@cofhe/sdk 0.3.2 → 0.5.0

package/permits/permit.ts

@@ -22,7 +22,6 @@ import {
   validateImportPermit,
   ValidationUtils,
 } from './validation.js';
-import * as z from 'zod';
 import { SignatureUtils } from './signature.js';
 import { GenerateSealingKey, SealingKey } from './sealing.js';
 import { checkPermitValidityOnChain, getAclEIP712Domain } from './onchain-utils.js';
@@ -217,9 +216,9 @@ export const PermitUtils = {
   },
 
   /**
-   * Validate a permit
+   * Validate a permit (schema-level validation)
    */
-  validate: (permit: Permit) => {
+  validateSchema: (permit: Permit) => {
     if (permit.type === 'self') {
       return validateSelfPermit(permit);
     } else if (permit.type === 'sharing') {
@@ -231,12 +230,28 @@ export const PermitUtils = {
     }
   },
 
+  /**
+   * Validate a permit (holistic validation).
+   *
+   * This validates:
+   * - Permit schema (shape + invariants)
+   * - Permit is signed
+   * - Permit is not expired
+   *
+   * For schema-only validation, use `validateSchema(permit)`.
+   */
+  validate: (permit: Permit) => {
+    const validated = PermitUtils.validateSchema(permit);
+    ValidationUtils.assertSignedAndNotExpired(validated as Permit);
+    return validated;
+  },
+
   /**
    * Get the permission object from a permit (for use in contracts)
    */
   getPermission: (permit: Permit, skipValidation = false): Permission => {
     if (!skipValidation) {
-      PermitUtils.validate(permit);
+      PermitUtils.validateSchema(permit);
     }
 
     return {
@@ -308,8 +323,19 @@ export const PermitUtils = {
   },
 
   /**
-   * Check if permit is valid
+   * Check if permit is signed and not expired
    */
+  isSignedAndNotExpired: (permit: Permit) => {
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  },
+
+  /**
+   * Assert that permit is signed and not expired
+   */
+  assertSignedAndNotExpired: (permit: Permit): void => {
+    return ValidationUtils.assertSignedAndNotExpired(permit);
+  },
+
   isValid: (permit: Permit) => {
     return ValidationUtils.isValid(permit);
   },

package/permits/sealing.ts

@@ -1,4 +1,4 @@
-import * as nacl from 'tweetnacl';
+import nacl from 'tweetnacl';
 import { fromHexString, toBeArray, toBigInt, toHexString, isBigIntOrNumber, isString } from './utils.js';
 
 const PRIVATE_KEY_LENGTH = 64;

package/permits/{localstorage.test.ts → test/localstorage.test.ts}

@@ -11,8 +11,8 @@ import {
   setActivePermitHash,
   PermitUtils,
   permitStore,
-} from './index.js';
-import { createMockPermit } from './test-utils.js';
+} from '../index.js';
+import { createMockPermit } from '../test-utils.js';
 
 // Type declarations for happy-dom environment
 declare const localStorage: {

package/permits/{permit.test.ts → test/permit.test.ts}

@@ -4,7 +4,7 @@ import {
   type CreateSelfPermitOptions,
   type CreateSharingPermitOptions,
   type ImportSharedPermitOptions,
-} from './index.js';
+} from '../index.js';
 import { createPublicClient, createWalletClient, http, type PublicClient, type WalletClient } from 'viem';
 import { arbitrumSepolia } from 'viem/chains';
 import { privateKeyToAccount } from 'viem/accounts';
@@ -399,6 +399,29 @@ describe('PermitUtils Tests', () => {
       expect(parsed).not.toHaveProperty('sealingPair');
       expect(parsed).not.toHaveProperty('issuerSignature');
     });
+
+    it('should export sharing permit data with recipient and issuerSignature', async () => {
+      const permit = await PermitUtils.createSharingAndSign(
+        {
+          issuer: bobAddress,
+          recipient: aliceAddress,
+          name: 'Test Sharing Permit',
+        },
+        publicClient,
+        bobWalletClient
+      );
+
+      const exported = PermitUtils.export(permit);
+      const parsed = JSON.parse(exported);
+
+      expect(parsed.name).toBe('Test Sharing Permit');
+      expect(parsed.type).toBe('sharing');
+      expect(parsed.issuer).toBe(bobAddress);
+      expect(parsed.recipient).toBe(aliceAddress);
+      expect(parsed.issuerSignature).toBeDefined();
+      expect(parsed.issuerSignature).not.toBe('0x');
+      expect(parsed).not.toHaveProperty('sealingPair');
+    });
   });
 
