@frontiercompute/zcash-ika 0.1.0 → 0.2.0

package/README.md

@@ -1,46 +1,28 @@
 # zcash-ika
 
-Split-key custody for Zcash and Bitcoin. The private key never exists whole.
+Split-key custody for Zcash, Bitcoin, and EVM chains. The private key never exists whole.
 
 [![npm](https://img.shields.io/npm/v/@frontiercompute/zcash-ika)](https://www.npmjs.com/package/@frontiercompute/zcash-ika)
 
 ## What this is
 
-Your agent/DAO/treasury holds ZEC and BTC through [Ika's 2PC-MPC network](https://ika.xyz). One key share on your device, one distributed across Ika's nodes on Sui. Both must cooperate to sign. Spending policy enforced by smart contract. Every action attested on-chain via [ZAP1](https://pay.frontiercompute.io).
+One secp256k1 dWallet on [Ika's 2PC-MPC network](https://ika.xyz) signs for Zcash transparent, Bitcoin, and Ethereum. Your device holds half the key. Ika's nodes hold the other half. Spending policy enforced by Sui Move contract. Every action attested on Zcash via [ZAP1](https://pay.frontiercompute.io).
 
-**Ed25519 dWallet live on Ika testnet.** First Zcash-capable dWallet ever created on the network.
+## What works today
 
-## Use cases
-
-### AI Agent Custody
-Your agent needs to spend money. Give it a split-key wallet instead of full access. The agent requests transactions, but can't override spending limits, daily caps, or approved recipient lists. If the agent gets compromised, the attacker gets half a key. Worthless.
-
-```
-npx @frontiercompute/zcash-mcp  # 17 tools, any MCP client
-```
-
-### DAO Treasury
-Multi-sig is 2003 technology. Split-key custody means the treasury key literally doesn't exist in one place. Policy lives in a Sui Move contract that no single party controls. Every spend attested to Zcash for the full audit trail, but balances stay shielded.
-
-### Privacy Payroll
-Pay contributors without publishing amounts on a block explorer. Shielded ZEC from an Orchard address, every payment attested via ZAP1 for compliance. The auditor sees proof of payment. Nobody else sees anything.
-
-### Cross-Border Commerce
-Hold shielded ZEC + stablecoins (USDC/USDT via secp256k1 on EVM chains) in one wallet. Same operator, same policy. Swap between them via NEAR Intents. Settlement is private. Compliance is provable.
+| Chain | Curve | Algorithm | Hash | Status |
+|-------|-------|-----------|------|--------|
+| Zcash transparent | secp256k1 | ECDSA | DoubleSHA256 | dWallet on testnet, signing wired |
+| Bitcoin | secp256k1 | ECDSA | DoubleSHA256 | Same dWallet, same key |
+| Ethereum/EVM | secp256k1 | ECDSA | KECCAK256 | Same dWallet, different hash |
 
-### Compliance Without Exposure
-ZAP1 attestations prove what happened without revealing what you hold. Bond deposits prove skin in the game. Policy verification proves you followed the rules. All on Zcash mainnet, all verifiable, nothing visible beyond what you choose to share.
+One dWallet. Three chain families. Split custody on all of them.
 
-## Signing parameters
+## What does NOT work
 
-| Chain | Curve | Algorithm | Hash | Status |
-|-------|-------|-----------|------|--------|
-| Zcash Orchard | ED25519 | EdDSA | SHA512 | dWallet live on testnet |
-| Bitcoin | SECP256K1 | ECDSASecp256k1 | DoubleSHA256 | SDK ready |
-| Zcash transparent | SECP256K1 | ECDSASecp256k1 | DoubleSHA256 | SDK ready |
-| Ethereum/Base | SECP256K1 | ECDSASecp256k1 | KECCAK256 | SDK ready |
+**Zcash shielded (Orchard)** requires RedPallas signatures on the Pallas curve. Ika's MPC supports secp256k1 and Ed25519, but not Pallas. There is no path from Ika to Orchard signing today. Same for Sapling (RedJubjub on Jubjub).
 
-One secp256k1 dWallet signs for Bitcoin, Zcash transparent, and every EVM chain.
+For shielded operations, use the [embedded Orchard wallet](https://github.com/Frontier-Compute/zap1) which holds keys directly. The hybrid architecture: MPC custody for transparent + cross-chain, local wallet for shielded.
 
