@dexterai/vault 0.3.1 → 0.3.3

package/dist/instructions/index.cjs

@@ -43,11 +43,13 @@ __export(instructions_exports, {
   buildRevokeSessionKeyInstruction: () => buildRevokeSessionKeyInstruction,
   buildRotateDexterAuthorityInstruction: () => buildRotateDexterAuthorityInstruction,
   buildRotatePasskeyInstruction: () => buildRotatePasskeyInstruction,
+  buildSetSwigAtomicFromIdentity: () => buildSetSwigAtomicFromIdentity,
   buildSetSwigAtomicInstruction: () => buildSetSwigAtomicInstruction,
   buildSetSwigInstruction: () => buildSetSwigInstruction,
   buildSettleTabVoucherInstruction: () => buildSettleTabVoucherInstruction,
   buildSettleVoucherInstruction: () => buildSettleVoucherInstruction,
   buildSwigCreationBundle: () => buildSwigCreationBundle,
+  deriveSwigId: () => deriveSwigId,
   deriveSwigWalletAddress: () => deriveSwigWalletAddress,
   deriveVaultPda: () => deriveVaultPda,
   expectedSwigAddressFor: () => expectedSwigAddressFor,
@@ -162,389 +164,12 @@ function buildSetSwigInstruction(p) {
 }
 
 // src/instructions/setSwigAtomic.ts
-var import_web34 = require("@solana/web3.js");
-var SET_SWIG_ATOMIC_DISCRIMINATOR = new Uint8Array([
-  119,
-  111,
-  247,
-  215,
-  190,
-  3,
-  170,
-  23
-]);
-function buildSetSwigAtomicInstruction(params) {
-  if (params.swigId.length !== 32) {
-    throw new Error(`swigId must be 32 bytes, got ${params.swigId.length}`);
-  }
-  if (params.authenticatorData.length < 37) {
-    throw new Error(`authenticatorData must be at least 37 bytes`);
-  }
-  const cdj = params.clientDataJSON;
-  const ad = params.authenticatorData;
-  const dataLen = 8 + // discriminator
-  32 + // swig_id
-  1 + // swig_account_bump
-  1 + // swig_wallet_address_bump
-  32 + // dexter_master_pubkey
-  4 + cdj.length + // client_data_json (len-prefixed)
-  4 + ad.length;
-  const data = new Uint8Array(dataLen);
-  const view = new DataView(data.buffer);
-  let off = 0;
-  data.set(SET_SWIG_ATOMIC_DISCRIMINATOR, off);
-  off += 8;
-  data.set(params.swigId, off);
-  off += 32;
-  data[off++] = params.swigAccountBump;
-  data[off++] = params.swigWalletAddressBump;
-  data.set(params.dexterMasterPubkey.toBytes(), off);
-  off += 32;
-  view.setUint32(off, cdj.length, true);
-  off += 4;
-  data.set(cdj, off);
-  off += cdj.length;
-  view.setUint32(off, ad.length, true);
-  off += 4;
-  data.set(ad, off);
-  off += ad.length;
-  if (off !== dataLen) throw new Error(`internal: byte offset mismatch (${off} vs ${dataLen})`);
-  return new import_web34.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: params.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: params.feePayer, isSigner: true, isWritable: true },
-      { pubkey: params.swigAddress, isSigner: false, isWritable: true },
-      { pubkey: params.swigWalletAddress, isSigner: false, isWritable: true },
-      { pubkey: SWIG_PROGRAM_ID, isSigner: false, isWritable: false },
-      { pubkey: import_web34.SystemProgram.programId, isSigner: false, isWritable: false },
-      { pubkey: import_web34.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
-    ],
-    data: Buffer.from(data)
-  });
-}
-
-// src/instructions/registerSession.ts
 var import_web35 = require("@solana/web3.js");
-function encodeU64LE(value) {
-  const buf = new Uint8Array(8);
-  new DataView(buf.buffer).setBigUint64(0, value, true);
-  return buf;
-}
-function encodeI64LE(value) {
-  const buf = new Uint8Array(8);
-  new DataView(buf.buffer).setBigInt64(0, value, true);
-  return buf;
-}
-function encodeU32LE(value) {
-  const buf = new Uint8Array(4);
-  new DataView(buf.buffer).setUint32(0, value >>> 0, true);
-  return buf;
-}
-function encodeVecU8(bytes) {
-  const out = new Uint8Array(4 + bytes.length);
-  new DataView(out.buffer).setUint32(0, bytes.length >>> 0, true);
-  out.set(bytes, 4);
-  return out;
-}
-function concatBytes(...parts) {
-  const total = parts.reduce((n, p) => n + p.length, 0);
-  const out = new Uint8Array(total);
-  let o2 = 0;
-  for (const p of parts) {
-    out.set(p, o2);
-    o2 += p.length;
-  }
-  return out;
-}
-function buildRegisterSessionKeyInstruction(args) {
-  if (args.sessionPubkey.length !== 32) {
-    throw new Error(`sessionPubkey must be 32 bytes, got ${args.sessionPubkey.length}`);
-  }
-  const data = concatBytes(
-    DISCRIMINATORS.register_session_key,
-    args.sessionPubkey,
-    encodeU64LE(args.maxAmount),
-    encodeI64LE(args.expiresAt),
-    args.allowedCounterparty.toBytes(),
-    encodeU32LE(args.nonce),
-    encodeVecU8(args.clientDataJSON),
-    encodeVecU8(args.authenticatorData)
-  );
-  return new import_web35.TransactionInstruction({
-    keys: [
-      { pubkey: args.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: INSTRUCTIONS_SYSVAR_ID, isSigner: false, isWritable: false }
-    ],
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    data: Buffer.from(data)
-  });
-}
-
-// src/instructions/revokeSession.ts
-var import_web36 = require("@solana/web3.js");
-function encodeVecU82(bytes) {
-  const out = new Uint8Array(4 + bytes.length);
-  new DataView(out.buffer).setUint32(0, bytes.length >>> 0, true);
-  out.set(bytes, 4);
-  return out;
-}
-function concatBytes2(...parts) {
-  const total = parts.reduce((n, p) => n + p.length, 0);
-  const out = new Uint8Array(total);
-  let o2 = 0;
-  for (const p of parts) {
-    out.set(p, o2);
-    o2 += p.length;
-  }
-  return out;
-}
-function buildRevokeSessionKeyInstruction(args) {
-  const data = concatBytes2(
-    DISCRIMINATORS.revoke_session_key,
-    encodeVecU82(args.clientDataJSON),
-    encodeVecU82(args.authenticatorData)
-  );
-  return new import_web36.TransactionInstruction({
-    keys: [
-      { pubkey: args.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: INSTRUCTIONS_SYSVAR_ID, isSigner: false, isWritable: false }
-    ],
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    data: Buffer.from(data)
-  });
-}
-
-// src/instructions/settleVoucher.ts
-var import_web37 = require("@solana/web3.js");
-function encodeU64(value) {
-  const out = Buffer.alloc(8);
-  out.writeBigUInt64LE(value, 0);
-  return out;
-}
-function encodeBool(value) {
-  return Buffer.from([value ? 1 : 0]);
-}
-function buildSettleVoucherInstruction(p) {
-  const argsBuf = Buffer.concat([encodeU64(p.amount), encodeBool(p.increment)]);
-  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.settle_voucher), argsBuf]);
-  return new import_web37.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: p.dexterAuthority, isSigner: true, isWritable: false }
-    ],
-    data
-  });
-}
-
-// src/instructions/settleTabVoucher.ts
-var import_web39 = require("@solana/web3.js");
 
-// src/instructions/withdraw.ts
-var import_web38 = require("@solana/web3.js");
-function encodeBytesVec2(buf) {
-  const out = Buffer.alloc(4 + buf.length);
-  out.writeUInt32LE(buf.length, 0);
-  Buffer.from(buf).copy(out, 4);
-  return out;
-}
-function encodeU642(value) {
-  const out = Buffer.alloc(8);
-  out.writeBigUInt64LE(value, 0);
-  return out;
-}
-function encodeI64(value) {
-  const out = Buffer.alloc(8);
-  out.writeBigInt64LE(value, 0);
-  return out;
-}
-function encodePubkey2(key) {
-  return Buffer.from(key.toBytes());
-}
-function deriveSwigWalletAddress(swigAddress) {
-  const [pda] = import_web38.PublicKey.findProgramAddressSync(
-    [Buffer.from("swig-wallet-address"), swigAddress.toBuffer()],
-    SWIG_PROGRAM_ID
-  );
-  return pda;
-}
-function buildRequestWithdrawalInstruction(p) {
-  const argsBuf = Buffer.concat([
-    encodeU642(p.amount),
-    encodePubkey2(p.destination),
-    encodeI64(p.signedAt),
-    encodeBytesVec2(p.clientDataJSON),
-    encodeBytesVec2(p.authenticatorData)
-  ]);
-  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.request_withdrawal), argsBuf]);
-  return new import_web38.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: import_web38.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
-    ],
-    data
-  });
-}
-function buildFinalizeWithdrawalInstruction(p) {
-  const argsBuf = Buffer.concat([
-    encodeBytesVec2(p.clientDataJSON),
-    encodeBytesVec2(p.authenticatorData)
-  ]);
-  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.finalize_withdrawal), argsBuf]);
-  const swigWalletAddress = deriveSwigWalletAddress(p.swigAddress);
-  return new import_web38.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.swigAddress, isSigner: false, isWritable: false },
-      { pubkey: swigWalletAddress, isSigner: false, isWritable: false },