   describe('updateName', () => {
@@ -459,6 +482,17 @@ describe('PermitUtils Tests', () => {
       expect(validation.valid).toBe(true);
       expect(validation.error).toBeNull();
     });
+
+    it('should throw on validate() for expired signed permit', async () => {
+      const expiredPermit = PermitUtils.createSelf({
+        issuer: bobAddress,
+        name: 'Expired Permit',
+        expiration: Math.floor(Date.now() / 1000) - 3600,
+      });
+
+      const signedExpiredPermit = await PermitUtils.sign(expiredPermit, publicClient, bobWalletClient);
+      expect(() => PermitUtils.validate(signedExpiredPermit)).toThrow('Permit is expired');
+    });
   });
 
   describe('real contract interactions', () => {

package/permits/{sealing.test.ts → test/sealing.test.ts}

@@ -1,5 +1,5 @@
 import { describe, it, expect } from 'vitest';
-import { SealingKey, GenerateSealingKey } from './index.js';
+import { SealingKey, GenerateSealingKey } from '../index.js';
 
 describe('SealingKey', () => {
   it('should create a SealingKey with valid keys', () => {

package/permits/{store.test.ts → test/store.test.ts}

@@ -13,9 +13,9 @@ import {
   getActivePermitHash,
   setActivePermitHash,
   PermitUtils,
-} from './index.js';
+} from '../index.js';
 
-import { createMockPermit } from './test-utils.js';
+import { createMockPermit } from '../test-utils.js';
 
 describe('Storage Tests', () => {
   const chainId = 1;

package/permits/{validation.test.ts → test/validation.test.ts}

@@ -11,8 +11,8 @@ import {
   type CreateSelfPermitOptions,
   type CreateSharingPermitOptions,
   type ImportSharedPermitOptions,
-} from './index.js';
-import { createMockPermit } from './test-utils.js';
+} from '../index.js';
+import { createMockPermit } from '../test-utils.js';
 
 describe('Validation Tests', () => {
   describe('validateSelfPermitOptions', () => {
@@ -247,14 +247,14 @@ describe('Validation Tests', () => {
       });
     });
 
