@dexterai/vault 0.1.0

package/dist/precompile/index.d.ts

@@ -0,0 +1,45 @@
+import { TransactionInstruction } from '@solana/web3.js';
+
+/**
+ * SIMD-0075 secp256r1 precompile builder + WebAuthn precompile message
+ * assembler.
+ *
+ * Place a secp256r1 verify instruction IMMEDIATELY before any vault
+ * instruction that takes a passkey-signed op (set_swig, register_session_key,
+ * revoke_session_key, request_withdrawal, finalize_withdrawal, force_release,
+ * rotate_passkey, prove_passkey). The vault program reads
+ * SYSVAR_INSTRUCTIONS to introspect the sibling and rejects unless it
+ * verifies.
+ */
+
+declare const SIGNATURE_OFFSETS_SERIALIZED_SIZE = 14;
+declare const SIGNATURE_SERIALIZED_SIZE = 64;
+declare const COMPRESSED_PUBKEY_SERIALIZED_SIZE = 33;
+declare const PRECOMPILE_DATA_START = 2;
+declare function buildSecp256r1VerifyInstruction(publicKey: Uint8Array, // 33-byte compressed P-256
+signature: Uint8Array, // 64-byte (r||s)
+message: Uint8Array): TransactionInstruction;
+/**
+ * Build the bytes the precompile verifies against the WebAuthn signature:
+ *   authenticatorData || SHA-256(clientDataJSON)
+ *
+ * Works in Node (via `node:crypto`) and the browser (via SubtleCrypto).
+ */
+declare function buildPrecompileMessage(clientDataJSON: Uint8Array, authenticatorData: Uint8Array): Promise<Uint8Array>;
+
+/**
+ * Solana Ed25519 sigverify precompile builder.
+ *
+ * Layout matches solana-sdk/sdk/src/ed25519_instruction.rs byte-for-byte:
+ *   u8 numSigs + u8 padding + 14-byte SignatureOffsets +
+ *   contiguous pubkey(32) || signature(64) || message
+ *
+ * Place this BEFORE vault::settle_tab_voucher (or any future ix needing
+ * session-key verification) in the same tx.
+ */
+
+declare function buildEd25519VerifyInstruction(pubkey: Uint8Array, // 32 bytes
+signature: Uint8Array, // 64 bytes
+message: Uint8Array): TransactionInstruction;
+
+export { COMPRESSED_PUBKEY_SERIALIZED_SIZE, PRECOMPILE_DATA_START, SIGNATURE_OFFSETS_SERIALIZED_SIZE, SIGNATURE_SERIALIZED_SIZE, buildEd25519VerifyInstruction, buildPrecompileMessage, buildSecp256r1VerifyInstruction };