 ## Install
 
@@ -48,106 +30,106 @@ One secp256k1 dWallet signs for Bitcoin, Zcash transparent, and every EVM chain.
 npm install @frontiercompute/zcash-ika
 ```
 
-## Quick start
+## Usage
 
 ```typescript
 import {
+  createWallet,
+  sign,
   createDualCustody,
-  spendShielded,
-  spendBitcoin,
-  setPolicy,
   getHistory,
   checkCompliance,
   CHAIN_PARAMS,
 } from "@frontiercompute/zcash-ika";
 
 const config = {
-  network: "mainnet",
-  zebraRpcUrl: "http://127.0.0.1:8232",
+  network: "testnet",
+  suiPrivateKey: "suiprivkey1...",
   zap1ApiUrl: "https://pay.frontiercompute.io",
-  zap1ApiKey: "your-key",
 };
 
-// Create dual custody - shielded ZEC + BTC/stablecoins
-const custody = await createDualCustody(config, operatorSeed);
-
-// Set spending policy (enforced by Sui contract, not by trust)
-await setPolicy(config, custody.shielded.id, {
-  maxPerTx: 100_000,       // 0.001 ZEC per tx
-  maxDaily: 1_000_000,     // 0.01 ZEC daily cap
-  allowedRecipients: [],   // any recipient (or lock to specific addresses)
-  approvalThreshold: 500_000, // operator approval above 0.005 ZEC
+// Create split-key wallet (secp256k1 - signs for ZEC + BTC + ETH)
+const custody = await createDualCustody(config);
+console.log("dWallet:", custody.primary.id);
+console.log("Save this seed:", custody.primary.encryptionSeed);
+
+// Sign a Zcash transparent sighash through MPC
+const result = await sign(config, {
+  messageHash: sighashBytes, // DoubleSHA256 of the tx
+  walletId: custody.primary.id,
+  chain: "zcash-transparent",
+  encryptionSeed: custody.primary.encryptionSeed,
 });
-
-// Shielded spend - agent requests, both key shares cooperate
-const result = await spendShielded(config, custody.shielded.id, operatorSeed, {
-  to: "u1abc...",
-  amount: 50_000,
-  memo: "payment for API access",
+console.log("Signature:", Buffer.from(result.signature).toString("hex"));
+
+// Sign Bitcoin (same dWallet, same MPC, same seed)
+const btcSig = await sign(config, {
+  messageHash: btcSighash,
+  walletId: custody.primary.id,
+  chain: "bitcoin",
+  encryptionSeed: custody.primary.encryptionSeed,
 });
 
 // Compliance check (works now against live ZAP1 API)
-const compliance = await checkCompliance(config, custody.shielded.id);
-// { compliant: true, violations: 0, bondDeposits: 1 }
+const compliance = await checkCompliance(config, custody.primary.id);
 ```
 
 ## How it works
 