-    describe('isValid', () => {
+    describe('isSignedAndNotExpired', () => {
       it('should return valid for valid permit', async () => {
         const permit = {
           ...(await createMockPermit()),
           expiration: Math.floor(Date.now() / 1000) + 3600,
           issuerSignature: '0x1234567890abcdef' as `0x${string}`,
         };
-        const result = ValidationUtils.isValid(permit);
+        const result = ValidationUtils.isSignedAndNotExpired(permit);
         expect(result.valid).toBe(true);
         expect(result.error).toBeNull();
       });
@@ -265,7 +265,7 @@ describe('Validation Tests', () => {
           expiration: Math.floor(Date.now() / 1000) - 3600,
           issuerSignature: '0x1234567890abcdef' as `0x${string}`,
         };
-        const result = ValidationUtils.isValid(permit);
+        const result = ValidationUtils.isSignedAndNotExpired(permit);
         expect(result.valid).toBe(false);
         expect(result.error).toBe('expired');
       });
@@ -276,10 +276,86 @@ describe('Validation Tests', () => {
           expiration: Math.floor(Date.now() / 1000) + 3600,
           issuerSignature: '0x' as `0x${string}`,
         };
-        const result = ValidationUtils.isValid(permit);
+        const result = ValidationUtils.isSignedAndNotExpired(permit);
         expect(result.valid).toBe(false);
         expect(result.error).toBe('not-signed');
       });
     });
+
+    describe('assertSignedAndNotExpired', () => {
+      it('should not throw for valid permit', async () => {
+        const permit = {
+          ...(await createMockPermit()),
+          expiration: Math.floor(Date.now() / 1000) + 3600,
+          issuerSignature: '0x1234567890abcdef' as `0x${string}`,
+        };
+        expect(() => ValidationUtils.assertSignedAndNotExpired(permit)).not.toThrow();
+      });
+
+      it('should throw for expired permit', async () => {
+        const permit = {
+          ...(await createMockPermit()),
+          expiration: Math.floor(Date.now() / 1000) - 3600,
+          issuerSignature: '0x1234567890abcdef' as `0x${string}`,
+        };
+        expect(() => ValidationUtils.assertSignedAndNotExpired(permit)).toThrow('Permit is expired');
+      });
+
+      it('should throw for unsigned permit', async () => {
+        const permit = {
+          ...(await createMockPermit()),
+          expiration: Math.floor(Date.now() / 1000) + 3600,
+          issuerSignature: '0x' as `0x${string}`,
+        };
+        expect(() => ValidationUtils.assertSignedAndNotExpired(permit)).toThrow('Permit is not signed');
+      });
+    });
+
+    describe('isValid', () => {
+      it('should return invalid-schema for schema-invalid permit', async () => {
+        const permit = {
+          ...(await createMockPermit()),
+          type: 'self' as const,
+          expiration: Math.floor(Date.now() / 1000) + 3600,
+          issuerSignature: '0x1234567890abcdef' as `0x${string}`,
+          // Self permits must have recipient == zeroAddress per schema.
+          recipient: '0x70997970C51812dc3A010C7d01b50e0d17dc79C8' as `0x${string}`,
+        };
+
+        const result = ValidationUtils.isValid(permit as unknown as Permit);
+        expect(result.valid).toBe(false);
+        expect(result.error).toBe('invalid-schema');
+      });
+
+      it('should return expired for expired but otherwise schema-valid permit', async () => {
+        const permit = {
+          ...(await createMockPermit()),
+          type: 'self' as const,
+          expiration: Math.floor(Date.now() / 1000) - 3600,
+          issuerSignature: '0x1234567890abcdef' as `0x${string}`,
+          recipient: '0x0000000000000000000000000000000000000000' as `0x${string}`,
+          recipientSignature: '0x' as `0x${string}`,
+        };
+
+        const result = ValidationUtils.isValid(permit as unknown as Permit);
+        expect(result.valid).toBe(false);
+        expect(result.error).toBe('expired');
+      });
+
+      it('should return valid for schema-valid, signed, non-expired permit', async () => {
+        const permit = {
+          ...(await createMockPermit()),
+          type: 'self' as const,
+          expiration: Math.floor(Date.now() / 1000) + 3600,
+          issuerSignature: '0x1234567890abcdef' as `0x${string}`,
+          recipient: '0x0000000000000000000000000000000000000000' as `0x${string}`,
+          recipientSignature: '0x' as `0x${string}`,
+        };
+
+        const result = ValidationUtils.isValid(permit as unknown as Permit);
+        expect(result.valid).toBe(true);
+        expect(result.error).toBeNull();
+      });
+    });
   });
 });

package/permits/types.ts

@@ -189,7 +189,7 @@ export type PermitHashFields = Pick<
  */
 export interface ValidationResult {
   valid: boolean;
-  error: string | null;
+  error: 'invalid-schema' | 'expired' | 'not-signed' | null;
 }
 
 /**

package/permits/validation.ts

@@ -273,9 +273,9 @@ export const ValidationUtils = {
   },
 
   /**
-   * Overall validity checker of a permit
+   * Checks that a permit is signed and not expired.
    */
-  isValid: (permit: Permit): ValidationResult => {
+  isSignedAndNotExpired: (permit: Permit): ValidationResult => {
     if (ValidationUtils.isExpired(permit)) {
       return { valid: false, error: 'expired' };
     }
@@ -284,4 +284,44 @@ export const ValidationUtils = {
     }
     return { valid: true, error: null };
   },
+
+  /**
+   * Asserts that a permit is signed and not expired.
+   *
+   * Throws `Error` with message:
+   * - `Permit is expired`
+   * - `Permit is not signed`
+   */
+  assertSignedAndNotExpired: (permit: Permit): void => {
+    const result = ValidationUtils.isSignedAndNotExpired(permit);
+    if (result.valid) return;
+
+    if (result.error === 'expired') {
+      throw new Error('Permit is expired');
+    }
+    if (result.error === 'not-signed') {
+      throw new Error('Permit is not signed');
+    }
+
+    // Should be unreachable, but keeps this future-proof.
+    throw new Error('Permit is invalid');
+  },
+
+  isValid: (permit: Permit): ValidationResult => {
+    const schema =
+      permit.type === 'self'
+        ? SelfPermitValidator
+        : permit.type === 'sharing'
+          ? SharingPermitValidator
+          : permit.type === 'recipient'
+            ? ImportPermitValidator
+            : null;
+
+    if (schema == null) return { valid: false, error: 'invalid-schema' };
+
+    const schemaResult = schema.safeParse(permit);
+    if (!schemaResult.success) return { valid: false, error: 'invalid-schema' };
+
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  },
 };

