+      };
+    }
+    return updatedPermit;
+  },
+  /**
+   * Create and sign a self permit in one operation
+   */
+  createSelfAndSign: async (options, publicClient, walletClient) => {
+    const permit = PermitUtils.createSelf(options);
+    return PermitUtils.sign(permit, publicClient, walletClient);
+  },
+  /**
+   * Create and sign a sharing permit in one operation
+   */
+  createSharingAndSign: async (options, publicClient, walletClient) => {
+    const permit = PermitUtils.createSharing(options);
+    return PermitUtils.sign(permit, publicClient, walletClient);
+  },
+  /**
+   * Import and sign a shared permit in one operation from various input formats
+   */
+  importSharedAndSign: async (options, publicClient, walletClient) => {
+    const permit = PermitUtils.importShared(options);
+    return PermitUtils.sign(permit, publicClient, walletClient);
+  },
+  /**
+   * Deserialize a permit from serialized data
+   */
+  deserialize: (data) => {
+    return {
+      ...data,
+      sealingPair: SealingKey.deserialize(data.sealingPair.privateKey, data.sealingPair.publicKey)
+    };
+  },
+  /**
+   * Serialize a permit for storage
+   */
+  serialize: (permit) => {
+    return {
+      hash: permit.hash,
+      name: permit.name,
+      type: permit.type,
+      issuer: permit.issuer,
+      expiration: permit.expiration,
+      recipient: permit.recipient,
+      validatorId: permit.validatorId,
+      validatorContract: permit.validatorContract,
+      issuerSignature: permit.issuerSignature,
+      recipientSignature: permit.recipientSignature,
+      _signedDomain: permit._signedDomain,
+      sealingPair: permit.sealingPair.serialize()
+    };
+  },
+  /**
+   * Validate a permit (schema-level validation)
+   */
+  validateSchema: (permit) => {
+    if (permit.type === "self") {
+      return validateSelfPermit(permit);
+    } else if (permit.type === "sharing") {
+      return validateSharingPermit(permit);
+    } else if (permit.type === "recipient") {
+      return validateImportPermit(permit);
+    } else {
+      throw new Error("Invalid permit type");
+    }
+  },
+  /**
+   * Validate a permit (holistic validation).
+   *
+   * This validates:
+   * - Permit schema (shape + invariants)
+   * - Permit is signed
+   * - Permit is not expired
+   *
+   * For schema-only validation, use `validateSchema(permit)`.
+   */
+  validate: (permit) => {
+    const validated = PermitUtils.validateSchema(permit);
+    ValidationUtils.assertSignedAndNotExpired(validated);
+    return validated;
+  },
+  /**
+   * Get the permission object from a permit (for use in contracts)
+   */
+  getPermission: (permit, skipValidation = false) => {
+    if (!skipValidation) {
+      PermitUtils.validateSchema(permit);
+    }
+    return {
+      issuer: permit.issuer,
+      expiration: permit.expiration,
+      recipient: permit.recipient,
+      validatorId: permit.validatorId,
+      validatorContract: permit.validatorContract,
+      sealingKey: `0x${permit.sealingPair.publicKey}`,
+      issuerSignature: permit.issuerSignature,
+      recipientSignature: permit.recipientSignature
+    };
+  },
+  /**
+   * Get a stable hash for the permit (used as key in storage)
+   */
+  getHash: (permit) => {
+    const data = JSON.stringify({
+      type: permit.type,
+      issuer: permit.issuer,
+      expiration: permit.expiration,
+      recipient: permit.recipient,
+      validatorId: permit.validatorId,
+      validatorContract: permit.validatorContract
+    });
+    return viem.keccak256(viem.toHex(data));
+  },
+  /**
+   * Export permit data for sharing (removes sensitive fields)
+   */
+  export: (permit) => {
+    const cleanedPermit = {
+      name: permit.name,
+      type: permit.type,
+      issuer: permit.issuer,
+      expiration: permit.expiration
+    };
+    if (permit.recipient !== viem.zeroAddress)
+      cleanedPermit.recipient = permit.recipient;