package/dist/precompile/index.js

@@ -0,0 +1,149 @@
+// src/precompile/secp256r1.ts
+import { TransactionInstruction } from "@solana/web3.js";
+
+// src/constants/index.ts
+import { PublicKey } from "@solana/web3.js";
+var DEXTER_VAULT_PROGRAM_ID = new PublicKey(
+  "Hg3wRaydFtJhYrdvYrKECacpJYDsC9Px7yKmpncj2fhc"
+);
+var SWIG_PROGRAM_ID = new PublicKey(
+  "swigypWHEksbC64pWKwah1WTeh9JXwx8H1rJHLdbQMB"
+);
+var SECP256R1_PROGRAM_ID = new PublicKey(
+  "Secp256r1SigVerify1111111111111111111111111"
+);
+var ED25519_PROGRAM_ID = new PublicKey(
+  "Ed25519SigVerify111111111111111111111111111"
+);
+var INSTRUCTIONS_SYSVAR_ID = new PublicKey(
+  "Sysvar1nstructions1111111111111111111111111"
+);
+var VAULT_SEED_PREFIX = Buffer.from("vault");
+var DISCRIMINATORS = Object.freeze({
+  initialize_vault: Uint8Array.from([48, 191, 163, 44, 71, 129, 63, 164]),
+  set_swig: Uint8Array.from([253, 229, 89, 206, 192, 118, 137, 165]),
+  settle_voucher: Uint8Array.from([144, 176, 128, 220, 156, 79, 41, 54]),
+  request_withdrawal: Uint8Array.from([251, 85, 121, 205, 56, 201, 12, 177]),
+  finalize_withdrawal: Uint8Array.from([178, 87, 206, 68, 201, 186, 164, 232]),
+  force_release: Uint8Array.from([122, 190, 243, 252, 54, 202, 208, 234]),
+  rotate_passkey: Uint8Array.from([28, 134, 49, 89, 196, 34, 58, 174]),
+  rotate_dexter_authority: Uint8Array.from([145, 60, 4, 119, 180, 205, 236, 134]),
+  prove_passkey: Uint8Array.from([35, 175, 41, 143, 201, 118, 49, 184]),
+  settle_tab_voucher: Uint8Array.from([173, 22, 98, 31, 110, 129, 59, 161]),
+  register_session_key: Uint8Array.from([69, 94, 60, 44, 49, 199, 183, 233]),
+  revoke_session_key: Uint8Array.from([81, 192, 32, 110, 104, 116, 144, 151])
+});
+var OTS_SESSION_REGISTER_V1_DOMAIN = (() => {
+  const buf = new Uint8Array(32);
+  buf.set(new TextEncoder().encode("OTS_SESSION_REGISTER_V1"), 0);
+  return buf;
+})();
+var OTS_SESSION_REVOKE_V1_DOMAIN = (() => {
+  const buf = new Uint8Array(32);
+  buf.set(new TextEncoder().encode("OTS_SESSION_REVOKE_V1"), 0);
+  return buf;
+})();
+
+// src/precompile/secp256r1.ts
+var SIGNATURE_OFFSETS_SERIALIZED_SIZE = 14;
+var SIGNATURE_SERIALIZED_SIZE = 64;
+var COMPRESSED_PUBKEY_SERIALIZED_SIZE = 33;
+var PRECOMPILE_DATA_START = 2;
+function buildSecp256r1VerifyInstruction(publicKey, signature, message) {
+  if (publicKey.length !== COMPRESSED_PUBKEY_SERIALIZED_SIZE) {
+    throw new Error(`expected ${COMPRESSED_PUBKEY_SERIALIZED_SIZE}-byte pubkey`);
+  }
+  if (signature.length !== SIGNATURE_SERIALIZED_SIZE) {
+    throw new Error(`expected ${SIGNATURE_SERIALIZED_SIZE}-byte signature`);
+  }
+  const signatureOffset = PRECOMPILE_DATA_START + SIGNATURE_OFFSETS_SERIALIZED_SIZE;
+  const publicKeyOffset = signatureOffset + SIGNATURE_SERIALIZED_SIZE;
+  const messageOffset = publicKeyOffset + COMPRESSED_PUBKEY_SERIALIZED_SIZE;
+  const messageSize = message.length;
+  const totalLen = messageOffset + messageSize;
+  const data = Buffer.alloc(totalLen);
+  data[0] = 1;
+  data[1] = 0;
