@frontiercompute/zcash-ika 0.3.0 → 0.5.0

package/dist/btc-tx-builder.d.ts

@@ -0,0 +1,87 @@
+/**
+ * Bitcoin P2PKH transaction builder.
+ *
+ * Builds legacy (non-segwit) P2PKH transactions for MPC-signed spends.
+ * The signing itself happens via Ika dWallet (secp256k1 ECDSA).
+ * This module handles UTXO fetch, TX structure, sighash computation,
+ * signature attachment, and broadcast via Blockstream API.
+ */
+export type BtcNetwork = "mainnet" | "testnet";
+export interface BtcUTXO {
+    txid: string;
+    vout: number;
+    scriptPubKey: string;
+    value: number;
+}
+export interface BtcTxOutput {
+    address: string;
+    value: number;
+}
+interface BtcInput {
+    prevTxid: Buffer;
+    prevIndex: number;
+    scriptPubKey: Buffer;
+    value: number;
+    sequence: number;
+}
+interface BtcOutput {
+    value: number;
+    script: Buffer;
+}
+/**
+ * Fetch UTXOs for a Bitcoin P2PKH address from Blockstream API.
+ */
+export declare function fetchBtcUTXOs(address: string, network?: BtcNetwork): Promise<BtcUTXO[]>;
+/**
+ * Estimate transaction size in bytes for P2PKH.
+ * ~148 bytes per input, ~34 bytes per output, 10 bytes overhead.
+ */
+export declare function estimateBtcFee(numInputs: number, numOutputs: number, feeRate: number): number;
+/**
+ * Select UTXOs to cover the target amount + estimated fee.
+ * Greedy largest-first selection. Re-estimates fee after selection.
+ */
+export declare function selectBtcUTXOs(utxos: BtcUTXO[], targetAmount: number, feeRate: number): {
+    selected: BtcUTXO[];
+    fee: number;
+    totalInput: number;
+};
+/**
+ * Compute the legacy P2PKH sighash for a specific input.
+ *
+ * For each input being signed:
+ * 1. Copy the transaction
+ * 2. Set all input scriptSigs to empty
+ * 3. Set the current input's scriptSig to the previous output's scriptPubKey
+ * 4. Append SIGHASH_ALL (0x01000000) as 4 bytes LE
+ * 5. Double-SHA256 the result
+ */
+export declare function computeBtcSighash(inputs: BtcInput[], outputs: BtcOutput[], inputIndex: number, hashType?: number): Buffer;
+/**
+ * Build an unsigned Bitcoin P2PKH transaction.
+ *
+ * Returns the per-input sighashes that need to be signed via MPC,
+ * plus the internal tx structure needed for signature attachment.
+ */
+export declare function buildUnsignedBtcTx(utxos: BtcUTXO[], txOutputs: BtcTxOutput[], changeAddress: string, fee: number): {
+    sighashes: Buffer[];
+    inputs: BtcInput[];
+    outputs: BtcOutput[];
+};
+/**
+ * Attach DER signatures to an unsigned transaction.
+ * Returns the fully serialized signed transaction as a Buffer.
+ */
+export declare function attachBtcSignatures(inputs: BtcInput[], outputs: BtcOutput[], signatures: Buffer[], pubkey: Buffer): Buffer;
+/**
+ * Serialize a Bitcoin transaction (version 1, no witness).
+ * If scriptSigs is provided, inputs get signed scriptSigs.
+ * Otherwise inputs get empty scriptSigs (unsigned).
+ */
+export declare function serializeBtcTx(inputs: BtcInput[], outputs: BtcOutput[], scriptSigs?: Buffer[]): Buffer;
+/**
+ * Broadcast a signed transaction via Blockstream API.
+ * Returns the txid on success.
+ */
+export declare function broadcastBtcTx(rawHex: string, network?: BtcNetwork): Promise<string>;
+export {};

package/dist/btc-tx-builder.js

@@ -0,0 +1,373 @@
+/**
+ * Bitcoin P2PKH transaction builder.
+ *
+ * Builds legacy (non-segwit) P2PKH transactions for MPC-signed spends.
+ * The signing itself happens via Ika dWallet (secp256k1 ECDSA).
+ * This module handles UTXO fetch, TX structure, sighash computation,
+ * signature attachment, and broadcast via Blockstream API.