+    if (permit.validatorId !== 0)
+      cleanedPermit.validatorId = permit.validatorId;
+    if (permit.validatorContract !== viem.zeroAddress)
+      cleanedPermit.validatorContract = permit.validatorContract;
+    if (permit.type === "sharing" && permit.issuerSignature !== "0x")
+      cleanedPermit.issuerSignature = permit.issuerSignature;
+    return JSON.stringify(cleanedPermit, void 0, 2);
+  },
+  /**
+   * Unseal encrypted data using the permit's sealing key
+   */
+  unseal: (permit, ciphertext) => {
+    return permit.sealingPair.unseal(ciphertext);
+  },
+  /**
+   * Check if permit is expired
+   */
+  isExpired: (permit) => {
+    return ValidationUtils.isExpired(permit);
+  },
+  /**
+   * Check if permit is signed
+   */
+  isSigned: (permit) => {
+    return ValidationUtils.isSigned(permit);
+  },
+  /**
+   * Check if permit is signed and not expired
+   */
+  isSignedAndNotExpired: (permit) => {
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  },
+  /**
+   * Assert that permit is signed and not expired
+   */
+  assertSignedAndNotExpired: (permit) => {
+    return ValidationUtils.assertSignedAndNotExpired(permit);
+  },
+  isValid: (permit) => {
+    return ValidationUtils.isValid(permit);
+  },
+  /**
+   * Update permit name (returns new permit instance)
+   */
+  updateName: (permit, name) => {
+    return { ...permit, name };
+  },
+  /**
+   * Fetch EIP712 domain from the blockchain
+   */
+  fetchEIP712Domain: async (publicClient) => {
+    return getAclEIP712Domain(publicClient);
+  },
+  /**
+   * Check if permit's signed domain matches the provided domain
+   */
+  matchesDomain: (permit, domain) => {
+    return permit._signedDomain?.name === domain.name && permit._signedDomain?.version === domain.version && permit._signedDomain?.verifyingContract === domain.verifyingContract && permit._signedDomain?.chainId === domain.chainId;
+  },
+  /**
+   * Check if permit's signed domain is valid for the current chain
+   */
+  checkSignedDomainValid: async (permit, publicClient) => {
+    if (permit._signedDomain == null)
+      return false;
+    const domain = await getAclEIP712Domain(publicClient);
+    return PermitUtils.matchesDomain(permit, domain);
+  },
+  /**
+   * Check if permit passes the on-chain validation
+   */
+  checkValidityOnChain: async (permit, publicClient) => {
+    const permission = PermitUtils.getPermission(permit);
+    return checkPermitValidityOnChain(permission, publicClient);
+  }
+};
+var PERMIT_STORE_DEFAULTS = {
+  permits: {},
+  activePermitHash: {}
+};
+var _permitStore = vanilla.createStore()(
+  middleware.persist(() => PERMIT_STORE_DEFAULTS, { name: "cofhesdk-permits" })
+);
+var clearStaleStore = () => {
+  const state = _permitStore.getState();
+  const hasExpectedStructure = state && typeof state === "object" && "permits" in state && "activePermitHash" in state && typeof state.permits === "object" && typeof state.activePermitHash === "object";
+  if (hasExpectedStructure)
+    return;
+  _permitStore.setState({ permits: {}, activePermitHash: {} });
+};
+var getPermit = (chainId, account, hash) => {
+  clearStaleStore();
+  if (chainId == null || account == null || hash == null)
+    return;
+  const savedPermit = _permitStore.getState().permits[chainId]?.[account]?.[hash];
+  if (savedPermit == null)
+    return;
+  return PermitUtils.deserialize(savedPermit);
+};
+var getActivePermit = (chainId, account) => {
+  clearStaleStore();
+  if (chainId == null || account == null)
+    return;
+  const activePermitHash = _permitStore.getState().activePermitHash[chainId]?.[account];
+  return getPermit(chainId, account, activePermitHash);
+};
+var getPermits = (chainId, account) => {
+  clearStaleStore();
+  if (chainId == null || account == null)
+    return {};
+  return Object.entries(_permitStore.getState().permits[chainId]?.[account] ?? {}).reduce(
+    (acc, [hash, permit]) => {