-      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: import_web38.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
-    ],
-    data
-  });
-}
-function buildForceReleaseInstruction(p) {
-  const argsBuf = Buffer.concat([
-    encodeBytesVec2(p.clientDataJSON),
-    encodeBytesVec2(p.authenticatorData)
-  ]);
-  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.force_release), argsBuf]);
-  return new import_web38.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: import_web38.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
-    ],
-    data
-  });
-}
-
-// src/instructions/settleTabVoucher.ts
-function encodeFixedBytes2(buf, len) {
-  if (buf.length !== len) {
-    throw new Error(`expected ${len} bytes, got ${buf.length}`);
-  }
-  return Buffer.from(buf);
-}
-function encodeU643(value) {
-  const out = Buffer.alloc(8);
-  out.writeBigUInt64LE(value, 0);
-  return out;
-}
-function encodeU322(value) {
-  const out = Buffer.alloc(4);
-  out.writeUInt32LE(value >>> 0, 0);
-  return out;
-}
-function buildSettleTabVoucherInstruction(p) {
-  if (p.channelId.length !== 32) {
-    throw new Error(`channelId must be 32 bytes, got ${p.channelId.length}`);
-  }
-  const argsBuf = Buffer.concat([
-    encodeFixedBytes2(p.channelId, 32),
-    encodeU643(p.cumulativeAmount),
-    encodeU322(p.sequenceNumber)
-  ]);
-  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.settle_tab_voucher), argsBuf]);
-  const swigWalletAddress = deriveSwigWalletAddress(p.swigAddress);
-  return new import_web39.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.swigAddress, isSigner: false, isWritable: false },
-      { pubkey: swigWalletAddress, isSigner: false, isWritable: false },
-      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: p.dexterAuthority, isSigner: true, isWritable: false },
-      { pubkey: import_web39.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
-    ],
-    data
-  });
-}
-
-// src/instructions/rotate.ts
-var import_web310 = require("@solana/web3.js");
-function encodeBytesVec3(buf) {
-  const out = Buffer.alloc(4 + buf.length);
-  out.writeUInt32LE(buf.length, 0);
-  Buffer.from(buf).copy(out, 4);
-  return out;
-}
-function encodeFixedBytes3(buf, len) {
-  if (buf.length !== len) {
-    throw new Error(`expected ${len} bytes, got ${buf.length}`);
-  }
-  return Buffer.from(buf);
-}
-function encodePubkey3(key) {
-  return Buffer.from(key.toBytes());
-}
-function buildRotatePasskeyInstruction(p) {
-  const argsBuf = Buffer.concat([
-    encodeFixedBytes3(p.newPasskeyPubkey, 33),
-    encodeBytesVec3(p.clientDataJSON),
-    encodeBytesVec3(p.authenticatorData)
-  ]);
-  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.rotate_passkey), argsBuf]);
-  return new import_web310.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: import_web310.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
-    ],
-    data
-  });
-}
-function buildRotateDexterAuthorityInstruction(p) {
-  const data = Buffer.concat([
-    Buffer.from(DISCRIMINATORS.rotate_dexter_authority),
-    encodePubkey3(p.newDexterAuthority)
-  ]);
-  return new import_web310.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
-      { pubkey: p.currentDexterAuthority, isSigner: true, isWritable: false }
-    ],
-    data
-  });
-}
-
-// src/instructions/provePasskey.ts
-var import_web311 = require("@solana/web3.js");
-function encodeBytesVec4(buf) {
-  const out = Buffer.alloc(4 + buf.length);
-  out.writeUInt32LE(buf.length, 0);
-  Buffer.from(buf).copy(out, 4);
-  return out;
-}
-function encodeFixedBytes4(buf, len) {
-  if (buf.length !== len) {
-    throw new Error(`expected ${len} bytes, got ${buf.length}`);
-  }
-  return Buffer.from(buf);
-}
-function buildProvePasskeyInstruction(p) {
-  const argsBuf = Buffer.concat([
-    encodeFixedBytes4(p.challenge, 32),
-    encodeBytesVec4(p.clientDataJSON),
-    encodeBytesVec4(p.authenticatorData)
-  ]);
-  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.prove_passkey), argsBuf]);
-  return new import_web311.TransactionInstruction({
-    programId: DEXTER_VAULT_PROGRAM_ID,
-    keys: [
-      { pubkey: p.vaultPda, isSigner: false, isWritable: false },
-      { pubkey: import_web311.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
-    ],
-    data
-  });
-}
-
-// src/instructions/swigBundle.ts
-var import_node_crypto = require("crypto");
-var import_kit = require("@swig-wallet/kit");
-var import_lib = require("@swig-wallet/lib");
+// src/instructions/swigBundle.ts
+var import_node_crypto = require("crypto");
+var import_kit = require("@swig-wallet/kit");
+var import_lib = require("@swig-wallet/lib");
 
 // node_modules/@solana/addresses/node_modules/@solana/errors/dist/index.node.mjs
 var SOLANA_ERROR__BLOCK_HEIGHT_EXCEEDED = 1;
@@ -4412,650 +4037,1054 @@ var SolanaErrorMessages5 = {
   [SOLANA_ERROR__TRANSACTION__SIGNATURES_MISSING5]: "Transaction is missing signatures for addresses: $addresses.",
   [SOLANA_ERROR__TRANSACTION__VERSION_NUMBER_OUT_OF_RANGE5]: "Transaction version must be in the range [0, 127]. `$actualVersion` given"
 };
-var START_INDEX5 = "i";
-var TYPE5 = "t";
-function getHumanReadableErrorMessage5(code, context = {}) {
-  const messageFormatString = SolanaErrorMessages5[code];
-  if (messageFormatString.length === 0) {
-    return "";
+var START_INDEX5 = "i";
+var TYPE5 = "t";
+function getHumanReadableErrorMessage5(code, context = {}) {
+  const messageFormatString = SolanaErrorMessages5[code];
+  if (messageFormatString.length === 0) {
+    return "";
+  }
+  let state;
+  function commitStateUpTo(endIndex) {
+    if (state[TYPE5] === 2) {
+      const variableName = messageFormatString.slice(state[START_INDEX5] + 1, endIndex);
+      fragments.push(
+        variableName in context ? (
+          // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+          `${context[variableName]}`
+        ) : `$${variableName}`
+      );
+    } else if (state[TYPE5] === 1) {
+      fragments.push(messageFormatString.slice(state[START_INDEX5], endIndex));
+    }
+  }
+  const fragments = [];
+  messageFormatString.split("").forEach((char, ii) => {
+    if (ii === 0) {
+      state = {
+        [START_INDEX5]: 0,
+        [TYPE5]: messageFormatString[0] === "\\" ? 0 : messageFormatString[0] === "$" ? 2 : 1
+        /* Text */
+      };
+      return;
+    }
+    let nextState;
+    switch (state[TYPE5]) {
+      case 0:
+        nextState = {
+          [START_INDEX5]: ii,
+          [TYPE5]: 1
+          /* Text */
+        };
+        break;
+      case 1:
+        if (char === "\\") {
+          nextState = {
+            [START_INDEX5]: ii,
+            [TYPE5]: 0
+            /* EscapeSequence */
+          };
+        } else if (char === "$") {
+          nextState = {
+            [START_INDEX5]: ii,
+            [TYPE5]: 2
+            /* Variable */
+          };
+        }
+        break;
+      case 2:
+        if (char === "\\") {
+          nextState = {
+            [START_INDEX5]: ii,
+            [TYPE5]: 0
+            /* EscapeSequence */
+          };
+        } else if (char === "$") {
+          nextState = {
+            [START_INDEX5]: ii,
+            [TYPE5]: 2
+            /* Variable */
+          };
+        } else if (!char.match(/\w/)) {
+          nextState = {
+            [START_INDEX5]: ii,
+            [TYPE5]: 1
+            /* Text */
+          };
+        }
+        break;
+    }
+    if (nextState) {
+      if (state !== nextState) {
+        commitStateUpTo(ii);
+      }
+      state = nextState;
+    }
+  });
+  commitStateUpTo();
+  return fragments.join("");
+}
+function getErrorMessage5(code, context = {}) {
+  if (process.env.NODE_ENV !== "production") {
+    return getHumanReadableErrorMessage5(code, context);
+  } else {
+    let decodingAdviceMessage = `Solana error #${code}; Decode this error by running \`npx @solana/errors decode -- ${code}`;
+    if (Object.keys(context).length) {
+      decodingAdviceMessage += ` '${encodeContextObject5(context)}'`;
+    }
+    return `${decodingAdviceMessage}\``;
+  }
+}
+var SolanaError5 = class extends Error {
+  /**
+   * Indicates the root cause of this {@link SolanaError}, if any.
+   *
+   * For example, a transaction error might have an instruction error as its root cause. In this
+   * case, you will be able to access the instruction error on the transaction error as `cause`.
+   */
+  cause = this.cause;
+  /**
+   * Contains context that can assist in understanding or recovering from a {@link SolanaError}.