+ */
+import { createHash } from "node:crypto";
+// SIGHASH flags
+const SIGHASH_ALL = 0x01;
+// Script opcodes for P2PKH
+const OP_DUP = 0x76;
+const OP_HASH160 = 0xa9;
+const OP_EQUALVERIFY = 0x88;
+const OP_CHECKSIG = 0xac;
+// Bitcoin address version bytes
+const BTC_ADDR_VERSION = {
+    mainnet: 0x00,
+    testnet: 0x6f,
+};
+const BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function sha256(data) {
+    return createHash("sha256").update(data).digest();
+}
+function doubleSha256(data) {
+    return sha256(sha256(data));
+}
+function hash160(data) {
+    return createHash("ripemd160").update(sha256(data)).digest();
+}
+// Write uint32 little-endian
+function writeU32LE(buf, value, offset) {
+    buf.writeUInt32LE(value >>> 0, offset);
+}
+// Write int64 little-endian (as two uint32s, safe for values < 2^53)
+function writeI64LE(buf, value, offset) {
+    buf.writeUInt32LE(value & 0xffffffff, offset);
+    buf.writeUInt32LE(Math.floor(value / 0x100000000) & 0xffffffff, offset + 4);
+}
+// Compact size encoding (Bitcoin varint)
+function compactSize(n) {
+    if (n < 0xfd) {
+        return Buffer.from([n]);
+    }
+    else if (n <= 0xffff) {
+        const buf = Buffer.alloc(3);
+        buf[0] = 0xfd;
+        buf.writeUInt16LE(n, 1);
+        return buf;
+    }
+    else {
+        const buf = Buffer.alloc(5);
+        buf[0] = 0xfe;
+        buf.writeUInt32LE(n, 1);
+        return buf;
+    }
+}
+// Reverse a hex-encoded txid (Bitcoin internal byte order is reversed)
+function reverseTxid(txid) {
+    const buf = Buffer.from(txid, "hex");
+    if (buf.length !== 32)
+        throw new Error(`Invalid txid length: ${buf.length}`);
+    return Buffer.from(buf.reverse());
+}
+// Decode a Bitcoin base58check address to its 20-byte pubkey hash
+function decodeBtcAddress(addr) {
+    let num = BigInt(0);
+    for (const c of addr) {
+        const idx = BASE58_ALPHABET.indexOf(c);
+        if (idx < 0)
+            throw new Error(`Invalid base58 character: ${c}`);
+        num = num * 58n + BigInt(idx);
+    }
+    // 25 bytes: 1 version + 20 hash + 4 checksum
+    const bytes = new Uint8Array(25);
+    for (let i = 24; i >= 0; i--) {
+        bytes[i] = Number(num & 0xffn);
+        num = num >> 8n;
+    }
+    // Verify checksum
+    const payload = bytes.subarray(0, 21);
+    const checksum = doubleSha256(payload).subarray(0, 4);
+    for (let i = 0; i < 4; i++) {
+        if (bytes[21 + i] !== checksum[i]) {
+            throw new Error(`Invalid address checksum: ${addr}`);
+        }
+    }
+    const version = bytes[0];
+    let network;
+    if (version === BTC_ADDR_VERSION.mainnet) {
+        network = "mainnet";
+    }
+    else if (version === BTC_ADDR_VERSION.testnet) {
+        network = "testnet";
+    }
+    else {
+        throw new Error(`Unknown address version byte: 0x${version.toString(16)}`);
+    }
+    return {
+        pubkeyHash: Buffer.from(bytes.subarray(1, 21)),
+        network,
+    };
+}
+// Build a P2PKH scriptPubKey from a 20-byte pubkey hash
+function p2pkhScript(pubkeyHash) {
+    const script = Buffer.alloc(25);
+    script[0] = OP_DUP;
+    script[1] = OP_HASH160;
+    script[2] = 0x14; // push 20 bytes
+    pubkeyHash.copy(script, 3);
+    script[23] = OP_EQUALVERIFY;
+    script[24] = OP_CHECKSIG;
+    return script;
+}
+// Build P2PKH scriptPubKey from a Bitcoin address string
+function scriptFromAddress(addr) {
+    const { pubkeyHash } = decodeBtcAddress(addr);
+    return p2pkhScript(pubkeyHash);
+}
+// Blockstream API base URL
+function apiBase(network) {
+    return network === "mainnet"
+        ? "https://blockstream.info/api"
+        : "https://blockstream.info/testnet/api";
+}
+/**
+ * Fetch UTXOs for a Bitcoin P2PKH address from Blockstream API.