package/web/const.ts

@@ -0,0 +1,2 @@
+export const hasDOM =
+  typeof (globalThis as any)?.document !== 'undefined' && typeof (globalThis as any)?.window !== 'undefined';

package/web/index.ts

@@ -10,16 +10,18 @@ import {
   type FheKeyDeserializer,
   type EncryptableItem,
   fheTypeToString,
+  TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT,
 } from '@/core';
 
 // Import web-specific storage (internal use only)
-import { createWebStorage } from './storage.js';
+import { createSsrStorage, createWebStorage } from './storage.js';
 
 // Import worker manager
 import { getWorkerManager, terminateWorker, areWorkersAvailable } from './workerManager.js';
 
 // Import tfhe for web
 import init, { init_panic_hook, TfheCompactPublicKey, ProvenCompactCiphertextList, CompactPkeCrs } from 'tfhe';
+import { hasDOM } from './const';
 
 /**
  * Internal function to initialize TFHE for web
@@ -45,12 +47,20 @@ const fromHexString = (hexString: string): Uint8Array => {
   return new Uint8Array(arr.map((byte) => parseInt(byte, 16)));
 };
 
+const _deserializeTfhePublicKey = (buff: string): TfheCompactPublicKey => {
+  return TfheCompactPublicKey.safe_deserialize(fromHexString(buff), TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT);
+};
+
+const _deserializeCompactPkeCrs = (buff: string): CompactPkeCrs => {
+  return CompactPkeCrs.safe_deserialize(fromHexString(buff), TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT);
+};
+
 /**
  * Serializer for TFHE public keys
  * Validates that the buffer can be deserialized into a TfheCompactPublicKey
  */
 const tfhePublicKeyDeserializer: FheKeyDeserializer = (buff: string): void => {
-  TfheCompactPublicKey.deserialize(fromHexString(buff));
+  _deserializeTfhePublicKey(buff);
 };
 
 /**
@@ -58,7 +68,7 @@ const tfhePublicKeyDeserializer: FheKeyDeserializer = (buff: string): void => {
  * Validates that the buffer can be deserialized into ZkCompactPkePublicParams
  */
 const compactPkeCrsDeserializer: FheKeyDeserializer = (buff: string): void => {
-  CompactPkeCrs.deserialize(fromHexString(buff));
+  _deserializeCompactPkeCrs(buff);
 };
 
 /**
@@ -66,9 +76,9 @@ const compactPkeCrsDeserializer: FheKeyDeserializer = (buff: string): void => {
  * This is used internally by the SDK to create encrypted inputs
  */
 const zkBuilderAndCrsGenerator: ZkBuilderAndCrsGenerator = (fhe: string, crs: string) => {
-  const fhePublicKey = TfheCompactPublicKey.deserialize(fromHexString(fhe));
+  const fhePublicKey = _deserializeTfhePublicKey(fhe);
   const zkBuilder = ProvenCompactCiphertextList.builder(fhePublicKey);
-  const zkCrs = CompactPkeCrs.deserialize(fromHexString(crs));
+  const zkCrs = _deserializeCompactPkeCrs(crs);
 
   return { zkBuilder, zkCrs };
 };
@@ -103,7 +113,8 @@ export function createCofheConfig(config: CofheInputConfig): CofheConfig {
   return createCofheConfigBase({
     environment: 'web',
     ...config,
-    fheKeyStorage: config.fheKeyStorage === null ? null : config.fheKeyStorage ?? createWebStorage(),
+    fheKeyStorage:
+      config.fheKeyStorage === null ? null : config.fheKeyStorage ?? (hasDOM ? createWebStorage() : createSsrStorage()),
   });
 }
 