+   */
+  context;
+  constructor(...[code, contextAndErrorOptions]) {
+    let context;
+    let errorOptions;
+    if (contextAndErrorOptions) {
+      const { cause, ...contextRest } = contextAndErrorOptions;
+      if (cause) {
+        errorOptions = { cause };
+      }
+      if (Object.keys(contextRest).length > 0) {
+        context = contextRest;
+      }
+    }
+    const message = getErrorMessage5(code, context);
+    super(message, errorOptions);
+    this.context = {
+      __code: code,
+      ...context
+    };
+    this.name = "SolanaError";
+  }
+};
+
+// node_modules/@solana/rpc-transport-http/dist/index.node.mjs
+var DISALLOWED_HEADERS = {
+  accept: true,
+  "content-length": true,
+  "content-type": true
+};
+var FORBIDDEN_HEADERS = /* @__PURE__ */ Object.assign(
+  {
+    "accept-charset": true,
+    "access-control-request-headers": true,
+    "access-control-request-method": true,
+    connection: true,
+    "content-length": true,
+    cookie: true,
+    date: true,
+    dnt: true,
+    expect: true,
+    host: true,
+    "keep-alive": true,
+    origin: true,
+    "permissions-policy": true,
+    // Prefix matching is implemented in code, below.
+    // 'proxy-': true,
+    // 'sec-': true,
+    referer: true,
+    te: true,
+    trailer: true,
+    "transfer-encoding": true,
+    upgrade: true,
+    via: true
+  },
+  void 0
+);
+function assertIsAllowedHttpRequestHeaders(headers) {
+  const badHeaders = Object.keys(headers).filter((headerName) => {
+    const lowercaseHeaderName = headerName.toLowerCase();
+    return DISALLOWED_HEADERS[headerName.toLowerCase()] === true || FORBIDDEN_HEADERS[headerName.toLowerCase()] === true || lowercaseHeaderName.startsWith("proxy-") || lowercaseHeaderName.startsWith("sec-");
+  });
+  if (badHeaders.length > 0) {
+    throw new SolanaError5(SOLANA_ERROR__RPC__TRANSPORT_HTTP_HEADER_FORBIDDEN5, {
+      headers: badHeaders
+    });
+  }
+}
+function normalizeHeaders(headers) {
+  const out = {};
+  for (const headerName in headers) {
+    out[headerName.toLowerCase()] = headers[headerName];
+  }
+  return out;
+}
+function createHttpTransport(config) {
+  if (process.env.NODE_ENV !== "production" && false) ;
+  const { fromJson, headers, toJson, url } = config;
+  if (process.env.NODE_ENV !== "production" && headers) {
+    assertIsAllowedHttpRequestHeaders(headers);
+  }
+  let dispatcherConfig;
+  if ("dispatcher_NODE_ONLY" in config) {
+    dispatcherConfig = { dispatcher: config.dispatcher_NODE_ONLY };
+  }
+  const customHeaders = headers && normalizeHeaders(headers);
+  return async function makeHttpRequest({
+    payload,
+    signal
+  }) {
+    const body = toJson ? toJson(payload) : JSON.stringify(payload);
+    const requestInfo = {
+      ...dispatcherConfig,
+      body,
+      headers: {
+        ...customHeaders,
+        // Keep these headers lowercase so they will override any user-supplied headers above.
+        accept: "application/json",
+        "content-length": body.length.toString(),
+        "content-type": "application/json; charset=utf-8"
+      },
+      method: "POST",
+      signal
+    };
+    const response = await fetch(url, requestInfo);
+    if (!response.ok) {
+      throw new SolanaError5(SOLANA_ERROR__RPC__TRANSPORT_HTTP_ERROR5, {
+        headers: response.headers,
+        message: response.statusText,
+        statusCode: response.status
+      });
+    }
+    if (fromJson) {
+      return fromJson(await response.text(), payload);
+    }
+    return await response.json();
+  };
+}
+var SOLANA_RPC_METHODS = [
+  "getAccountInfo",
+  "getBalance",
+  "getBlock",
+  "getBlockCommitment",
+  "getBlockHeight",
+  "getBlockProduction",
+  "getBlocks",
+  "getBlocksWithLimit",
+  "getBlockTime",
+  "getClusterNodes",
+  "getEpochInfo",
+  "getEpochSchedule",
+  "getFeeForMessage",
+  "getFirstAvailableBlock",
+  "getGenesisHash",
+  "getHealth",
+  "getHighestSnapshotSlot",
+  "getIdentity",
+  "getInflationGovernor",
+  "getInflationRate",
+  "getInflationReward",
+  "getLargestAccounts",
+  "getLatestBlockhash",
+  "getLeaderSchedule",
+  "getMaxRetransmitSlot",
+  "getMaxShredInsertSlot",
+  "getMinimumBalanceForRentExemption",
+  "getMultipleAccounts",
+  "getProgramAccounts",
+  "getRecentPerformanceSamples",
+  "getRecentPrioritizationFees",
+  "getSignaturesForAddress",
+  "getSignatureStatuses",
+  "getSlot",
+  "getSlotLeader",
+  "getSlotLeaders",
+  "getStakeMinimumDelegation",
+  "getSupply",
+  "getTokenAccountBalance",
+  "getTokenAccountsByDelegate",
+  "getTokenAccountsByOwner",
+  "getTokenLargestAccounts",
+  "getTokenSupply",
+  "getTransaction",
+  "getTransactionCount",
+  "getVersion",
+  "getVoteAccounts",
+  "index",
+  "isBlockhashValid",
+  "minimumLedgerSlot",
+  "requestAirdrop",
+  "sendTransaction",
+  "simulateTransaction"
+];
+function isSolanaRequest(payload) {
+  return isJsonRpcPayload(payload) && SOLANA_RPC_METHODS.includes(payload.method);
+}
+function createHttpTransportForSolanaRpc(config) {
+  return createHttpTransport({
+    ...config,
+    fromJson: (rawResponse, payload) => isSolanaRequest(payload) ? parseJsonWithBigInts(rawResponse) : JSON.parse(rawResponse),
+    toJson: (payload) => isSolanaRequest(payload) ? stringifyJsonWithBigints(payload) : JSON.stringify(payload)
+  });
+}
+
+// node_modules/@solana/rpc/dist/index.node.mjs
+var import_events = require("events");
+
+// node_modules/@solana/fast-stable-stringify/dist/index.node.mjs
+var objToString = Object.prototype.toString;
+var objKeys = Object.keys || function(obj) {
+  const keys = [];
+  for (const name in obj) {
+    keys.push(name);
+  }
+  return keys;
+};
+function stringify(val, isArrayProp) {
+  let i, max, str, keys, key, propVal, toStr;
+  if (val === true) {
+    return "true";
+  }
+  if (val === false) {
+    return "false";
+  }
+  switch (typeof val) {
+    case "object":
+      if (val === null) {
+        return null;
+      } else if ("toJSON" in val && typeof val.toJSON === "function") {
+        return stringify(val.toJSON(), isArrayProp);
+      } else {
+        toStr = objToString.call(val);
+        if (toStr === "[object Array]") {
+          str = "[";
+          max = val.length - 1;
+          for (i = 0; i < max; i++) {
+            str += stringify(val[i], true) + ",";
+          }
+          if (max > -1) {
+            str += stringify(val[i], true);
+          }
+          return str + "]";
+        } else if (toStr === "[object Object]") {
+          keys = objKeys(val).sort();
+          max = keys.length;
+          str = "";
+          i = 0;
+          while (i < max) {
+            key = keys[i];
+            propVal = stringify(val[key], false);
+            if (propVal !== void 0) {
+              if (str) {
+                str += ",";
+              }
+              str += JSON.stringify(key) + ":" + propVal;
+            }
+            i++;
+          }
+          return "{" + str + "}";
+        } else {
+          return JSON.stringify(val);
+        }
+      }
+    case "function":
+    case "undefined":
+      return isArrayProp ? null : void 0;
+    case "bigint":
+      return `${val.toString()}n`;
+    case "string":
+      return JSON.stringify(val);
+    default:
+      return isFinite(val) ? val : null;
+  }
+}
+function index_default(val) {
+  const returnVal = stringify(val, false);
+  if (returnVal !== void 0) {
+    return "" + returnVal;
+  }
+}
+
+// node_modules/@solana/rpc/dist/index.node.mjs
+function createSolanaJsonRpcIntegerOverflowError(methodName, keyPath, value) {
+  let argumentLabel = "";
+  if (typeof keyPath[0] === "number") {
+    const argPosition = keyPath[0] + 1;
+    const lastDigit = argPosition % 10;
+    const lastTwoDigits = argPosition % 100;
+    if (lastDigit == 1 && lastTwoDigits != 11) {
+      argumentLabel = argPosition + "st";
+    } else if (lastDigit == 2 && lastTwoDigits != 12) {
+      argumentLabel = argPosition + "nd";
+    } else if (lastDigit == 3 && lastTwoDigits != 13) {
+      argumentLabel = argPosition + "rd";
+    } else {
+      argumentLabel = argPosition + "th";
+    }
+  } else {
+    argumentLabel = `\`${keyPath[0].toString()}\``;
+  }
+  const path = keyPath.length > 1 ? keyPath.slice(1).map((pathPart) => typeof pathPart === "number" ? `[${pathPart}]` : pathPart).join(".") : void 0;
+  const error = new SolanaError4(SOLANA_ERROR__RPC__INTEGER_OVERFLOW4, {
+    argumentLabel,
+    keyPath,
+    methodName,
+    optionalPathLabel: path ? ` at path \`${path}\`` : "",
+    value,
+    ...path !== void 0 ? { path } : void 0
+  });