+ */
+export async function fetchBtcUTXOs(address, network = "mainnet") {
+    const base = apiBase(network);
+    const resp = await fetch(`${base}/address/${address}/utxo`);
+    if (!resp.ok) {
+        throw new Error(`Blockstream API error: ${resp.status} ${resp.statusText}`);
+    }
+    const data = (await resp.json());
+    // Blockstream returns {txid, vout, status, value} but no scriptPubKey.
+    // For P2PKH we can derive scriptPubKey from the address.
+    const { pubkeyHash } = decodeBtcAddress(address);
+    const script = p2pkhScript(pubkeyHash).toString("hex");
+    return data.map((u) => ({
+        txid: u.txid,
+        vout: u.vout,
+        scriptPubKey: script,
+        value: u.value,
+    }));
+}
+/**
+ * Estimate transaction size in bytes for P2PKH.
+ * ~148 bytes per input, ~34 bytes per output, 10 bytes overhead.
+ */
+export function estimateBtcFee(numInputs, numOutputs, feeRate // sat/vbyte
+) {
+    const size = 10 + numInputs * 148 + numOutputs * 34;
+    return Math.ceil(size * feeRate);
+}
+/**
+ * Select UTXOs to cover the target amount + estimated fee.
+ * Greedy largest-first selection. Re-estimates fee after selection.
+ */
+export function selectBtcUTXOs(utxos, targetAmount, feeRate // sat/vbyte
+) {
+    const sorted = [...utxos].sort((a, b) => b.value - a.value);
+    const selected = [];
+    let total = 0;
+    // Initial estimate: 1 output + 1 change output
+    for (const u of sorted) {
+        selected.push(u);
+        total += u.value;
+        const fee = estimateBtcFee(selected.length, 2, feeRate);
+        if (total >= targetAmount + fee)
+            break;
+    }
+    const fee = estimateBtcFee(selected.length, 2, feeRate);
+    if (total < targetAmount + fee) {
+        throw new Error(`Insufficient funds: have ${total} sats, need ${targetAmount + fee} (${targetAmount} + ${fee} fee)`);
+    }
+    return { selected, fee, totalInput: total };
+}
+/**
+ * Compute the legacy P2PKH sighash for a specific input.
+ *
+ * For each input being signed:
+ * 1. Copy the transaction
+ * 2. Set all input scriptSigs to empty
+ * 3. Set the current input's scriptSig to the previous output's scriptPubKey
+ * 4. Append SIGHASH_ALL (0x01000000) as 4 bytes LE
+ * 5. Double-SHA256 the result
+ */
+export function computeBtcSighash(inputs, outputs, inputIndex, hashType = SIGHASH_ALL) {
+    const parts = [];
+    // version
+    const ver = Buffer.alloc(4);
+    writeU32LE(ver, 1, 0);
+    parts.push(ver);
+    // input count
+    parts.push(compactSize(inputs.length));
+    // inputs
+    for (let i = 0; i < inputs.length; i++) {
+        const inp = inputs[i];
+        // prevout (txid + vout)
+        const outpoint = Buffer.alloc(36);
+        inp.prevTxid.copy(outpoint, 0);
+        writeU32LE(outpoint, inp.prevIndex, 32);
+        parts.push(outpoint);
+        // scriptSig: empty for all inputs except the one being signed
+        if (i === inputIndex) {
+            parts.push(compactSize(inp.scriptPubKey.length));
+            parts.push(inp.scriptPubKey);
+        }
+        else {
+            parts.push(compactSize(0));
+        }
+        // sequence
+        const seq = Buffer.alloc(4);
+        writeU32LE(seq, inp.sequence, 0);
+        parts.push(seq);
+    }
+    // output count
+    parts.push(compactSize(outputs.length));
+    // outputs
+    for (const out of outputs) {
+        const valueBuf = Buffer.alloc(8);
+        writeI64LE(valueBuf, out.value, 0);
+        parts.push(valueBuf);
+        parts.push(compactSize(out.script.length));
+        parts.push(out.script);
+    }
+    // locktime
+    const lt = Buffer.alloc(4);
+    writeU32LE(lt, 0, 0);
+    parts.push(lt);
+    // Append hash type as 4 bytes LE
+    const ht = Buffer.alloc(4);
+    writeU32LE(ht, hashType, 0);
+    parts.push(ht);
+    return doubleSha256(Buffer.concat(parts));
+}
+/**
+ * Build an unsigned Bitcoin P2PKH transaction.