+      if (permit == void 0)
+        return acc;
+      return { ...acc, [hash]: PermitUtils.deserialize(permit) };
+    },
+    {}
+  );
+};
+var setPermit = (chainId, account, permit) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.permits[chainId] == null)
+        state.permits[chainId] = {};
+      if (state.permits[chainId][account] == null)
+        state.permits[chainId][account] = {};
+      state.permits[chainId][account][permit.hash] = PermitUtils.serialize(permit);
+    })
+  );
+};
+var removePermit = (chainId, account, hash) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.permits[chainId] == null)
+        state.permits[chainId] = {};
+      if (state.activePermitHash[chainId] == null)
+        state.activePermitHash[chainId] = {};
+      const accountPermits = state.permits[chainId][account];
+      if (accountPermits == null)
+        return;
+      if (accountPermits[hash] == null)
+        return;
+      if (state.activePermitHash[chainId][account] === hash) {
+        state.activePermitHash[chainId][account] = void 0;
+      }
+      accountPermits[hash] = void 0;
+    })
+  );
+};
+var getActivePermitHash = (chainId, account) => {
+  clearStaleStore();
+  if (chainId == null || account == null)
+    return void 0;
+  return _permitStore.getState().activePermitHash[chainId]?.[account];
+};
+var setActivePermitHash = (chainId, account, hash) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.activePermitHash[chainId] == null)
+        state.activePermitHash[chainId] = {};
+      state.activePermitHash[chainId][account] = hash;
+    })
+  );
+};
+var removeActivePermitHash = (chainId, account) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.activePermitHash[chainId])
+        state.activePermitHash[chainId][account] = void 0;
+    })
+  );
+};
+var resetStore = () => {
+  clearStaleStore();
+  _permitStore.setState({ permits: {}, activePermitHash: {} });
+};
+var permitStore = {
+  store: _permitStore,
+  getPermit,
+  getActivePermit,
+  getPermits,
+  setPermit,
+  removePermit,
+  getActivePermitHash,
+  setActivePermitHash,
+  removeActivePermitHash,
+  resetStore
+};
+
+exports.GenerateSealingKey = GenerateSealingKey;
+exports.ImportPermitOptionsValidator = ImportPermitOptionsValidator;
+exports.ImportPermitValidator = ImportPermitValidator;
+exports.PERMIT_STORE_DEFAULTS = PERMIT_STORE_DEFAULTS;
+exports.PermitUtils = PermitUtils;
+exports.SealingKey = SealingKey;
+exports.SelfPermitOptionsValidator = SelfPermitOptionsValidator;
+exports.SelfPermitValidator = SelfPermitValidator;
+exports.SharingPermitOptionsValidator = SharingPermitOptionsValidator;
+exports.SharingPermitValidator = SharingPermitValidator;
+exports.SignatureTypes = SignatureTypes;
+exports.SignatureUtils = SignatureUtils;
+exports.ValidationUtils = ValidationUtils;
+exports._permitStore = _permitStore;
+exports.addressNotZeroSchema = addressNotZeroSchema;
+exports.addressSchema = addressSchema;
+exports.bytesNotEmptySchema = bytesNotEmptySchema;
+exports.bytesSchema = bytesSchema;
+exports.clearStaleStore = clearStaleStore;
+exports.getActivePermit = getActivePermit;
+exports.getActivePermitHash = getActivePermitHash;
+exports.getPermit = getPermit;
+exports.getPermits = getPermits;
+exports.getSignatureTypesAndMessage = getSignatureTypesAndMessage;
+exports.permitStore = permitStore;
+exports.removeActivePermitHash = removeActivePermitHash;
+exports.removePermit = removePermit;
+exports.resetStore = resetStore;
+exports.setActivePermitHash = setActivePermitHash;
+exports.setPermit = setPermit;
+exports.validateImportPermit = validateImportPermit;
+exports.validateImportPermitOptions = validateImportPermitOptions;
+exports.validateSelfPermit = validateSelfPermit;
+exports.validateSelfPermitOptions = validateSelfPermitOptions;
+exports.validateSharingPermit = validateSharingPermit;
+exports.validateSharingPermitOptions = validateSharingPermitOptions;