+  safeCaptureStackTrace2(error, createSolanaJsonRpcIntegerOverflowError);
+  return error;
+}
+var DEFAULT_RPC_CONFIG = {
+  defaultCommitment: "confirmed",
+  onIntegerOverflow(request, keyPath, value) {
+    throw createSolanaJsonRpcIntegerOverflowError(request.methodName, keyPath, value);
+  }
+};
+var e2 = class extends globalThis.AbortController {
+  constructor(...t) {
+    super(...t), (0, import_events.setMaxListeners)(Number.MAX_SAFE_INTEGER, this.signal);
   }
-  let state;
-  function commitStateUpTo(endIndex) {
-    if (state[TYPE5] === 2) {
-      const variableName = messageFormatString.slice(state[START_INDEX5] + 1, endIndex);
-      fragments.push(
-        variableName in context ? (
-          // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
-          `${context[variableName]}`
-        ) : `$${variableName}`
-      );
-    } else if (state[TYPE5] === 1) {
-      fragments.push(messageFormatString.slice(state[START_INDEX5], endIndex));
+};
+var EXPLICIT_ABORT_TOKEN;
+function createExplicitAbortToken() {
+  return process.env.NODE_ENV !== "production" ? {
+    EXPLICIT_ABORT_TOKEN: "This object is thrown from the request that underlies a series of coalesced requests when the last request in that series aborts"
+  } : {};
+}
+function getRpcTransportWithRequestCoalescing(transport, getDeduplicationKey) {
+  let coalescedRequestsByDeduplicationKey;
+  return async function makeCoalescedHttpRequest(request) {
+    const { payload, signal } = request;
+    const deduplicationKey = getDeduplicationKey(payload);
+    if (deduplicationKey === void 0) {
+      return await transport(request);
+    }
+    if (!coalescedRequestsByDeduplicationKey) {
+      queueMicrotask(() => {
+        coalescedRequestsByDeduplicationKey = void 0;
+      });
+      coalescedRequestsByDeduplicationKey = {};
+    }
+    if (coalescedRequestsByDeduplicationKey[deduplicationKey] == null) {
+      const abortController = new e2();
+      const responsePromise = (async () => {
+        try {
+          return await transport({
+            ...request,
+            signal: abortController.signal
+          });
+        } catch (e22) {
+          if (e22 === (EXPLICIT_ABORT_TOKEN ||= createExplicitAbortToken())) {
+            return;
+          }
+          throw e22;
+        }
+      })();
+      coalescedRequestsByDeduplicationKey[deduplicationKey] = {
+        abortController,
+        numConsumers: 0,
+        responsePromise
+      };
+    }
+    const coalescedRequest = coalescedRequestsByDeduplicationKey[deduplicationKey];
+    coalescedRequest.numConsumers++;
+    if (signal) {
+      const responsePromise = coalescedRequest.responsePromise;
+      return await new Promise((resolve, reject) => {
+        const handleAbort = (e22) => {
+          signal.removeEventListener("abort", handleAbort);
+          coalescedRequest.numConsumers -= 1;
+          queueMicrotask(() => {
+            if (coalescedRequest.numConsumers === 0) {
+              const abortController = coalescedRequest.abortController;
+              abortController.abort(EXPLICIT_ABORT_TOKEN ||= createExplicitAbortToken());
+            }
+          });
+          reject(e22.target.reason);
+        };
+        signal.addEventListener("abort", handleAbort);
+        responsePromise.then(resolve).catch(reject).finally(() => {
+          signal.removeEventListener("abort", handleAbort);
+        });
+      });
+    } else {
+      return await coalescedRequest.responsePromise;
     }
+  };
+}
+function getSolanaRpcPayloadDeduplicationKey(payload) {
+  return isJsonRpcPayload(payload) ? index_default([payload.method, payload.params]) : void 0;
+}
+function normalizeHeaders2(headers) {
+  const out = {};
+  for (const headerName in headers) {
+    out[headerName.toLowerCase()] = headers[headerName];
+  }
+  return out;
+}
+function createDefaultRpcTransport(config) {
+  return pipe(
+    createHttpTransportForSolanaRpc({
+      ...config,
+      headers: {
+        ...{
+          // Keep these headers lowercase so they will be overridden by any user-supplied headers below.
+          "accept-encoding": (
+            // Natively supported by Node LTS v20.18.0 and above.
+            "br,gzip,deflate"
+          )
+          // Brotli, gzip, and Deflate, in that order.
+        },
+        ...config.headers ? normalizeHeaders2(config.headers) : void 0,
+        ...{
+          // Keep these headers lowercase so they will override any user-supplied headers above.
+          "solana-client": `js/${"2.3.0"}`
+        }
+      }
+    }),
+    (transport) => getRpcTransportWithRequestCoalescing(transport, getSolanaRpcPayloadDeduplicationKey)
+  );
+}
+function createSolanaRpc(clusterUrl, config) {
+  return createSolanaRpcFromTransport(createDefaultRpcTransport({ url: clusterUrl, ...config }));
+}
+function createSolanaRpcFromTransport(transport) {
+  return createRpc({
+    api: createSolanaRpcApi(DEFAULT_RPC_CONFIG),
+    transport
+  });
+}
+
+// src/instructions/swigBundle.ts
+var bs58Module = __toESM(require("bs58"), 1);
+var import_web34 = require("@solana/web3.js");
+var bs58 = bs58Module.default ?? bs58Module;
+var SWIG_ID_DOMAIN = "dexter-swig-id:v1:";
+var DEFAULT_SESSION_TTL_SECONDS = BigInt(30 * 24 * 60 * 60);
+var DEFAULT_SPEND_LIMIT_ATOMIC = BigInt(1e9);
+var SWIG_PROGRAM_EXEC_PREFIX = new Uint8Array([
+  178,
+  87,
+  206,
+  68,
+  201,
+  186,
+  164,
+  232
+]);
+var SWIG_PROGRAM_EXEC_PREFIX_SETTLE_TAB = new Uint8Array([
+  173,
+  22,
+  98,
+  31,
+  110,
+  129,
+  59,
+  161
+]);
+var SWIG_PROGRAM_EXEC_MARKERS = [
+  SWIG_PROGRAM_EXEC_PREFIX,
+  SWIG_PROGRAM_EXEC_PREFIX_SETTLE_TAB
+];
+function deriveSwigId(identitySeed, hmacKey) {
+  if (hmacKey.length !== 32) {
+    throw new Error(`hmacKey must be 32 bytes, got ${hmacKey.length}`);
   }
-  const fragments = [];
-  messageFormatString.split("").forEach((char, ii) => {
-    if (ii === 0) {
-      state = {
-        [START_INDEX5]: 0,
-        [TYPE5]: messageFormatString[0] === "\\" ? 0 : messageFormatString[0] === "$" ? 2 : 1
-        /* Text */
-      };
-      return;
-    }
-    let nextState;
-    switch (state[TYPE5]) {
-      case 0:
-        nextState = {
-          [START_INDEX5]: ii,
-          [TYPE5]: 1
-          /* Text */
+  return (0, import_node_crypto.createHmac)("sha256", Buffer.from(hmacKey)).update(SWIG_ID_DOMAIN).update(Buffer.from(identitySeed)).digest();
+}
+async function buildSwigCreationBundle(params) {
+  const {
+    feePayer,
+    dexterMasterPubkey,
+    identitySeed,
+    hmacKey,
+    sessionTtlSeconds = DEFAULT_SESSION_TTL_SECONDS,
+    spendLimitAtomic = DEFAULT_SPEND_LIMIT_ATOMIC
+  } = params;
+  const swigId = deriveSwigId(identitySeed, hmacKey);
+  const swigPda = await (0, import_kit.findSwigPda)(swigId);
+  const swigAddressStr = String(swigPda);
+  const feePayerBytes = bs58.decode(feePayer);
+  const vaultProgramIdBytes = Uint8Array.from(DEXTER_VAULT_PROGRAM_ID.toBytes());
+  const dexterPubkeyBytes = bs58.decode(dexterMasterPubkey);
+  const bootstrapAuthorityInfo = (0, import_lib.createEd25519AuthorityInfo)(feePayerBytes);
+  const bootstrapActions = import_lib.Actions.set().manageAuthority().get();
+  const vaultAuthorityInfo = (0, import_lib.createProgramExecAuthorityInfo)(
+    vaultProgramIdBytes,
+    SWIG_PROGRAM_EXEC_PREFIX
+  );
+  const vaultActions = import_lib.Actions.set().all().get();
+  const vaultTabSettleAuthorityInfo = (0, import_lib.createProgramExecAuthorityInfo)(
+    vaultProgramIdBytes,
+    SWIG_PROGRAM_EXEC_PREFIX_SETTLE_TAB
+  );
+  const vaultTabSettleActions = import_lib.Actions.set().all().get();
+  const sessionAuthorityInfo = (0, import_lib.createEd25519SessionAuthorityInfo)(
+    dexterPubkeyBytes,
+    sessionTtlSeconds
+  );
+  const sessionActions = import_lib.Actions.set().tokenLimit({ mint: bs58.decode(USDC_MAINNET), amount: spendLimitAtomic }).programAll().get();
+  const builder = (0, import_lib.getCreateSwigWithMultipleAuthoritiesInstructionContextBuilder)({
+    payer: address(feePayer),
+    swigAddress: address(swigAddressStr),
+    id: swigId,
+    actions: bootstrapActions,
+    authorityInfo: bootstrapAuthorityInfo,
+    options: {}
+  }).addAuthority(vaultAuthorityInfo, vaultActions).addAuthority(sessionAuthorityInfo, sessionActions).addAuthority(vaultTabSettleAuthorityInfo, vaultTabSettleActions);
+  const contexts = await builder.getInstructionContexts();
+  const instructions = contexts.flatMap((ctx) => (0, import_kit.getInstructionsFromContext)(ctx));
+  return {
+    swigAddress: swigAddressStr,