+ *
+ * Returns the per-input sighashes that need to be signed via MPC,
+ * plus the internal tx structure needed for signature attachment.
+ */
+export function buildUnsignedBtcTx(utxos, txOutputs, changeAddress, fee) {
+    if (utxos.length === 0)
+        throw new Error("No UTXOs provided");
+    // Build inputs
+    const inputs = utxos.map((u) => ({
+        prevTxid: reverseTxid(u.txid),
+        prevIndex: u.vout,
+        scriptPubKey: Buffer.from(u.scriptPubKey, "hex"),
+        value: u.value,
+        sequence: 0xffffffff,
+    }));
+    // Build outputs
+    const totalInput = utxos.reduce((s, u) => s + u.value, 0);
+    const totalOutput = txOutputs.reduce((s, o) => s + o.value, 0);
+    const change = totalInput - totalOutput - fee;
+    const outputs = txOutputs.map((o) => ({
+        value: o.value,
+        script: scriptFromAddress(o.address),
+    }));
+    if (change > 0) {
+        // Dust threshold: skip change if below 546 satoshis
+        if (change >= 546) {
+            outputs.push({ value: change, script: scriptFromAddress(changeAddress) });
+        }
+    }
+    else if (change < 0) {
+        throw new Error(`UTXOs total ${totalInput} < outputs ${totalOutput} + fee ${fee}`);
+    }
+    // Compute per-input sighashes
+    const sighashes = [];
+    for (let i = 0; i < inputs.length; i++) {
+        sighashes.push(computeBtcSighash(inputs, outputs, i, SIGHASH_ALL));
+    }
+    return { sighashes, inputs, outputs };
+}
+/**
+ * Build a P2PKH scriptSig from a DER signature and compressed pubkey.
+ *
+ * Format: <sig_length> <DER_sig + SIGHASH_ALL_byte> <pubkey_length> <compressed_pubkey>
+ */
+function buildScriptSig(derSig, pubkey) {
+    const sigWithHashType = Buffer.concat([derSig, Buffer.from([SIGHASH_ALL])]);
+    const parts = [
+        Buffer.from([sigWithHashType.length]),
+        sigWithHashType,
+        Buffer.from([pubkey.length]),
+        pubkey,
+    ];
+    return Buffer.concat(parts);
+}
+/**
+ * Attach DER signatures to an unsigned transaction.
+ * Returns the fully serialized signed transaction as a Buffer.
+ */
+export function attachBtcSignatures(inputs, outputs, signatures, pubkey) {
+    if (signatures.length !== inputs.length) {
+        throw new Error(`Expected ${inputs.length} signatures, got ${signatures.length}`);
+    }
+    if (pubkey.length !== 33) {
+        throw new Error(`Expected 33-byte compressed pubkey, got ${pubkey.length}`);
+    }
+    const scriptSigs = signatures.map((sig) => buildScriptSig(sig, pubkey));
+    return serializeBtcTx(inputs, outputs, scriptSigs);
+}
+/**
+ * Serialize a Bitcoin transaction (version 1, no witness).
+ * If scriptSigs is provided, inputs get signed scriptSigs.
+ * Otherwise inputs get empty scriptSigs (unsigned).
+ */
+export function serializeBtcTx(inputs, outputs, scriptSigs) {
+    const parts = [];
+    // version: 4 bytes LE
+    const ver = Buffer.alloc(4);
+    writeU32LE(ver, 1, 0);
+    parts.push(ver);
+    // input count
+    parts.push(compactSize(inputs.length));
+    // inputs
+    for (let i = 0; i < inputs.length; i++) {
+        const inp = inputs[i];
+        // prevout
+        const outpoint = Buffer.alloc(36);
+        inp.prevTxid.copy(outpoint, 0);
+        writeU32LE(outpoint, inp.prevIndex, 32);
+        parts.push(outpoint);
+        // scriptSig
+        const sig = scriptSigs ? scriptSigs[i] : Buffer.alloc(0);
+        parts.push(compactSize(sig.length));
+        if (sig.length > 0)
+            parts.push(sig);
+        // sequence
+        const seq = Buffer.alloc(4);
+        writeU32LE(seq, inp.sequence, 0);
+        parts.push(seq);
+    }
+    // output count
+    parts.push(compactSize(outputs.length));
+    // outputs
+    for (const out of outputs) {
+        const valueBuf = Buffer.alloc(8);
+        writeI64LE(valueBuf, out.value, 0);
+        parts.push(valueBuf);
+        parts.push(compactSize(out.script.length));
+        parts.push(out.script);
+    }
+    // locktime: 4 bytes LE
+    const lt = Buffer.alloc(4);
+    writeU32LE(lt, 0, 0);
+    parts.push(lt);
+    return Buffer.concat(parts);
+}
+/**
+ * Broadcast a signed transaction via Blockstream API.