 ```
-Operator (phone / hardware wallet / DAO multisig)
+Operator (phone / hardware wallet)
   |
-  | user key share
+  | user key share (encryption seed)
   |
-Ika MPC Network (2PC-MPC on Sui, mainnet live)
+Ika MPC Network (2PC-MPC on Sui)
   |
   | network key share (distributed across nodes)
   |
   +-- Spending Policy (Sui Move contract)
   |     max per tx, daily cap, approved recipients
-  |     the agent CANNOT modify its own limits
   |
-  +-- Sign Zcash tx (Ed25519/EdDSA)  -> shielded spend
-  +-- Sign Bitcoin tx (secp256k1/ECDSA) -> BTC spend
-  +-- Sign EVM tx (secp256k1/ECDSA)  -> USDC/USDT spend
+  +-- Sign ZEC transparent tx (secp256k1/ECDSA/DoubleSHA256)
+  +-- Sign BTC tx             (secp256k1/ECDSA/DoubleSHA256)
+  +-- Sign ETH tx             (secp256k1/ECDSA/KECCAK256)
   |
 ZAP1 Attestation (Zcash mainnet)
-  +-- every spend recorded as AGENT_ACTION
-  +-- policy violations on-chain as POLICY_VIOLATION
-  +-- bond deposits prove skin in the game
-  +-- full audit trail, verifiable by anyone
+  +-- every spend recorded
+  +-- policy violations on-chain
+  +-- full audit trail
 ```
 
-## What's live
+## Sign flow (two transactions)
+
+1. **Presign** - pre-compute MPC ephemeral key share (TX 1, poll for completion)
+2. **Sign** - approve message + request signature (TX 2, poll for completion)
 
-- Ed25519 dWallet on Ika testnet (TX: `FYcuaxBCAfuZqfBW7JEtEJME3KLBSBKLvhjLpZGSyaXb`)
-- `getHistory()` and `checkCompliance()` against live ZAP1 API
-- All Ika SDK primitives re-exported and typed
-- Chain parameter configs for all signing modes
-- DKG test script proving the full round-trip
+Both transactions on Sui. The user partial signature is computed locally via WASM. Neither party ever sees the full private key.
 
-## What's next
+## On-chain proof
 
-- secp256k1 dWallet for BTC/stablecoins (same flow, different curve)
-- Sign a real Zcash sighash through the MPC
-- Ed25519 -> Orchard spending key derivation bridge
-- Move policy template for spending limits
-- Mainnet deployment
+secp256k1 dWallet created on Ika testnet:
 
-## The competition
+- dWalletId: `0xd9055400c88aeae675413b78143aa54e25eca7061ab659f54a42167cbfdd7aec`
+- TX: [`CYrS5X1S3itHUtux4qS35AJz5AAyUaJYeWZuqm1CcX2L`](https://testnet.suivision.xyz/txblock/CYrS5X1S3itHUtux4qS35AJz5AAyUaJYeWZuqm1CcX2L)
+- Public key: `03ba9e85a85674df494520c2e80b804656fac54fe68668266f33fee9b03ad4b069`
+- Derived BTC: `moV3JAzgNa6NkxVfdaNqUjLoDxKEwNAnkX`
+- Derived ZEC t-addr: `t1Rqh1TKqXsSiaV4wrSDandEPccucpHEudn`
 
-| Project | Custody | Privacy | Attestation |
-|---------|---------|---------|-------------|
-| Coinbase AgentKit | Full key in agent | None | None |
-| GOAT SDK | Full key in agent | None | None |
-| Solana Agent Kit | Full key in agent | None | None |
-| **zcash-ika** | **Split-key MPC** | **Zcash Orchard** | **ZAP1 on-chain** |
+## Test scripts
+
+```bash
+# Create a new dWallet (saves encryption seed)
+SUI_PRIVATE_KEY=suiprivkey1... node dist/test-dkg.js
+
+# Sign a test message through MPC
+SUI_PRIVATE_KEY=... DWALLET_ID=0x... ENC_SEED=... node dist/test-sign.js
+```
 
 ## Stack
 
 - [Ika](https://ika.xyz) - 2PC-MPC threshold signing on Sui
 - [ZAP1](https://pay.frontiercompute.io) - on-chain attestation protocol
 - [Zebra](https://github.com/ZcashFoundation/zebra) - Zcash node
-- [zcash-mcp](https://www.npmjs.com/package/@frontiercompute/zcash-mcp) - 17-tool MCP server
 
 ## License
 

package/dist/hybrid.d.ts

@@ -0,0 +1,119 @@
+/**
+ * Hybrid custody model for Zcash agents.
+ *
+ * Two custody paths, one interface:
+ *
+ * TRANSPARENT (secp256k1 via Ika MPC):
+ *   - t-addr transactions signed through 2PC-MPC
+ *   - Neither party holds the full key
+ *   - Policy enforced by Sui Move contract
+ *   - Same key signs BTC and ETH
+ *
+ * SHIELDED (RedPallas via local Orchard wallet):
+ *   - Orchard transactions signed locally (direct key)
+ *   - Ika cannot sign RedPallas (Pallas curve not supported)
+ *   - Privacy from Zcash protocol, not from MPC
+ *   - Every shielded spend attested to ZAP1
+ *
+ * The gap:
+ *   Orchard uses RedPallas on the Pallas curve. Ika supports secp256k1,
+ *   Ed25519, secp256r1, and Ristretto. None of these are Pallas.
+ *   Until an MPC network adds Pallas curve support, shielded custody
+ *   requires holding keys directly.
+ *
+ * The bridge:
+ *   shield()  - move ZEC from t-addr (MPC) to shielded pool (local wallet)