+    swigIdBase58: bs58.encode(swigId),
+    instructions
+  };
+}
+async function expectedSwigAddressFor(identitySeed, hmacKey) {
+  const swigId = deriveSwigId(identitySeed, hmacKey);
+  return String(await (0, import_kit.findSwigPda)(swigId));
+}
+async function verifySwigIsOurs(params) {
+  const { swigAddress, identitySeed, hmacKey, dexterMasterPubkey, rpcEndpoint } = params;
+  const expected = await expectedSwigAddressFor(identitySeed, hmacKey);
+  if (swigAddress !== expected) {
+    return {
+      ok: false,
+      reason: `swig_address_mismatch: expected ${expected}, got ${swigAddress}`
+    };
+  }
+  try {
+    const rpc = createSolanaRpc(rpcEndpoint);
+    const swig = await (0, import_kit.fetchNullableSwig)(rpc, address(swigAddress));
+    if (swig) {
+      const ourRoles = swig.findRolesByAuthorityAddress(bs58.decode(dexterMasterPubkey));
+      if (!ourRoles || ourRoles.length === 0) {
+        return {
+          ok: false,
+          reason: "swig_missing_session_master_role"
         };
-        break;
-      case 1:
-        if (char === "\\") {
-          nextState = {
-            [START_INDEX5]: ii,
-            [TYPE5]: 0
-            /* EscapeSequence */
-          };
-        } else if (char === "$") {
-          nextState = {
-            [START_INDEX5]: ii,
-            [TYPE5]: 2
-            /* Variable */
-          };
-        }
-        break;
-      case 2:
-        if (char === "\\") {
-          nextState = {
-            [START_INDEX5]: ii,
-            [TYPE5]: 0
-            /* EscapeSequence */
-          };
-        } else if (char === "$") {
-          nextState = {
-            [START_INDEX5]: ii,
-            [TYPE5]: 2
-            /* Variable */
-          };
-        } else if (!char.match(/\w/)) {
-          nextState = {
-            [START_INDEX5]: ii,
-            [TYPE5]: 1
-            /* Text */
-          };
-        }
-        break;
-    }
-    if (nextState) {
-      if (state !== nextState) {
-        commitStateUpTo(ii);
       }
-      state = nextState;
     }
+  } catch {
+  }
+  return { ok: true };
+}
+function deriveVaultPda(supabaseUserId) {
+  if (supabaseUserId.length !== 16) {
+    throw new Error("supabaseUserId must be 16 bytes (UUID v4)");
+  }
+  const [pda, bump] = import_web34.PublicKey.findProgramAddressSync(
+    [Buffer.from("vault"), Buffer.from(supabaseUserId)],
+    DEXTER_VAULT_PROGRAM_ID
+  );
+  return { pda, bump };
+}
+
+// src/instructions/setSwigAtomic.ts
+var SET_SWIG_ATOMIC_DISCRIMINATOR = new Uint8Array([
+  119,
+  111,
+  247,
+  215,
+  190,
+  3,
+  170,
+  23
+]);
+function buildSetSwigAtomicInstruction(params) {
+  if (params.swigId.length !== 32) {
+    throw new Error(`swigId must be 32 bytes, got ${params.swigId.length}`);
+  }
+  if (params.authenticatorData.length < 37) {
+    throw new Error(`authenticatorData must be at least 37 bytes`);
+  }
+  const cdj = params.clientDataJSON;
+  const ad = params.authenticatorData;
+  const dataLen = 8 + // discriminator
+  32 + // swig_id
+  1 + // swig_account_bump
+  1 + // swig_wallet_address_bump
+  32 + // dexter_master_pubkey
+  4 + cdj.length + // client_data_json (len-prefixed)
+  4 + ad.length;
+  const data = new Uint8Array(dataLen);
+  const view = new DataView(data.buffer);
+  let off = 0;
+  data.set(SET_SWIG_ATOMIC_DISCRIMINATOR, off);
+  off += 8;
+  data.set(params.swigId, off);
+  off += 32;
+  data[off++] = params.swigAccountBump;
+  data[off++] = params.swigWalletAddressBump;
+  data.set(params.dexterMasterPubkey.toBytes(), off);
+  off += 32;
+  view.setUint32(off, cdj.length, true);
+  off += 4;
+  data.set(cdj, off);
+  off += cdj.length;
+  view.setUint32(off, ad.length, true);
+  off += 4;
+  data.set(ad, off);
+  off += ad.length;
+  if (off !== dataLen) throw new Error(`internal: byte offset mismatch (${off} vs ${dataLen})`);
+  return new import_web35.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: params.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: params.feePayer, isSigner: true, isWritable: true },
+      { pubkey: params.swigAddress, isSigner: false, isWritable: true },
+      { pubkey: params.swigWalletAddress, isSigner: false, isWritable: true },
+      { pubkey: SWIG_PROGRAM_ID, isSigner: false, isWritable: false },
+      { pubkey: import_web35.SystemProgram.programId, isSigner: false, isWritable: true },
+      { pubkey: import_web35.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
+    ],
+    data: Buffer.from(data)
   });
-  commitStateUpTo();
-  return fragments.join("");
 }
-function getErrorMessage5(code, context = {}) {
-  if (process.env.NODE_ENV !== "production") {
-    return getHumanReadableErrorMessage5(code, context);
-  } else {
-    let decodingAdviceMessage = `Solana error #${code}; Decode this error by running \`npx @solana/errors decode -- ${code}`;
-    if (Object.keys(context).length) {
-      decodingAdviceMessage += ` '${encodeContextObject5(context)}'`;
-    }
-    return `${decodingAdviceMessage}\``;
+function buildSetSwigAtomicFromIdentity(params) {
+  const swigId = Uint8Array.from(
+    deriveSwigId(params.identitySeed, params.hmacKey)
+  );
+  const [swigAddress, swigAccountBump] = import_web35.PublicKey.findProgramAddressSync(
+    [Buffer.from(swigId)],
+    SWIG_PROGRAM_ID
+  );
+  const [swigWalletAddress, swigWalletAddressBump] = import_web35.PublicKey.findProgramAddressSync(
+    [swigAddress.toBytes()],
+    SWIG_PROGRAM_ID
+  );
+  return buildSetSwigAtomicInstruction({
+    vaultPda: params.vaultPda,
+    swigAddress,
+    swigWalletAddress,
+    feePayer: params.feePayer,
+    dexterMasterPubkey: params.dexterMasterPubkey,
+    swigId,
+    swigAccountBump,
+    swigWalletAddressBump,
+    clientDataJSON: params.clientDataJSON,
+    authenticatorData: params.authenticatorData
+  });
+}
+
+// src/instructions/registerSession.ts
+var import_web36 = require("@solana/web3.js");
+function encodeU64LE(value) {
+  const buf = new Uint8Array(8);
+  new DataView(buf.buffer).setBigUint64(0, value, true);
+  return buf;
+}
+function encodeI64LE(value) {
+  const buf = new Uint8Array(8);
+  new DataView(buf.buffer).setBigInt64(0, value, true);
+  return buf;
+}
+function encodeU32LE(value) {
+  const buf = new Uint8Array(4);
+  new DataView(buf.buffer).setUint32(0, value >>> 0, true);
+  return buf;
+}
+function encodeVecU8(bytes) {
+  const out = new Uint8Array(4 + bytes.length);
+  new DataView(out.buffer).setUint32(0, bytes.length >>> 0, true);
+  out.set(bytes, 4);
+  return out;
+}
+function concatBytes(...parts) {
+  const total = parts.reduce((n, p) => n + p.length, 0);
+  const out = new Uint8Array(total);
+  let o2 = 0;
+  for (const p of parts) {
+    out.set(p, o2);
+    o2 += p.length;
   }
+  return out;
 }
-var SolanaError5 = class extends Error {
-  /**
-   * Indicates the root cause of this {@link SolanaError}, if any.
-   *
-   * For example, a transaction error might have an instruction error as its root cause. In this
-   * case, you will be able to access the instruction error on the transaction error as `cause`.
-   */
-  cause = this.cause;
-  /**
-   * Contains context that can assist in understanding or recovering from a {@link SolanaError}.
-   */
-  context;
-  constructor(...[code, contextAndErrorOptions]) {
-    let context;
-    let errorOptions;
-    if (contextAndErrorOptions) {
-      const { cause, ...contextRest } = contextAndErrorOptions;
-      if (cause) {
-        errorOptions = { cause };
-      }
-      if (Object.keys(contextRest).length > 0) {
-        context = contextRest;
-      }
-    }
-    const message = getErrorMessage5(code, context);
-    super(message, errorOptions);
-    this.context = {
-      __code: code,
-      ...context
-    };
-    this.name = "SolanaError";
+function buildRegisterSessionKeyInstruction(args) {
+  if (args.sessionPubkey.length !== 32) {
+    throw new Error(`sessionPubkey must be 32 bytes, got ${args.sessionPubkey.length}`);
   }
-};
-
-// node_modules/@solana/rpc-transport-http/dist/index.node.mjs
-var DISALLOWED_HEADERS = {
-  accept: true,
-  "content-length": true,
-  "content-type": true
-};
-var FORBIDDEN_HEADERS = /* @__PURE__ */ Object.assign(
-  {
-    "accept-charset": true,
-    "access-control-request-headers": true,
-    "access-control-request-method": true,
-    connection: true,
-    "content-length": true,
-    cookie: true,
-    date: true,
-    dnt: true,
-    expect: true,
-    host: true,
-    "keep-alive": true,
-    origin: true,
-    "permissions-policy": true,
-    // Prefix matching is implemented in code, below.