+  data.writeUInt16LE(signatureOffset, PRECOMPILE_DATA_START + 0);
+  data.writeUInt16LE(65535, PRECOMPILE_DATA_START + 2);
+  data.writeUInt16LE(publicKeyOffset, PRECOMPILE_DATA_START + 4);
+  data.writeUInt16LE(65535, PRECOMPILE_DATA_START + 6);
+  data.writeUInt16LE(messageOffset, PRECOMPILE_DATA_START + 8);
+  data.writeUInt16LE(messageSize, PRECOMPILE_DATA_START + 10);
+  data.writeUInt16LE(65535, PRECOMPILE_DATA_START + 12);
+  Buffer.from(signature).copy(data, signatureOffset);
+  Buffer.from(publicKey).copy(data, publicKeyOffset);
+  Buffer.from(message).copy(data, messageOffset);
+  return new TransactionInstruction({
+    keys: [],
+    programId: SECP256R1_PROGRAM_ID,
+    data
+  });
+}
+async function buildPrecompileMessage(clientDataJSON, authenticatorData) {
+  const subtle = globalThis.crypto?.subtle;
+  let clientDataHash;
+  if (subtle) {
+    const buf = await subtle.digest("SHA-256", clientDataJSON);
+    clientDataHash = new Uint8Array(buf);
+  } else {
+    const { createHash } = await import("crypto");
+    clientDataHash = createHash("sha256").update(clientDataJSON).digest();
+  }
+  const out = new Uint8Array(authenticatorData.length + 32);
+  out.set(authenticatorData, 0);
+  out.set(clientDataHash, authenticatorData.length);
+  return out;
+}
+
+// src/precompile/ed25519.ts
+import { TransactionInstruction as TransactionInstruction2 } from "@solana/web3.js";
+function buildEd25519VerifyInstruction(pubkey, signature, message) {
+  if (pubkey.length !== 32) throw new Error("pubkey must be 32 bytes");
+  if (signature.length !== 64) throw new Error("signature must be 64 bytes");
+  const NUM_SIG = 1;
+  const PADDING = 0;
+  const HEADER_LEN = 2;
+  const OFFSETS_LEN = 14;
+  const DATA_START = HEADER_LEN + OFFSETS_LEN;
+  const data = Buffer.alloc(DATA_START + pubkey.length + signature.length + message.length);
+  let off = 0;
+  data.writeUInt8(NUM_SIG, off);
+  off += 1;
+  data.writeUInt8(PADDING, off);
+  off += 1;
+  const pubkeyOffset = DATA_START;
+  const signatureOffset = pubkeyOffset + pubkey.length;
+  const messageOffset = signatureOffset + signature.length;
+  data.writeUInt16LE(signatureOffset, off);
+  off += 2;
+  data.writeUInt16LE(65535, off);
+  off += 2;
+  data.writeUInt16LE(pubkeyOffset, off);
+  off += 2;
+  data.writeUInt16LE(65535, off);
+  off += 2;
+  data.writeUInt16LE(messageOffset, off);
+  off += 2;
+  data.writeUInt16LE(message.length, off);
+  off += 2;
+  data.writeUInt16LE(65535, off);
+  off += 2;
+  Buffer.from(pubkey).copy(data, pubkeyOffset);
+  Buffer.from(signature).copy(data, signatureOffset);
+  Buffer.from(message).copy(data, messageOffset);
+  return new TransactionInstruction2({
+    programId: ED25519_PROGRAM_ID,
+    keys: [],
+    data
+  });
+}
+export {
+  COMPRESSED_PUBKEY_SERIALIZED_SIZE,
+  PRECOMPILE_DATA_START,
+  SIGNATURE_OFFSETS_SERIALIZED_SIZE,
+  SIGNATURE_SERIALIZED_SIZE,
+  buildEd25519VerifyInstruction,
+  buildPrecompileMessage,
+  buildSecp256r1VerifyInstruction
+};