+ * Returns the txid on success.
+ */
+export async function broadcastBtcTx(rawHex, network = "mainnet") {
+    const base = apiBase(network);
+    const resp = await fetch(`${base}/tx`, {
+        method: "POST",
+        headers: { "Content-Type": "text/plain" },
+        body: rawHex,
+    });
+    if (!resp.ok) {
+        const body = await resp.text();
+        throw new Error(`Broadcast failed: ${resp.status} ${body}`);
+    }
+    // Blockstream returns the txid as plain text
+    return (await resp.text()).trim();
+}

package/dist/index.d.ts

@@ -16,6 +16,8 @@
 export { Curve, Hash, SignatureAlgorithm, IkaClient, IkaTransaction, UserShareEncryptionKeys, getNetworkConfig, createClassGroupsKeypair, createRandomSessionIdentifier, prepareDKG, prepareDKGAsync, prepareDKGSecondRound, prepareDKGSecondRoundAsync, createDKGUserOutput, publicKeyFromDWalletOutput, parseSignatureFromSignOutput, } from "@ika.xyz/sdk";
 export { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, } from "./tx-builder.js";
 export type { UTXO } from "./tx-builder.js";
+export { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, serializeBtcTx, broadcastBtcTx, estimateBtcFee, computeBtcSighash, } from "./btc-tx-builder.js";
+export type { BtcUTXO, BtcTxOutput, BtcNetwork } from "./btc-tx-builder.js";
 export type Chain = "zcash-transparent" | "bitcoin" | "ethereum";
 export interface ZcashIkaConfig {
     /** Ika network: mainnet or testnet */
@@ -71,6 +73,19 @@ export declare const CHAIN_PARAMS: {
  *   4. Base58 encode (version + hash + checksum)
  */
 export declare function deriveZcashAddress(publicKey: Uint8Array, network?: "mainnet" | "testnet"): string;
+/**
+ * Derive a Bitcoin P2PKH address from a compressed secp256k1 public key.
+ *
+ * Same as Zcash transparent but with a 1-byte version prefix:
+ *   mainnet 0x00 (1...), testnet 0x6f (m.../n...)
+ *
+ * Steps:
+ *   1. SHA256(pubkey) then RIPEMD160 = 20-byte hash
+ *   2. Prepend 1-byte version
+ *   3. Double-SHA256 checksum (first 4 bytes)
+ *   4. Base58 encode (version + hash + checksum)
+ */
+export declare function deriveBitcoinAddress(publicKey: Uint8Array, network?: "mainnet" | "testnet"): string;
 export interface DWalletHandle {
     /** dWallet object ID on Sui */
     id: string;
@@ -215,7 +230,14 @@ export declare function checkPolicy(config: ZcashIkaConfig, policyId: string, am
 export declare function spendTransparent(config: ZcashIkaConfig, walletId: string, encryptionSeed: string, request: SpendRequest): Promise<SpendResult>;
 /**
  * Spend from a Bitcoin wallet.
- * Same MPC flow as Zcash transparent - DoubleSHA256 sighash, ECDSA signature.
+ *
+ * Full pipeline:
+ * 1. Fetch UTXOs from Blockstream API
+ * 2. Build unsigned TX, compute legacy P2PKH sighashes
+ * 3. Sign each sighash via Ika 2PC-MPC
+ * 4. Attach signatures, serialize signed TX
+ * 5. Broadcast via Blockstream API
+ * 6. Attest to ZAP1 as AGENT_ACTION
  */
 export declare function spendBitcoin(config: ZcashIkaConfig, walletId: string, encryptionSeed: string, request: SpendRequest): Promise<SpendResult>;
 /**

package/dist/index.js

@@ -21,6 +21,8 @@ import { decodeSuiPrivateKey } from "@mysten/sui/cryptography";
 import { createHash } from "node:crypto";
 import { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, } from "./tx-builder.js";
 export { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, } from "./tx-builder.js";
+import { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, broadcastBtcTx, } from "./btc-tx-builder.js";
+export { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, serializeBtcTx, broadcastBtcTx, estimateBtcFee, computeBtcSighash, } from "./btc-tx-builder.js";
 const IKA_COIN_TYPE = "0x1f26bb2f711ff82dcda4d02c77d5123089cb7f8418751474b9fb744ce031526a::ika::IKA";
 /** Parameters for dWallet creation per chain.