-    // 'proxy-': true,
-    // 'sec-': true,
-    referer: true,
-    te: true,
-    trailer: true,
-    "transfer-encoding": true,
-    upgrade: true,
-    via: true
-  },
-  void 0
-);
-function assertIsAllowedHttpRequestHeaders(headers) {
-  const badHeaders = Object.keys(headers).filter((headerName) => {
-    const lowercaseHeaderName = headerName.toLowerCase();
-    return DISALLOWED_HEADERS[headerName.toLowerCase()] === true || FORBIDDEN_HEADERS[headerName.toLowerCase()] === true || lowercaseHeaderName.startsWith("proxy-") || lowercaseHeaderName.startsWith("sec-");
+  const data = concatBytes(
+    DISCRIMINATORS.register_session_key,
+    args.sessionPubkey,
+    encodeU64LE(args.maxAmount),
+    encodeI64LE(args.expiresAt),
+    args.allowedCounterparty.toBytes(),
+    encodeU32LE(args.nonce),
+    encodeVecU8(args.clientDataJSON),
+    encodeVecU8(args.authenticatorData)
+  );
+  return new import_web36.TransactionInstruction({
+    keys: [
+      { pubkey: args.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: INSTRUCTIONS_SYSVAR_ID, isSigner: false, isWritable: false }
+    ],
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    data: Buffer.from(data)
   });
-  if (badHeaders.length > 0) {
-    throw new SolanaError5(SOLANA_ERROR__RPC__TRANSPORT_HTTP_HEADER_FORBIDDEN5, {
-      headers: badHeaders
-    });
-  }
 }
-function normalizeHeaders(headers) {
-  const out = {};
-  for (const headerName in headers) {
-    out[headerName.toLowerCase()] = headers[headerName];
-  }
+
+// src/instructions/revokeSession.ts
+var import_web37 = require("@solana/web3.js");
+function encodeVecU82(bytes) {
+  const out = new Uint8Array(4 + bytes.length);
+  new DataView(out.buffer).setUint32(0, bytes.length >>> 0, true);
+  out.set(bytes, 4);
   return out;
 }
-function createHttpTransport(config) {
-  if (process.env.NODE_ENV !== "production" && false) ;
-  const { fromJson, headers, toJson, url } = config;
-  if (process.env.NODE_ENV !== "production" && headers) {
-    assertIsAllowedHttpRequestHeaders(headers);
-  }
-  let dispatcherConfig;
-  if ("dispatcher_NODE_ONLY" in config) {
-    dispatcherConfig = { dispatcher: config.dispatcher_NODE_ONLY };
+function concatBytes2(...parts) {
+  const total = parts.reduce((n, p) => n + p.length, 0);
+  const out = new Uint8Array(total);
+  let o2 = 0;
+  for (const p of parts) {
+    out.set(p, o2);
+    o2 += p.length;
   }
-  const customHeaders = headers && normalizeHeaders(headers);
-  return async function makeHttpRequest({
-    payload,
-    signal
-  }) {
-    const body = toJson ? toJson(payload) : JSON.stringify(payload);
-    const requestInfo = {
-      ...dispatcherConfig,
-      body,
-      headers: {
-        ...customHeaders,
-        // Keep these headers lowercase so they will override any user-supplied headers above.
-        accept: "application/json",
-        "content-length": body.length.toString(),
-        "content-type": "application/json; charset=utf-8"
-      },
-      method: "POST",
-      signal
-    };
-    const response = await fetch(url, requestInfo);
-    if (!response.ok) {
-      throw new SolanaError5(SOLANA_ERROR__RPC__TRANSPORT_HTTP_ERROR5, {
-        headers: response.headers,
-        message: response.statusText,
-        statusCode: response.status
-      });
-    }
-    if (fromJson) {
-      return fromJson(await response.text(), payload);
-    }
-    return await response.json();
-  };
+  return out;
 }
-var SOLANA_RPC_METHODS = [
-  "getAccountInfo",
-  "getBalance",
-  "getBlock",
-  "getBlockCommitment",
-  "getBlockHeight",
-  "getBlockProduction",
-  "getBlocks",
-  "getBlocksWithLimit",
-  "getBlockTime",
-  "getClusterNodes",
-  "getEpochInfo",
-  "getEpochSchedule",
-  "getFeeForMessage",
-  "getFirstAvailableBlock",
-  "getGenesisHash",
-  "getHealth",
-  "getHighestSnapshotSlot",
-  "getIdentity",
-  "getInflationGovernor",
-  "getInflationRate",
-  "getInflationReward",
-  "getLargestAccounts",
-  "getLatestBlockhash",
-  "getLeaderSchedule",
-  "getMaxRetransmitSlot",
-  "getMaxShredInsertSlot",
-  "getMinimumBalanceForRentExemption",
-  "getMultipleAccounts",
-  "getProgramAccounts",
-  "getRecentPerformanceSamples",
-  "getRecentPrioritizationFees",
-  "getSignaturesForAddress",
-  "getSignatureStatuses",
-  "getSlot",
-  "getSlotLeader",
-  "getSlotLeaders",
-  "getStakeMinimumDelegation",
-  "getSupply",
-  "getTokenAccountBalance",
-  "getTokenAccountsByDelegate",
-  "getTokenAccountsByOwner",
-  "getTokenLargestAccounts",
-  "getTokenSupply",
-  "getTransaction",
-  "getTransactionCount",
-  "getVersion",
-  "getVoteAccounts",
-  "index",
-  "isBlockhashValid",
-  "minimumLedgerSlot",
-  "requestAirdrop",
-  "sendTransaction",
-  "simulateTransaction"
-];
-function isSolanaRequest(payload) {
-  return isJsonRpcPayload(payload) && SOLANA_RPC_METHODS.includes(payload.method);
+function buildRevokeSessionKeyInstruction(args) {
+  const data = concatBytes2(
+    DISCRIMINATORS.revoke_session_key,
+    encodeVecU82(args.clientDataJSON),
+    encodeVecU82(args.authenticatorData)
+  );
+  return new import_web37.TransactionInstruction({
+    keys: [
+      { pubkey: args.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: INSTRUCTIONS_SYSVAR_ID, isSigner: false, isWritable: false }
+    ],
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    data: Buffer.from(data)
+  });
 }
-function createHttpTransportForSolanaRpc(config) {
-  return createHttpTransport({
-    ...config,
-    fromJson: (rawResponse, payload) => isSolanaRequest(payload) ? parseJsonWithBigInts(rawResponse) : JSON.parse(rawResponse),
-    toJson: (payload) => isSolanaRequest(payload) ? stringifyJsonWithBigints(payload) : JSON.stringify(payload)
+
+// src/instructions/settleVoucher.ts
+var import_web38 = require("@solana/web3.js");
+function encodeU64(value) {
+  const out = Buffer.alloc(8);
+  out.writeBigUInt64LE(value, 0);
+  return out;
+}
+function encodeBool(value) {
+  return Buffer.from([value ? 1 : 0]);
+}
+function buildSettleVoucherInstruction(p) {
+  const argsBuf = Buffer.concat([encodeU64(p.amount), encodeBool(p.increment)]);
+  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.settle_voucher), argsBuf]);
+  return new import_web38.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: p.dexterAuthority, isSigner: true, isWritable: false }
+    ],
+    data
   });
 }
 
-// node_modules/@solana/rpc/dist/index.node.mjs
-var import_events = require("events");
+// src/instructions/settleTabVoucher.ts
+var import_web310 = require("@solana/web3.js");
 
-// node_modules/@solana/fast-stable-stringify/dist/index.node.mjs
-var objToString = Object.prototype.toString;
-var objKeys = Object.keys || function(obj) {
-  const keys = [];
-  for (const name in obj) {
-    keys.push(name);
-  }
-  return keys;
-};
-function stringify(val, isArrayProp) {
-  let i, max, str, keys, key, propVal, toStr;
-  if (val === true) {
-    return "true";
-  }
-  if (val === false) {
-    return "false";
-  }
-  switch (typeof val) {
-    case "object":
-      if (val === null) {
-        return null;
-      } else if ("toJSON" in val && typeof val.toJSON === "function") {
-        return stringify(val.toJSON(), isArrayProp);
-      } else {
-        toStr = objToString.call(val);
-        if (toStr === "[object Array]") {
-          str = "[";
-          max = val.length - 1;
-          for (i = 0; i < max; i++) {
-            str += stringify(val[i], true) + ",";
-          }
-          if (max > -1) {
-            str += stringify(val[i], true);
-          }
-          return str + "]";
-        } else if (toStr === "[object Object]") {
-          keys = objKeys(val).sort();
-          max = keys.length;
-          str = "";
-          i = 0;
-          while (i < max) {
-            key = keys[i];
-            propVal = stringify(val[key], false);
-            if (propVal !== void 0) {
-              if (str) {
-                str += ",";
-              }
-              str += JSON.stringify(key) + ":" + propVal;
-            }
-            i++;
-          }
-          return "{" + str + "}";
-        } else {
-          return JSON.stringify(val);
-        }