package/dist/reader/index.cjs

@@ -0,0 +1,121 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/reader/index.ts
+var reader_exports = {};
+__export(reader_exports, {
+  readVaultFull: () => readVaultFull,
+  readVaultOnchain: () => readVaultOnchain
+});
+module.exports = __toCommonJS(reader_exports);
+
+// src/reader/accountReader.ts
+var import_web3 = require("@solana/web3.js");
+var VERSION_OFFSET = 8;
+var SWIG_ADDRESS_OFFSET = 43;
+var PENDING_VOUCHER_COUNT_OFFSET = 79;
+var PENDING_WITHDRAWAL_TAG_OFFSET = 83;
+var PENDING_WITHDRAWAL_AMOUNT_OFFSET = 84;
+var PENDING_WITHDRAWAL_DESTINATION_OFFSET = 92;
+var PENDING_WITHDRAWAL_REQUESTED_AT_OFFSET = 124;
+var PENDING_WITHDRAWAL_BODY_LEN = 48;
+var PENDING_WITHDRAWAL_BODY_START = PENDING_WITHDRAWAL_TAG_OFFSET + 1;
+var IDENTITY_CLAIM_LEN = 32;
+var PUBKEY_LEN = 32;
+var ACTIVE_SESSION_BODY_LEN = 92;
+var EMPTY_FULL = {
+  exists: false,
+  version: 0,
+  swigAddress: null,
+  dexterAuthority: null,
+  pendingVoucherCount: 0,
+  activeSession: null
+};
+async function readVaultOnchain(conn, vaultPda) {
+  const account = await conn.getAccountInfo(vaultPda, "confirmed");
+  if (!account) {
+    return { exists: false, pendingVoucherCount: 0, pendingWithdrawal: null };
+  }
+  const data = account.data;
+  const pendingVoucherCount = data.readUInt32LE(PENDING_VOUCHER_COUNT_OFFSET);
+  let pendingWithdrawal = null;
+  if (data[PENDING_WITHDRAWAL_TAG_OFFSET] === 1) {
+    pendingWithdrawal = {
+      amount: data.readBigUInt64LE(PENDING_WITHDRAWAL_AMOUNT_OFFSET).toString(),
+      destination: new import_web3.PublicKey(
+        data.subarray(
+          PENDING_WITHDRAWAL_DESTINATION_OFFSET,
+          PENDING_WITHDRAWAL_DESTINATION_OFFSET + 32
+        )
+      ).toBase58(),
+      requestedAt: Number(data.readBigInt64LE(PENDING_WITHDRAWAL_REQUESTED_AT_OFFSET))
+    };
+  }
+  return { exists: true, pendingVoucherCount, pendingWithdrawal };
+}
+async function readVaultFull(conn, vaultPda) {
+  const account = await conn.getAccountInfo(vaultPda, "confirmed");
+  if (!account) return EMPTY_FULL;
+  const data = account.data;
+  if (data.length < SWIG_ADDRESS_OFFSET + PUBKEY_LEN) return EMPTY_FULL;
+  const version = data.readUInt8(VERSION_OFFSET);
+  const swigAddress = new import_web3.PublicKey(
+    data.subarray(SWIG_ADDRESS_OFFSET, SWIG_ADDRESS_OFFSET + PUBKEY_LEN)
+  ).toBase58();
+  const pendingVoucherCount = data.readUInt32LE(PENDING_VOUCHER_COUNT_OFFSET);
+  const withdrawalTag = data[PENDING_WITHDRAWAL_TAG_OFFSET];
+  const afterWithdrawal = PENDING_WITHDRAWAL_BODY_START + (withdrawalTag === 1 ? PENDING_WITHDRAWAL_BODY_LEN : 0);
+  const dexterAuthorityOffset = afterWithdrawal + IDENTITY_CLAIM_LEN;
+  if (data.length < dexterAuthorityOffset + PUBKEY_LEN) {
+    return { ...EMPTY_FULL, exists: true, version, swigAddress, pendingVoucherCount };
+  }
+  const dexterAuthority = new import_web3.PublicKey(
+    data.subarray(dexterAuthorityOffset, dexterAuthorityOffset + PUBKEY_LEN)
+  ).toBase58();
+  const activeSessionTagOffset = dexterAuthorityOffset + PUBKEY_LEN;
+  let activeSession = null;
+  if (data.length > activeSessionTagOffset && data[activeSessionTagOffset] === 1) {
+    const bodyStart = activeSessionTagOffset + 1;
+    if (data.length >= bodyStart + ACTIVE_SESSION_BODY_LEN) {
+      activeSession = {
+        sessionPubkey: new Uint8Array(data.subarray(bodyStart, bodyStart + 32)),
+        maxAmount: data.readBigUInt64LE(bodyStart + 32),
+        expiresAt: Number(data.readBigInt64LE(bodyStart + 40)),
+        allowedCounterparty: new import_web3.PublicKey(
+          data.subarray(bodyStart + 48, bodyStart + 80)
+        ).toBase58(),
+        nonce: data.readUInt32LE(bodyStart + 80),
+        spent: data.readBigUInt64LE(bodyStart + 84)
+      };
+    }
+  }
+  return {
+    exists: true,
+    version,
+    swigAddress,
+    dexterAuthority,
+    pendingVoucherCount,
+    activeSession
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  readVaultFull,
+  readVaultOnchain
+});