+ *   unshield() - move ZEC from shielded back to t-addr (for MPC custody)
+ *   Both operations attested on-chain via ZAP1.
+ */
+import type { ZcashIkaConfig, DWalletHandle, SignResult } from "./index.js";
+export type CustodyMode = "mpc" | "local";
+export interface HybridWallet {
+    /** MPC-custody transparent wallet (secp256k1 dWallet on Ika) */
+    transparent: {
+        mode: "mpc";
+        walletId: string;
+        publicKey: Uint8Array;
+        tAddress: string;
+        encryptionSeed: string;
+    };
+    /** Local-custody shielded wallet (Orchard keys held directly) */
+    shielded: {
+        mode: "local";
+        /** Unified address (starts with u1) */
+        uAddress: string;
+        /** Whether the local wallet is initialized */
+        initialized: boolean;
+    };
+    /** ZAP1 attestation endpoint */
+    zap1ApiUrl: string;
+}
+export interface ShieldRequest {
+    /** Amount in zatoshis to move from t-addr to shielded pool */
+    amount: number;
+    /** Optional memo for the shielding transaction */
+    memo?: string;
+}
+export interface UnshieldRequest {
+    /** Amount in zatoshis to move from shielded back to t-addr */
+    amount: number;
+    /** Optional memo */
+    memo?: string;
+}
+export interface ShieldResult {
+    /** Zcash transaction ID */
+    txid: string;
+    /** Direction */
+    direction: "shield" | "unshield";
+    /** Amount moved */
+    amount: number;
+    /** ZAP1 attestation leaf hash */
+    leafHash?: string;
+}
+/**
+ * Create a hybrid wallet - MPC for transparent, local for shielded.
+ *
+ * The transparent side is an Ika dWallet (already created via createWallet).
+ * The shielded side connects to the local Zebra/Zashi wallet.
+ */
+export declare function createHybridWallet(transparentWallet: DWalletHandle, shieldedAddress: string, zap1ApiUrl: string): HybridWallet;
+/**
+ * Sign a transparent transaction through MPC.
+ * Delegates to the Ika sign() function.
+ */
+export declare function signTransparent(config: ZcashIkaConfig, wallet: HybridWallet, sighash: Uint8Array): Promise<SignResult>;
+/**
+ * Shield ZEC - move from MPC-custody t-addr to local shielded pool.
+ *
+ * Flow:
+ * 1. Build transparent tx: t-addr -> shielded address
+ * 2. Compute sighash (DoubleSHA256)
+ * 3. Sign via Ika MPC (secp256k1)
+ * 4. Broadcast via Zebra
+ * 5. Attest via ZAP1 as AGENT_ACTION
+ *
+ * After shielding, the ZEC is in the local Orchard wallet.
+ * Private from that point forward.
+ */
+export declare function shield(config: ZcashIkaConfig, wallet: HybridWallet, request: ShieldRequest): Promise<ShieldResult>;
+/**
+ * Unshield ZEC - move from local shielded pool back to MPC-custody t-addr.
+ *
+ * Flow:
+ * 1. Build Orchard tx: shielded -> t-addr (signed locally, RedPallas)
+ * 2. Broadcast via Zebra
+ * 3. Attest via ZAP1 as AGENT_ACTION
+ *
+ * After unshielding, the ZEC is back under MPC custody.
+ * The MPC can then send it to BTC, ETH, or another t-addr.
+ */
+export declare function unshield(config: ZcashIkaConfig, wallet: HybridWallet, request: UnshieldRequest): Promise<ShieldResult>;
+/**
+ * Attest a custody operation to ZAP1.
+ */
+export declare function attestCustodyOp(zap1ApiUrl: string, zap1ApiKey: string, op: {
+    direction: "shield" | "unshield";
+    txid: string;
+    amount: number;
+    walletId: string;
+}): Promise<string | null>;

package/dist/hybrid.js

@@ -0,0 +1,148 @@
+/**
+ * Hybrid custody model for Zcash agents.
+ *
+ * Two custody paths, one interface:
+ *
+ * TRANSPARENT (secp256k1 via Ika MPC):
+ *   - t-addr transactions signed through 2PC-MPC
+ *   - Neither party holds the full key
+ *   - Policy enforced by Sui Move contract
+ *   - Same key signs BTC and ETH
+ *
+ * SHIELDED (RedPallas via local Orchard wallet):
+ *   - Orchard transactions signed locally (direct key)
+ *   - Ika cannot sign RedPallas (Pallas curve not supported)
+ *   - Privacy from Zcash protocol, not from MPC
+ *   - Every shielded spend attested to ZAP1
+ *
+ * The gap:
+ *   Orchard uses RedPallas on the Pallas curve. Ika supports secp256k1,
+ *   Ed25519, secp256r1, and Ristretto. None of these are Pallas.
+ *   Until an MPC network adds Pallas curve support, shielded custody
+ *   requires holding keys directly.
+ *
+ * The bridge:
+ *   shield()  - move ZEC from t-addr (MPC) to shielded pool (local wallet)