-      }
-    case "function":
-    case "undefined":
-      return isArrayProp ? null : void 0;
-    case "bigint":
-      return `${val.toString()}n`;
-    case "string":
-      return JSON.stringify(val);
-    default:
-      return isFinite(val) ? val : null;
-  }
+// src/instructions/withdraw.ts
+var import_web39 = require("@solana/web3.js");
+function encodeBytesVec2(buf) {
+  const out = Buffer.alloc(4 + buf.length);
+  out.writeUInt32LE(buf.length, 0);
+  Buffer.from(buf).copy(out, 4);
+  return out;
 }
-function index_default(val) {
-  const returnVal = stringify(val, false);
-  if (returnVal !== void 0) {
-    return "" + returnVal;
-  }
+function encodeU642(value) {
+  const out = Buffer.alloc(8);
+  out.writeBigUInt64LE(value, 0);
+  return out;
 }
-
-// node_modules/@solana/rpc/dist/index.node.mjs
-function createSolanaJsonRpcIntegerOverflowError(methodName, keyPath, value) {
-  let argumentLabel = "";
-  if (typeof keyPath[0] === "number") {
-    const argPosition = keyPath[0] + 1;
-    const lastDigit = argPosition % 10;
-    const lastTwoDigits = argPosition % 100;
-    if (lastDigit == 1 && lastTwoDigits != 11) {
-      argumentLabel = argPosition + "st";
-    } else if (lastDigit == 2 && lastTwoDigits != 12) {
-      argumentLabel = argPosition + "nd";
-    } else if (lastDigit == 3 && lastTwoDigits != 13) {
-      argumentLabel = argPosition + "rd";
-    } else {
-      argumentLabel = argPosition + "th";
-    }
-  } else {
-    argumentLabel = `\`${keyPath[0].toString()}\``;
-  }
-  const path = keyPath.length > 1 ? keyPath.slice(1).map((pathPart) => typeof pathPart === "number" ? `[${pathPart}]` : pathPart).join(".") : void 0;
-  const error = new SolanaError4(SOLANA_ERROR__RPC__INTEGER_OVERFLOW4, {
-    argumentLabel,
-    keyPath,
-    methodName,
-    optionalPathLabel: path ? ` at path \`${path}\`` : "",
-    value,
-    ...path !== void 0 ? { path } : void 0
-  });
-  safeCaptureStackTrace2(error, createSolanaJsonRpcIntegerOverflowError);
-  return error;
+function encodeI64(value) {
+  const out = Buffer.alloc(8);
+  out.writeBigInt64LE(value, 0);
+  return out;
 }
-var DEFAULT_RPC_CONFIG = {
-  defaultCommitment: "confirmed",
-  onIntegerOverflow(request, keyPath, value) {
-    throw createSolanaJsonRpcIntegerOverflowError(request.methodName, keyPath, value);
-  }
-};
-var e2 = class extends globalThis.AbortController {
-  constructor(...t) {
-    super(...t), (0, import_events.setMaxListeners)(Number.MAX_SAFE_INTEGER, this.signal);
-  }
-};
-var EXPLICIT_ABORT_TOKEN;
-function createExplicitAbortToken() {
-  return process.env.NODE_ENV !== "production" ? {
-    EXPLICIT_ABORT_TOKEN: "This object is thrown from the request that underlies a series of coalesced requests when the last request in that series aborts"
-  } : {};
+function encodePubkey2(key) {
+  return Buffer.from(key.toBytes());
 }
-function getRpcTransportWithRequestCoalescing(transport, getDeduplicationKey) {
-  let coalescedRequestsByDeduplicationKey;
-  return async function makeCoalescedHttpRequest(request) {
-    const { payload, signal } = request;
-    const deduplicationKey = getDeduplicationKey(payload);
-    if (deduplicationKey === void 0) {
-      return await transport(request);
-    }
-    if (!coalescedRequestsByDeduplicationKey) {
-      queueMicrotask(() => {
-        coalescedRequestsByDeduplicationKey = void 0;
-      });
-      coalescedRequestsByDeduplicationKey = {};
-    }
-    if (coalescedRequestsByDeduplicationKey[deduplicationKey] == null) {
-      const abortController = new e2();
-      const responsePromise = (async () => {
-        try {
-          return await transport({
-            ...request,
-            signal: abortController.signal
-          });
-        } catch (e22) {
-          if (e22 === (EXPLICIT_ABORT_TOKEN ||= createExplicitAbortToken())) {
-            return;
-          }
-          throw e22;
-        }
-      })();
-      coalescedRequestsByDeduplicationKey[deduplicationKey] = {
-        abortController,
-        numConsumers: 0,
-        responsePromise
-      };
-    }
-    const coalescedRequest = coalescedRequestsByDeduplicationKey[deduplicationKey];
-    coalescedRequest.numConsumers++;
-    if (signal) {
-      const responsePromise = coalescedRequest.responsePromise;
-      return await new Promise((resolve, reject) => {
-        const handleAbort = (e22) => {
-          signal.removeEventListener("abort", handleAbort);
-          coalescedRequest.numConsumers -= 1;
-          queueMicrotask(() => {
-            if (coalescedRequest.numConsumers === 0) {
-              const abortController = coalescedRequest.abortController;
-              abortController.abort(EXPLICIT_ABORT_TOKEN ||= createExplicitAbortToken());
-            }
-          });
-          reject(e22.target.reason);
-        };
-        signal.addEventListener("abort", handleAbort);
-        responsePromise.then(resolve).catch(reject).finally(() => {
-          signal.removeEventListener("abort", handleAbort);
-        });
-      });
-    } else {
-      return await coalescedRequest.responsePromise;
-    }
-  };
+function deriveSwigWalletAddress(swigAddress) {
+  const [pda] = import_web39.PublicKey.findProgramAddressSync(
+    [Buffer.from("swig-wallet-address"), swigAddress.toBuffer()],
+    SWIG_PROGRAM_ID
+  );
+  return pda;
 }
-function getSolanaRpcPayloadDeduplicationKey(payload) {
-  return isJsonRpcPayload(payload) ? index_default([payload.method, payload.params]) : void 0;
+function buildRequestWithdrawalInstruction(p) {
+  const argsBuf = Buffer.concat([
+    encodeU642(p.amount),
+    encodePubkey2(p.destination),
+    encodeI64(p.signedAt),
+    encodeBytesVec2(p.clientDataJSON),
+    encodeBytesVec2(p.authenticatorData)
+  ]);
+  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.request_withdrawal), argsBuf]);
+  return new import_web39.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: import_web39.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
+    ],
+    data
+  });
+}
+function buildFinalizeWithdrawalInstruction(p) {
+  const argsBuf = Buffer.concat([
+    encodeBytesVec2(p.clientDataJSON),
+    encodeBytesVec2(p.authenticatorData)
+  ]);
+  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.finalize_withdrawal), argsBuf]);
+  const swigWalletAddress = deriveSwigWalletAddress(p.swigAddress);
+  return new import_web39.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.swigAddress, isSigner: false, isWritable: false },
+      { pubkey: swigWalletAddress, isSigner: false, isWritable: false },
+      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: import_web39.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
+    ],
+    data
+  });
+}
+function buildForceReleaseInstruction(p) {
+  const argsBuf = Buffer.concat([
+    encodeBytesVec2(p.clientDataJSON),
+    encodeBytesVec2(p.authenticatorData)
+  ]);
+  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.force_release), argsBuf]);
+  return new import_web39.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: import_web39.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
+    ],
+    data
+  });
 }
-function normalizeHeaders2(headers) {
-  const out = {};
-  for (const headerName in headers) {
-    out[headerName.toLowerCase()] = headers[headerName];
+
+// src/instructions/settleTabVoucher.ts
+function encodeFixedBytes2(buf, len) {
+  if (buf.length !== len) {
+    throw new Error(`expected ${len} bytes, got ${buf.length}`);
   }
-  return out;
+  return Buffer.from(buf);
 }
-function createDefaultRpcTransport(config) {
-  return pipe(
-    createHttpTransportForSolanaRpc({
-      ...config,
-      headers: {
-        ...{
-          // Keep these headers lowercase so they will be overridden by any user-supplied headers below.
-          "accept-encoding": (
-            // Natively supported by Node LTS v20.18.0 and above.
-            "br,gzip,deflate"
-          )
-          // Brotli, gzip, and Deflate, in that order.
-        },
-        ...config.headers ? normalizeHeaders2(config.headers) : void 0,
-        ...{
-          // Keep these headers lowercase so they will override any user-supplied headers above.