  *
@@ -118,6 +120,45 @@ export function deriveZcashAddress(publicKey, network = "mainnet") {
     full.set(checksum, 22);
     return base58Encode(full);
 }
+// Bitcoin P2PKH version bytes (1 byte each)
+const BITCOIN_VERSION_BYTE = {
+    mainnet: 0x00, // 1...
+    testnet: 0x6f, // m... or n...
+};
+/**
+ * Derive a Bitcoin P2PKH address from a compressed secp256k1 public key.
+ *
+ * Same as Zcash transparent but with a 1-byte version prefix:
+ *   mainnet 0x00 (1...), testnet 0x6f (m.../n...)
+ *
+ * Steps:
+ *   1. SHA256(pubkey) then RIPEMD160 = 20-byte hash
+ *   2. Prepend 1-byte version
+ *   3. Double-SHA256 checksum (first 4 bytes)
+ *   4. Base58 encode (version + hash + checksum)
+ */
+export function deriveBitcoinAddress(publicKey, network = "mainnet") {
+    if (publicKey.length !== 33) {
+        throw new Error(`Expected 33-byte compressed secp256k1 pubkey, got ${publicKey.length} bytes`);
+    }
+    const prefix = publicKey[0];
+    if (prefix !== 0x02 && prefix !== 0x03) {
+        throw new Error(`Invalid compressed pubkey prefix 0x${prefix.toString(16)}, expected 0x02 or 0x03`);
+    }
+    const pubkeyHash = hash160(publicKey); // 20 bytes
+    const version = BITCOIN_VERSION_BYTE[network];
+    // version (1) + hash160 (20) = 21 bytes
+    const payload = new Uint8Array(21);
+    payload[0] = version;
+    payload.set(pubkeyHash, 1);
+    // checksum: first 4 bytes of SHA256(SHA256(payload))
+    const checksum = sha256(sha256(payload)).subarray(0, 4);
+    // final: payload (21) + checksum (4) = 25 bytes
+    const full = new Uint8Array(25);
+    full.set(payload, 0);
+    full.set(checksum, 21);
+    return base58Encode(full);
+}
 // Default poll settings for testnet (epochs can be slow)
 const POLL_OPTS = {
     timeout: 300_000,
@@ -276,6 +317,9 @@ export async function createWallet(config, chain, _operatorSeed) {
     if (pubkey && pubkey.length === 33 && chain === "zcash-transparent") {
         derivedAddress = deriveZcashAddress(pubkey, config.network);
     }
+    else if (pubkey && pubkey.length === 33 && chain === "bitcoin") {
+        derivedAddress = deriveBitcoinAddress(pubkey, config.network);
+    }
     return {
         id: dwalletId,
         publicKey: pubkey || new Uint8Array(0),
@@ -709,11 +753,93 @@ export async function spendTransparent(config, walletId, encryptionSeed, request
 }
 /**
  * Spend from a Bitcoin wallet.
- * Same MPC flow as Zcash transparent - DoubleSHA256 sighash, ECDSA signature.