package/dist/reader/index.d.cts

@@ -0,0 +1,41 @@
+import { Connection, PublicKey } from '@solana/web3.js';
+import { VaultStateFull, VaultOnchainState } from '../types.cjs';
+
+/**
+ * Vault account decoders (Anchor v2 layout).
+ *
+ * Two entry points sharing one byte layout:
+ *  - readVaultOnchain → slim {exists, pendingVoucherCount, pendingWithdrawal}
+ *  - readVaultFull    → full incl. swigAddress + dexterAuthority + activeSession
+ *
+ * v2 layout (programs/dexter-vault/src/state.rs::Vault):
+ *      0     8   discriminator
+ *      8     1   version u8 (= 2)
+ *      9     1   bump u8
+ *     10    33   passkey_pubkey
+ *     43    32   swig_address
+ *     75     4   cooling_off_seconds u32
+ *     79     4   pending_voucher_count u32
+ *     83     1   pending_withdrawal Option tag
+ *            48  pending_withdrawal body (if tag==1):
+ *                  8  amount u64
+ *                 32  destination
+ *                  8  requested_at i64
+ *    132/84  32  identity_claim    (132 if withdrawal present, else 84)
+ *    164/116 32  dexter_authority  (164 if withdrawal present, else 116)
+ *    196/148  1  active_session Option tag
+ *            92  session body (if tag==1):
+ *                32 session_pubkey
+ *                 8 max_amount u64
+ *                 8 expires_at i64
+ *                32 allowed_counterparty
+ *                 4 nonce u32
+ *                 8 spent u64
+ */
+
+/** Slim read — the shape dexter-api's existing /status routes return. */
+declare function readVaultOnchain(conn: Connection, vaultPda: PublicKey): Promise<VaultOnchainState>;
+/** Full read — adds swigAddress, dexterAuthority, activeSession. The /tab/settle path. */
+declare function readVaultFull(conn: Connection, vaultPda: PublicKey): Promise<VaultStateFull>;
+
+export { readVaultFull, readVaultOnchain };

package/dist/reader/index.d.ts

@@ -0,0 +1,41 @@
+import { Connection, PublicKey } from '@solana/web3.js';
+import { VaultStateFull, VaultOnchainState } from '../types.js';
+
+/**
+ * Vault account decoders (Anchor v2 layout).
+ *
+ * Two entry points sharing one byte layout:
+ *  - readVaultOnchain → slim {exists, pendingVoucherCount, pendingWithdrawal}
+ *  - readVaultFull    → full incl. swigAddress + dexterAuthority + activeSession
+ *
+ * v2 layout (programs/dexter-vault/src/state.rs::Vault):
+ *      0     8   discriminator
+ *      8     1   version u8 (= 2)
+ *      9     1   bump u8
+ *     10    33   passkey_pubkey
+ *     43    32   swig_address
+ *     75     4   cooling_off_seconds u32
+ *     79     4   pending_voucher_count u32
+ *     83     1   pending_withdrawal Option tag
+ *            48  pending_withdrawal body (if tag==1):
+ *                  8  amount u64
+ *                 32  destination
+ *                  8  requested_at i64
+ *    132/84  32  identity_claim    (132 if withdrawal present, else 84)
+ *    164/116 32  dexter_authority  (164 if withdrawal present, else 116)
+ *    196/148  1  active_session Option tag
+ *            92  session body (if tag==1):
+ *                32 session_pubkey
+ *                 8 max_amount u64
+ *                 8 expires_at i64
+ *                32 allowed_counterparty
+ *                 4 nonce u32
+ *                 8 spent u64
+ */
+
+/** Slim read — the shape dexter-api's existing /status routes return. */
+declare function readVaultOnchain(conn: Connection, vaultPda: PublicKey): Promise<VaultOnchainState>;
+/** Full read — adds swigAddress, dexterAuthority, activeSession. The /tab/settle path. */
+declare function readVaultFull(conn: Connection, vaultPda: PublicKey): Promise<VaultStateFull>;
+
+export { readVaultFull, readVaultOnchain };