@@ -159,3 +170,6 @@ export function createCofheClientWithCustomWorker(
     zkProveWorkerFn: customZkProveWorkerFn,
   });
 }
+
+export { createSsrStorage };
+export { hasDOM } from './const';

package/web/storage.ts

@@ -1,15 +1,19 @@
 import type { IStorage } from '@/core';
 import { constructClient } from 'iframe-shared-storage';
+import { hasDOM } from './const';
 /**
- * Creates a web storage implementation using IndexedDB
+ * Creates a web storage implementation using IndexedDB.
+ * Must only be called in a browser environment (requires `document` for iframe injection).
  * @returns IStorage implementation for browser environments
  */
-export const createWebStorage = (): IStorage => {
+export const createWebStorage = (opts = { enableLog: false }): IStorage => {
+  if (!hasDOM) throw new Error('createWebStorage can only be used in a browser environment');
+
   const client = constructClient({
     iframe: {
       src: 'https://iframe-shared-storage.vercel.app/hub.html',
       messagingOptions: {
-        enableLog: 'both',
+        enableLog: opts.enableLog ? 'both' : undefined,
       },
 
       iframeReadyTimeoutMs: 30_000, // if the iframe is not initied during this interval AND a reuqest is made, such request will throw an error
@@ -32,3 +36,14 @@ export const createWebStorage = (): IStorage => {
     },
   };
 };
+
+export function createSsrStorage(): IStorage {
+  // TODO: consider doing something like wagmi's cookies storage for SSR - this in-memory storage will not persist across requests, but it also won't throw errors if accessed in SSR (e.g. during getServerSideProps in Next.js)
+  // https://wagmi.sh/react/guides/ssr#_1-set-up-cookie-storage
+  console.warn('using no-op server-side SSR storage');
+  return {
+    getItem: async () => null,
+    setItem: async () => {},
+    removeItem: async () => {},
+  };
+}

package/web/{client.web.test.ts → test/client.web.test.ts}

@@ -6,7 +6,7 @@ import { arbitrumSepolia as viemArbitrumSepolia } from 'viem/chains';
 import type { PublicClient, WalletClient } from 'viem';
 import { createPublicClient, createWalletClient, http } from 'viem';
 import { privateKeyToAccount } from 'viem/accounts';
-import { createCofheClient, createCofheConfig } from './index.js';
+import { createCofheClient, createCofheConfig } from '../index.js';
 
 // Real test setup - runs in browser
 const TEST_PRIVATE_KEY = '0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80';
@@ -141,7 +141,19 @@ describe('@cofhe/web - Client', () => {
       expect(builder).toBeDefined();
       expect(typeof builder.setChainId).toBe('function');
       expect(typeof builder.setAccount).toBe('function');
+      expect(typeof builder.onPoll).toBe('function');
       expect(typeof builder.execute).toBe('function');
     }, 30000);
+
+    it('should create decryptForTx builder after connection', async () => {
+      await cofheClient.connect(publicClient, walletClient);
+
+      const builder = cofheClient.decryptForTx('0x123');
+
+      expect(builder).toBeDefined();
+      expect(typeof builder.setChainId).toBe('function');
+      expect(typeof builder.setAccount).toBe('function');
+      expect(typeof builder.onPoll).toBe('function');
+    }, 30000);
   });
 });

package/web/test/config.web.test.ts

@@ -0,0 +1,16 @@
+import { arbSepolia } from '@/chains';
+
+import { describe, it, expect } from 'vitest';
+import { createCofheConfig } from '../index.js';
+
+describe('@cofhe/web - Config', () => {
+  it('should automatically inject IndexedDB storage as default', () => {
+    const config = createCofheConfig({
+      supportedChains: [arbSepolia],
+    });
+
+    expect(config.fheKeyStorage).toBeDefined();
+    expect(config.fheKeyStorage).not.toBeNull();
+    expect(config.supportedChains).toEqual([arbSepolia]);
+  });
+});