+ *
+ * Full pipeline:
+ * 1. Fetch UTXOs from Blockstream API
+ * 2. Build unsigned TX, compute legacy P2PKH sighashes
+ * 3. Sign each sighash via Ika 2PC-MPC
+ * 4. Attach signatures, serialize signed TX
+ * 5. Broadcast via Blockstream API
+ * 6. Attest to ZAP1 as AGENT_ACTION
  */
 export async function spendBitcoin(config, walletId, encryptionSeed, request) {
-    throw new Error("spendBitcoin requires Bitcoin tx builder. " +
-        "Use sign() with chain='bitcoin' and a pre-computed sighash for now.");
+    // Fetch the dWallet to get the public key
+    const { ikaClient } = await initClients(config);
+    const dWallet = await ikaClient.getDWallet(walletId);
+    if (!dWallet?.state?.Active) {
+        throw new Error(`dWallet ${walletId} not Active`);
+    }
+    const rawOutput = dWallet.state.Active.public_output;
+    const outputBytes = new Uint8Array(Array.isArray(rawOutput) ? rawOutput : Array.from(rawOutput));
+    const pubkey = await publicKeyFromDWalletOutput(Curve.SECP256K1, outputBytes);
+    if (!pubkey || pubkey.length !== 33) {
+        throw new Error("Could not extract 33-byte compressed pubkey from dWallet");
+    }
+    const btcNetwork = config.network === "mainnet" ? "mainnet" : "testnet";
+    // Derive our BTC address from the pubkey
+    const ourAddress = deriveBitcoinAddress(pubkey, btcNetwork);
+    // Step 1: Fetch UTXOs
+    const allUtxos = await fetchBtcUTXOs(ourAddress, btcNetwork);
+    if (allUtxos.length === 0) {
+        throw new Error(`No UTXOs found for ${ourAddress}`);
+    }
+    // Step 2: Select UTXOs and build unsigned TX
+    const feeRate = 10; // sat/vbyte, conservative default
+    const { selected, fee } = selectBtcUTXOs(allUtxos, request.amount, feeRate);
+    const { sighashes, inputs, outputs } = buildUnsignedBtcTx(selected, [{ address: request.to, value: request.amount }], ourAddress, // change back to our address
+    fee);
+    // Step 3: Sign each sighash via MPC
+    const signatures = [];
+    for (const sighash of sighashes) {
+        const signResult = await sign(config, {
+            messageHash: new Uint8Array(sighash),
+            walletId,
+            chain: "bitcoin",
+            encryptionSeed,
+        });
+        signatures.push(Buffer.from(signResult.signature));
+    }
+    // Step 4: Attach signatures and serialize
+    const signedTx = attachBtcSignatures(inputs, outputs, signatures, Buffer.from(pubkey));
+    const txHex = signedTx.toString("hex");
+    // Step 5: Broadcast
+    const broadcastTxid = await broadcastBtcTx(txHex, btcNetwork);
+    // Step 6: Attest to ZAP1
+    let leafHash = "";
+    if (config.zap1ApiUrl && config.zap1ApiKey) {
+        try {
+            const attestResp = await fetch(`${config.zap1ApiUrl}/attest`, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json",
+                    "Authorization": `Bearer ${config.zap1ApiKey}`,
+                },
+                body: JSON.stringify({
+                    event_type: "AGENT_ACTION",
+                    agent_id: walletId,
+                    action: "bitcoin_spend",
+                    chain_txid: broadcastTxid,
+                    recipient: request.to,
+                    amount: request.amount,
+                    fee,
+                    memo: request.memo || "",
+                }),
+            });
+            if (attestResp.ok) {
+                const attestData = (await attestResp.json());
+                leafHash = attestData.leaf_hash || "";
+            }
+        }
+        catch {
+            // Attestation failure is non-fatal - tx already broadcast
+        }
+    }
+    return {
+        txid: broadcastTxid,
+        leafHash,
+        chain: "bitcoin",
+        policyChecked: false,
+    };
 }
 /**
  * Verify the wallet's attestation history via ZAP1.

package/dist/tx-builder.d.ts

@@ -9,6 +9,7 @@
 export declare const BRANCH_ID: {
     readonly NU5: 3268858036;
     readonly NU6: 3370586197;
+    readonly NU61: 1307332080;
 };
 export interface UTXO {
     txid: string;

package/dist/tx-builder.js

@@ -16,6 +16,7 @@ const TX_VERSION_GROUP_ID = 0x26a7270a;
 export const BRANCH_ID = {
     NU5: 0xc2d6d0b4,
     NU6: 0xc8e71055,
+    NU61: 0x4dec4df0,
 };
 // SIGHASH flags
 const SIGHASH_ALL = 0x01;
@@ -159,7 +160,7 @@ function hashPrevouts(inputs, branchId) {