package/dist/reader/index.js

@@ -0,0 +1,93 @@
+// src/reader/accountReader.ts
+import { PublicKey } from "@solana/web3.js";
+var VERSION_OFFSET = 8;
+var SWIG_ADDRESS_OFFSET = 43;
+var PENDING_VOUCHER_COUNT_OFFSET = 79;
+var PENDING_WITHDRAWAL_TAG_OFFSET = 83;
+var PENDING_WITHDRAWAL_AMOUNT_OFFSET = 84;
+var PENDING_WITHDRAWAL_DESTINATION_OFFSET = 92;
+var PENDING_WITHDRAWAL_REQUESTED_AT_OFFSET = 124;
+var PENDING_WITHDRAWAL_BODY_LEN = 48;
+var PENDING_WITHDRAWAL_BODY_START = PENDING_WITHDRAWAL_TAG_OFFSET + 1;
+var IDENTITY_CLAIM_LEN = 32;
+var PUBKEY_LEN = 32;
+var ACTIVE_SESSION_BODY_LEN = 92;
+var EMPTY_FULL = {
+  exists: false,
+  version: 0,
+  swigAddress: null,
+  dexterAuthority: null,
+  pendingVoucherCount: 0,
+  activeSession: null
+};
+async function readVaultOnchain(conn, vaultPda) {
+  const account = await conn.getAccountInfo(vaultPda, "confirmed");
+  if (!account) {
+    return { exists: false, pendingVoucherCount: 0, pendingWithdrawal: null };
+  }
+  const data = account.data;
+  const pendingVoucherCount = data.readUInt32LE(PENDING_VOUCHER_COUNT_OFFSET);
+  let pendingWithdrawal = null;
+  if (data[PENDING_WITHDRAWAL_TAG_OFFSET] === 1) {
+    pendingWithdrawal = {
+      amount: data.readBigUInt64LE(PENDING_WITHDRAWAL_AMOUNT_OFFSET).toString(),
+      destination: new PublicKey(
+        data.subarray(
+          PENDING_WITHDRAWAL_DESTINATION_OFFSET,
+          PENDING_WITHDRAWAL_DESTINATION_OFFSET + 32
+        )
+      ).toBase58(),
+      requestedAt: Number(data.readBigInt64LE(PENDING_WITHDRAWAL_REQUESTED_AT_OFFSET))
+    };
+  }
+  return { exists: true, pendingVoucherCount, pendingWithdrawal };
+}
+async function readVaultFull(conn, vaultPda) {
+  const account = await conn.getAccountInfo(vaultPda, "confirmed");
+  if (!account) return EMPTY_FULL;
+  const data = account.data;
+  if (data.length < SWIG_ADDRESS_OFFSET + PUBKEY_LEN) return EMPTY_FULL;
+  const version = data.readUInt8(VERSION_OFFSET);
+  const swigAddress = new PublicKey(
+    data.subarray(SWIG_ADDRESS_OFFSET, SWIG_ADDRESS_OFFSET + PUBKEY_LEN)
+  ).toBase58();
+  const pendingVoucherCount = data.readUInt32LE(PENDING_VOUCHER_COUNT_OFFSET);
+  const withdrawalTag = data[PENDING_WITHDRAWAL_TAG_OFFSET];
+  const afterWithdrawal = PENDING_WITHDRAWAL_BODY_START + (withdrawalTag === 1 ? PENDING_WITHDRAWAL_BODY_LEN : 0);
+  const dexterAuthorityOffset = afterWithdrawal + IDENTITY_CLAIM_LEN;
+  if (data.length < dexterAuthorityOffset + PUBKEY_LEN) {
+    return { ...EMPTY_FULL, exists: true, version, swigAddress, pendingVoucherCount };
+  }
+  const dexterAuthority = new PublicKey(
+    data.subarray(dexterAuthorityOffset, dexterAuthorityOffset + PUBKEY_LEN)
+  ).toBase58();
+  const activeSessionTagOffset = dexterAuthorityOffset + PUBKEY_LEN;
+  let activeSession = null;
+  if (data.length > activeSessionTagOffset && data[activeSessionTagOffset] === 1) {
+    const bodyStart = activeSessionTagOffset + 1;
+    if (data.length >= bodyStart + ACTIVE_SESSION_BODY_LEN) {
+      activeSession = {
+        sessionPubkey: new Uint8Array(data.subarray(bodyStart, bodyStart + 32)),
+        maxAmount: data.readBigUInt64LE(bodyStart + 32),
+        expiresAt: Number(data.readBigInt64LE(bodyStart + 40)),
+        allowedCounterparty: new PublicKey(
+          data.subarray(bodyStart + 48, bodyStart + 80)
+        ).toBase58(),
+        nonce: data.readUInt32LE(bodyStart + 80),
+        spent: data.readBigUInt64LE(bodyStart + 84)
+      };
+    }
+  }
+  return {
+    exists: true,
+    version,
+    swigAddress,
+    dexterAuthority,
+    pendingVoucherCount,
+    activeSession
+  };
+}
+export {
+  readVaultFull,
+  readVaultOnchain
+};