+ *   unshield() - move ZEC from shielded back to t-addr (for MPC custody)
+ *   Both operations attested on-chain via ZAP1.
+ */
+import { sign } from "./index.js";
+/**
+ * Create a hybrid wallet - MPC for transparent, local for shielded.
+ *
+ * The transparent side is an Ika dWallet (already created via createWallet).
+ * The shielded side connects to the local Zebra/Zashi wallet.
+ */
+export function createHybridWallet(transparentWallet, shieldedAddress, zap1ApiUrl) {
+    return {
+        transparent: {
+            mode: "mpc",
+            walletId: transparentWallet.id,
+            publicKey: transparentWallet.publicKey,
+            tAddress: transparentWallet.address,
+            encryptionSeed: transparentWallet.encryptionSeed,
+        },
+        shielded: {
+            mode: "local",
+            uAddress: shieldedAddress,
+            initialized: shieldedAddress.startsWith("u1"),
+        },
+        zap1ApiUrl,
+    };
+}
+/**
+ * Sign a transparent transaction through MPC.
+ * Delegates to the Ika sign() function.
+ */
+export async function signTransparent(config, wallet, sighash) {
+    return sign(config, {
+        messageHash: sighash,
+        walletId: wallet.transparent.walletId,
+        chain: "zcash-transparent",
+        encryptionSeed: wallet.transparent.encryptionSeed,
+    });
+}
+/**
+ * Shield ZEC - move from MPC-custody t-addr to local shielded pool.
+ *
+ * Flow:
+ * 1. Build transparent tx: t-addr -> shielded address
+ * 2. Compute sighash (DoubleSHA256)
+ * 3. Sign via Ika MPC (secp256k1)
+ * 4. Broadcast via Zebra
+ * 5. Attest via ZAP1 as AGENT_ACTION
+ *
+ * After shielding, the ZEC is in the local Orchard wallet.
+ * Private from that point forward.
+ */
+export async function shield(config, wallet, request) {
+    if (!wallet.shielded.initialized) {
+        throw new Error("Shielded wallet not initialized. Provide a valid u1 address.");
+    }
+    if (!config.zebraRpcUrl) {
+        throw new Error("shield() requires zebraRpcUrl for building and broadcasting the tx.");
+    }
+    // The full pipeline:
+    // 1. z_listunspent on the t-addr to find UTXOs
+    // 2. Build raw tx spending to the shielded address
+    // 3. Extract sighash
+    // 4. sign() via Ika MPC
+    // 5. Attach signature
+    // 6. sendrawtransaction
+    // 7. Attest to ZAP1
+    throw new Error("shield() requires Zcash transparent tx builder (zcash-primitives or librustzcash). " +
+        "Use sign() with a pre-built sighash for now. " +
+        "The shielding tx is a standard t-addr -> Orchard spend.");
+}
+/**
+ * Unshield ZEC - move from local shielded pool back to MPC-custody t-addr.
+ *
+ * Flow:
+ * 1. Build Orchard tx: shielded -> t-addr (signed locally, RedPallas)
+ * 2. Broadcast via Zebra
+ * 3. Attest via ZAP1 as AGENT_ACTION
+ *
+ * After unshielding, the ZEC is back under MPC custody.
+ * The MPC can then send it to BTC, ETH, or another t-addr.
+ */
+export async function unshield(config, wallet, request) {
+    if (!config.zebraRpcUrl) {
+        throw new Error("unshield() requires zebraRpcUrl.");
+    }
+    // Unshielding is done entirely locally - no MPC involved.
+    // The Orchard wallet holds keys directly and signs with RedPallas.
+    // z_sendmany from the shielded address to the t-addr.
+    throw new Error("unshield() requires connection to local Zebra wallet with Orchard spending keys. " +
+        "Use z_sendmany via Zebra RPC directly for now.");
+}
+/**
+ * Attest a custody operation to ZAP1.
+ */
+export async function attestCustodyOp(zap1ApiUrl, zap1ApiKey, op) {
+    try {
+        const resp = await fetch(`${zap1ApiUrl}/attest`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${zap1ApiKey}`,
+            },
+            body: JSON.stringify({
+                event_type: "AGENT_ACTION",
+                wallet_hash: op.walletId,
+                input_hash: op.txid,
+                memo: JSON.stringify({
+                    action: op.direction,
+                    amount: op.amount,
+                    custody: op.direction === "shield" ? "mpc->local" : "local->mpc",
+                }),
+            }),
+        });
+        if (!resp.ok)
+            return null;
+        const data = (await resp.json());
+        return data.leaf_hash || null;
+    }
+    catch {
+        return null;
+    }
+}