-          "solana-client": `js/${"2.3.0"}`
-        }
-      }
-    }),
-    (transport) => getRpcTransportWithRequestCoalescing(transport, getSolanaRpcPayloadDeduplicationKey)
-  );
+function encodeU643(value) {
+  const out = Buffer.alloc(8);
+  out.writeBigUInt64LE(value, 0);
+  return out;
 }
-function createSolanaRpc(clusterUrl, config) {
-  return createSolanaRpcFromTransport(createDefaultRpcTransport({ url: clusterUrl, ...config }));
+function encodeU322(value) {
+  const out = Buffer.alloc(4);
+  out.writeUInt32LE(value >>> 0, 0);
+  return out;
 }
-function createSolanaRpcFromTransport(transport) {
-  return createRpc({
-    api: createSolanaRpcApi(DEFAULT_RPC_CONFIG),
-    transport
+function buildSettleTabVoucherInstruction(p) {
+  if (p.channelId.length !== 32) {
+    throw new Error(`channelId must be 32 bytes, got ${p.channelId.length}`);
+  }
+  const argsBuf = Buffer.concat([
+    encodeFixedBytes2(p.channelId, 32),
+    encodeU643(p.cumulativeAmount),
+    encodeU322(p.sequenceNumber)
+  ]);
+  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.settle_tab_voucher), argsBuf]);
+  const swigWalletAddress = deriveSwigWalletAddress(p.swigAddress);
+  return new import_web310.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.swigAddress, isSigner: false, isWritable: false },
+      { pubkey: swigWalletAddress, isSigner: false, isWritable: false },
+      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: p.dexterAuthority, isSigner: true, isWritable: false },
+      { pubkey: import_web310.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
+    ],
+    data
   });
 }
 
-// src/instructions/swigBundle.ts
-var bs58Module = __toESM(require("bs58"), 1);
-var import_web312 = require("@solana/web3.js");
-var bs58 = bs58Module.default ?? bs58Module;
-var SWIG_ID_DOMAIN = "dexter-swig-id:v1:";
-var DEFAULT_SESSION_TTL_SECONDS = BigInt(30 * 24 * 60 * 60);
-var DEFAULT_SPEND_LIMIT_ATOMIC = BigInt(1e9);
-var SWIG_PROGRAM_EXEC_PREFIX = new Uint8Array([
-  178,
-  87,
-  206,
-  68,
-  201,
-  186,
-  164,
-  232
-]);
-var SWIG_PROGRAM_EXEC_PREFIX_SETTLE_TAB = new Uint8Array([
-  173,
-  22,
-  98,
-  31,
-  110,
-  129,
-  59,
-  161
-]);
-var SWIG_PROGRAM_EXEC_MARKERS = [
-  SWIG_PROGRAM_EXEC_PREFIX,
-  SWIG_PROGRAM_EXEC_PREFIX_SETTLE_TAB
-];
-function deriveSwigId(identitySeed, hmacKey) {
-  if (hmacKey.length !== 32) {
-    throw new Error(`hmacKey must be 32 bytes, got ${hmacKey.length}`);
+// src/instructions/rotate.ts
+var import_web311 = require("@solana/web3.js");
+function encodeBytesVec3(buf) {
+  const out = Buffer.alloc(4 + buf.length);
+  out.writeUInt32LE(buf.length, 0);
+  Buffer.from(buf).copy(out, 4);
+  return out;
+}
+function encodeFixedBytes3(buf, len) {
+  if (buf.length !== len) {
+    throw new Error(`expected ${len} bytes, got ${buf.length}`);
   }
-  return (0, import_node_crypto.createHmac)("sha256", Buffer.from(hmacKey)).update(SWIG_ID_DOMAIN).update(Buffer.from(identitySeed)).digest();
+  return Buffer.from(buf);
 }
-async function buildSwigCreationBundle(params) {
-  const {
-    feePayer,
-    dexterMasterPubkey,
-    identitySeed,
-    hmacKey,
-    sessionTtlSeconds = DEFAULT_SESSION_TTL_SECONDS,
-    spendLimitAtomic = DEFAULT_SPEND_LIMIT_ATOMIC
-  } = params;
-  const swigId = deriveSwigId(identitySeed, hmacKey);
-  const swigPda = await (0, import_kit.findSwigPda)(swigId);
-  const swigAddressStr = String(swigPda);
-  const feePayerBytes = bs58.decode(feePayer);
-  const vaultProgramIdBytes = Uint8Array.from(DEXTER_VAULT_PROGRAM_ID.toBytes());
-  const dexterPubkeyBytes = bs58.decode(dexterMasterPubkey);
-  const bootstrapAuthorityInfo = (0, import_lib.createEd25519AuthorityInfo)(feePayerBytes);
-  const bootstrapActions = import_lib.Actions.set().manageAuthority().get();
-  const vaultAuthorityInfo = (0, import_lib.createProgramExecAuthorityInfo)(
-    vaultProgramIdBytes,
-    SWIG_PROGRAM_EXEC_PREFIX
-  );
-  const vaultActions = import_lib.Actions.set().all().get();
-  const vaultTabSettleAuthorityInfo = (0, import_lib.createProgramExecAuthorityInfo)(
-    vaultProgramIdBytes,
-    SWIG_PROGRAM_EXEC_PREFIX_SETTLE_TAB
-  );
-  const vaultTabSettleActions = import_lib.Actions.set().all().get();
-  const sessionAuthorityInfo = (0, import_lib.createEd25519SessionAuthorityInfo)(
-    dexterPubkeyBytes,
-    sessionTtlSeconds
-  );
-  const sessionActions = import_lib.Actions.set().tokenLimit({ mint: bs58.decode(USDC_MAINNET), amount: spendLimitAtomic }).programAll().get();
-  const builder = (0, import_lib.getCreateSwigWithMultipleAuthoritiesInstructionContextBuilder)({
-    payer: address(feePayer),
-    swigAddress: address(swigAddressStr),
-    id: swigId,
-    actions: bootstrapActions,
-    authorityInfo: bootstrapAuthorityInfo,
-    options: {}
-  }).addAuthority(vaultAuthorityInfo, vaultActions).addAuthority(sessionAuthorityInfo, sessionActions).addAuthority(vaultTabSettleAuthorityInfo, vaultTabSettleActions);
-  const contexts = await builder.getInstructionContexts();
-  const instructions = contexts.flatMap((ctx) => (0, import_kit.getInstructionsFromContext)(ctx));
-  return {
-    swigAddress: swigAddressStr,
-    swigIdBase58: bs58.encode(swigId),
-    instructions
-  };
+function encodePubkey3(key) {
+  return Buffer.from(key.toBytes());
 }
-async function expectedSwigAddressFor(identitySeed, hmacKey) {
-  const swigId = deriveSwigId(identitySeed, hmacKey);
-  return String(await (0, import_kit.findSwigPda)(swigId));
+function buildRotatePasskeyInstruction(p) {
+  const argsBuf = Buffer.concat([
+    encodeFixedBytes3(p.newPasskeyPubkey, 33),
+    encodeBytesVec3(p.clientDataJSON),
+    encodeBytesVec3(p.authenticatorData)
+  ]);
+  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.rotate_passkey), argsBuf]);
+  return new import_web311.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: import_web311.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
+    ],
+    data
+  });
 }
-async function verifySwigIsOurs(params) {
-  const { swigAddress, identitySeed, hmacKey, dexterMasterPubkey, rpcEndpoint } = params;
-  const expected = await expectedSwigAddressFor(identitySeed, hmacKey);
-  if (swigAddress !== expected) {
-    return {
-      ok: false,
-      reason: `swig_address_mismatch: expected ${expected}, got ${swigAddress}`
-    };
-  }
-  try {
-    const rpc = createSolanaRpc(rpcEndpoint);
-    const swig = await (0, import_kit.fetchNullableSwig)(rpc, address(swigAddress));
-    if (swig) {
-      const ourRoles = swig.findRolesByAuthorityAddress(bs58.decode(dexterMasterPubkey));
-      if (!ourRoles || ourRoles.length === 0) {
-        return {
-          ok: false,
-          reason: "swig_missing_session_master_role"
-        };
-      }
-    }
-  } catch {
-  }
-  return { ok: true };
+function buildRotateDexterAuthorityInstruction(p) {
+  const data = Buffer.concat([
+    Buffer.from(DISCRIMINATORS.rotate_dexter_authority),
+    encodePubkey3(p.newDexterAuthority)
+  ]);
+  return new import_web311.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.vaultPda, isSigner: false, isWritable: true },
+      { pubkey: p.currentDexterAuthority, isSigner: true, isWritable: false }
+    ],
+    data
+  });
 }
-function deriveVaultPda(supabaseUserId) {
-  if (supabaseUserId.length !== 16) {
-    throw new Error("supabaseUserId must be 16 bytes (UUID v4)");
+
+// src/instructions/provePasskey.ts
+var import_web312 = require("@solana/web3.js");
+function encodeBytesVec4(buf) {
+  const out = Buffer.alloc(4 + buf.length);
+  out.writeUInt32LE(buf.length, 0);
+  Buffer.from(buf).copy(out, 4);
+  return out;
+}
+function encodeFixedBytes4(buf, len) {
+  if (buf.length !== len) {
+    throw new Error(`expected ${len} bytes, got ${buf.length}`);
   }
-  const [pda, bump] = import_web312.PublicKey.findProgramAddressSync(
-    [Buffer.from("vault"), Buffer.from(supabaseUserId)],
-    DEXTER_VAULT_PROGRAM_ID
-  );
-  return { pda, bump };
+  return Buffer.from(buf);
+}
+function buildProvePasskeyInstruction(p) {
+  const argsBuf = Buffer.concat([
+    encodeFixedBytes4(p.challenge, 32),
+    encodeBytesVec4(p.clientDataJSON),
+    encodeBytesVec4(p.authenticatorData)
+  ]);
+  const data = Buffer.concat([Buffer.from(DISCRIMINATORS.prove_passkey), argsBuf]);
+  return new import_web312.TransactionInstruction({
+    programId: DEXTER_VAULT_PROGRAM_ID,
+    keys: [
+      { pubkey: p.vaultPda, isSigner: false, isWritable: false },
+      { pubkey: import_web312.SYSVAR_INSTRUCTIONS_PUBKEY, isSigner: false, isWritable: false }
+    ],
+    data
+  });
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -5072,11 +5101,13 @@ function deriveVaultPda(supabaseUserId) {
   buildRevokeSessionKeyInstruction,
   buildRotateDexterAuthorityInstruction,
   buildRotatePasskeyInstruction,
+  buildSetSwigAtomicFromIdentity,
   buildSetSwigAtomicInstruction,
   buildSetSwigInstruction,
   buildSettleTabVoucherInstruction,
   buildSettleVoucherInstruction,
   buildSwigCreationBundle,
+  deriveSwigId,
   deriveSwigWalletAddress,
   deriveVaultPda,
   expectedSwigAddressFor,