package/dist/signers/node/index.cjs

@@ -0,0 +1,62 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/signers/node/index.ts
+var node_exports = {};
+__export(node_exports, {
+  NodeEd25519Signer: () => NodeEd25519Signer
+});
+module.exports = __toCommonJS(node_exports);
+var import_tweetnacl = __toESM(require("tweetnacl"), 1);
+var NodeEd25519Signer = class {
+  keypair;
+  /**
+   * @param secretKey 32-byte seed OR 64-byte nacl secret-key buffer
+   *                  (seed || pubkey). Both shapes are accepted.
+   */
+  constructor(secretKey) {
+    if (secretKey.length === 32) {
+      this.keypair = import_tweetnacl.default.sign.keyPair.fromSeed(secretKey);
+    } else if (secretKey.length === 64) {
+      this.keypair = import_tweetnacl.default.sign.keyPair.fromSecretKey(secretKey);
+    } else {
+      throw new Error(`NodeEd25519Signer: secretKey must be 32 or 64 bytes, got ${secretKey.length}`);
+    }
+  }
+  get publicKey() {
+    return this.keypair.publicKey;
+  }
+  async sign(message) {
+    return import_tweetnacl.default.sign.detached(message, this.keypair.secretKey);
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  NodeEd25519Signer
+});

package/dist/signers/node/index.d.cts

@@ -0,0 +1,21 @@
+import { Ed25519Signer } from '../types.cjs';
+
+/**
+ * Node Ed25519 signer — wraps a secret-key seed with tweetnacl.
+ *
+ * Used by dexter-api as its dexter-authority signer (the server-held
+ * session master) and by dexter-vault tests as a deterministic stand-in.
+ */
+
+declare class NodeEd25519Signer implements Ed25519Signer {
+    private readonly keypair;
+    /**
+     * @param secretKey 32-byte seed OR 64-byte nacl secret-key buffer
+     *                  (seed || pubkey). Both shapes are accepted.
+     */
+    constructor(secretKey: Uint8Array);
+    get publicKey(): Uint8Array;
+    sign(message: Uint8Array): Promise<Uint8Array>;
+}
+
+export { NodeEd25519Signer };

package/dist/signers/node/index.d.ts

@@ -0,0 +1,21 @@
+import { Ed25519Signer } from '../types.js';
+
+/**
+ * Node Ed25519 signer — wraps a secret-key seed with tweetnacl.
+ *
+ * Used by dexter-api as its dexter-authority signer (the server-held
+ * session master) and by dexter-vault tests as a deterministic stand-in.
+ */
+
+declare class NodeEd25519Signer implements Ed25519Signer {
+    private readonly keypair;
+    /**
+     * @param secretKey 32-byte seed OR 64-byte nacl secret-key buffer
+     *                  (seed || pubkey). Both shapes are accepted.
+     */
+    constructor(secretKey: Uint8Array);
+    get publicKey(): Uint8Array;
+    sign(message: Uint8Array): Promise<Uint8Array>;
+}
+
+export { NodeEd25519Signer };

package/dist/signers/node/index.js

@@ -0,0 +1,27 @@
+// src/signers/node/index.ts
+import nacl from "tweetnacl";
+var NodeEd25519Signer = class {
+  keypair;
+  /**
+   * @param secretKey 32-byte seed OR 64-byte nacl secret-key buffer
+   *                  (seed || pubkey). Both shapes are accepted.
+   */
+  constructor(secretKey) {
+    if (secretKey.length === 32) {
+      this.keypair = nacl.sign.keyPair.fromSeed(secretKey);
+    } else if (secretKey.length === 64) {
+      this.keypair = nacl.sign.keyPair.fromSecretKey(secretKey);
+    } else {
+      throw new Error(`NodeEd25519Signer: secretKey must be 32 or 64 bytes, got ${secretKey.length}`);
+    }
+  }
+  get publicKey() {
+    return this.keypair.publicKey;
+  }
+  async sign(message) {
+    return nacl.sign.detached(message, this.keypair.secretKey);
+  }
+};
+export {
+  NodeEd25519Signer
+};

package/dist/signers/types.cjs

@@ -0,0 +1,18 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/signers/types.ts
+var types_exports = {};
+module.exports = __toCommonJS(types_exports);

package/dist/signers/types.d.cts

@@ -0,0 +1,34 @@
+/**
+ * Signer abstractions.
+ *
+ * Ed25519Signer is shipped with a Node implementation in v0.1.
+ * PasskeySigner is shipped as INTERFACE ONLY in v0.1 — the WebAuthn
+ * implementation is tracked as task #235 ("@dexterai/vault v0.2 —
+ * BrowserPasskeySigner") and must lift from dexter-fe/app/lib/passkey.ts +
+ * dexter-fe/app/lib/passkey-anon.ts. Until v0.2 ships, dexter-fe stays on
+ * its hand-rolled passkey ceremony.
+ */
+interface Ed25519Signer {
+    /** 32-byte public key. */
+    readonly publicKey: Uint8Array;
+    /** Produce a 64-byte detached signature over `message`. */
+    sign(message: Uint8Array): Promise<Uint8Array>;
+}
+interface PasskeySigner {
+    /** Opaque credential ID handed back to the platform authenticator. */
+    readonly credentialId: Uint8Array;
+    /**
+     * Run the WebAuthn assertion ceremony over `challenge` and return the
+     * three things the precompile needs.
+     *
+     * Implementation: TASK #235. dexter-fe currently ships an equivalent
+     * function in app/lib/passkey.ts (`signOperation`) — the lift target.
+     */
+    sign(challenge: Uint8Array): Promise<{
+        signature: Uint8Array;
+        clientDataJSON: Uint8Array;
+        authenticatorData: Uint8Array;
+    }>;
+}
+
+export type { Ed25519Signer, PasskeySigner };