         parts.push(outpoint);
     }
     const data = Buffer.concat(parts);
-    return blake2b256(data, personalization("ZTxIdPrevoutHash", branchIdBytes(branchId)));
+    return blake2b256(data, personalization("ZTxIdPrevoutHash"));
 }
 // Hash of all input amounts
 function hashAmounts(inputs, branchId) {
@@ -167,7 +168,7 @@ function hashAmounts(inputs, branchId) {
     for (let i = 0; i < inputs.length; i++) {
         writeI64LE(data, inputs[i].value, i * 8);
     }
-    return blake2b256(data, personalization("ZTxTrAmountsHash", branchIdBytes(branchId)));
+    return blake2b256(data, personalization("ZTxTrAmountsHash"));
 }
 // Hash of all input scriptPubKeys
 function hashScriptPubKeys(inputs, branchId) {
@@ -177,7 +178,7 @@ function hashScriptPubKeys(inputs, branchId) {
         parts.push(inp.script);
     }
     const data = Buffer.concat(parts);
-    return blake2b256(data, personalization("ZTxTrScriptsHash", branchIdBytes(branchId)));
+    return blake2b256(data, personalization("ZTxTrScriptsHash"));
 }
 // Hash of all sequences
 function hashSequences(inputs, branchId) {
@@ -185,7 +186,7 @@ function hashSequences(inputs, branchId) {
     for (let i = 0; i < inputs.length; i++) {
         writeU32LE(data, inputs[i].sequence, i * 4);
     }
-    return blake2b256(data, personalization("ZTxIdSequencHash", branchIdBytes(branchId)));
+    return blake2b256(data, personalization("ZTxIdSequencHash"));
 }
 // Hash of all transparent outputs
 function hashOutputs(outputs, branchId) {
@@ -198,70 +199,66 @@ function hashOutputs(outputs, branchId) {
         parts.push(out.script);
     }
     const data = Buffer.concat(parts);
-    return blake2b256(data, personalization("ZTxIdOutputsHash", branchIdBytes(branchId)));
+    return blake2b256(data, personalization("ZTxIdOutputsHash"));
 }
-// Transparent inputs digest (ZIP 244 section T.3a)
-function transparentInputsDigest(inputs, branchId) {
-    const prevoutsHash = hashPrevouts(inputs, branchId);
-    const amountsHash = hashAmounts(inputs, branchId);
-    const scriptPubKeysHash = hashScriptPubKeys(inputs, branchId);
-    const sequencesHash = hashSequences(inputs, branchId);
-    const data = Buffer.concat([prevoutsHash, amountsHash, scriptPubKeysHash, sequencesHash]);
-    return blake2b256(data, personalization("ZTxIdTrInHash__", branchIdBytes(branchId)));
-}
-// Transparent outputs digest (ZIP 244 section T.3b)
-function transparentOutputsDigest(outputs, branchId) {
-    const outputsHash = hashOutputs(outputs, branchId);
-    return blake2b256(outputsHash, personalization("ZTxIdTrOutHash_", branchIdBytes(branchId)));
-}
-// Full transparent digest for txid (ZIP 244 T.3)
+// Full transparent digest for txid (ZIP 244 T.2)
+// transparent_digest = BLAKE2b("ZTxIdTranspaHash", prevouts || sequences || outputs)
 function transparentDigest(inputs, outputs, branchId) {
     if (inputs.length === 0 && outputs.length === 0) {
-        return blake2b256(Buffer.alloc(0), personalization("ZTxIdTranspaHash", branchIdBytes(branchId)));
+        return blake2b256(Buffer.alloc(0), personalization("ZTxIdTranspaHash"));
     }
-    const inDigest = transparentInputsDigest(inputs, branchId);
-    const outDigest = transparentOutputsDigest(outputs, branchId);
-    return blake2b256(Buffer.concat([inDigest, outDigest]), personalization("ZTxIdTranspaHash", branchIdBytes(branchId)));
+    const prevoutsDigest = hashPrevouts(inputs, branchId);
+    const sequenceDigest = hashSequences(inputs, branchId);
+    const outputsDigest = hashOutputs(outputs, branchId);
+    return blake2b256(Buffer.concat([prevoutsDigest, sequenceDigest, outputsDigest]), personalization("ZTxIdTranspaHash"));
 }
 // Sapling digest (empty bundle)
-function emptyBundleDigest(tag, branchId) {
-    return blake2b256(Buffer.alloc(0), personalization(tag, branchIdBytes(branchId)));
+function emptyBundleDigest(tag) {
+    return blake2b256(Buffer.alloc(0), personalization(tag));
 }
 // Header digest (ZIP 244 T.1)
 function headerDigest(version, versionGroupId, branchId, lockTime, expiryHeight) {
     const data = Buffer.alloc(4 + 4 + 4 + 4 + 4);
-    writeU32LE(data, version, 0);
+    writeU32LE(data, (version | (1 << 31)) >>> 0, 0);
     writeU32LE(data, versionGroupId, 4);
     writeU32LE(data, branchId, 8);
     writeU32LE(data, lockTime, 12);
     writeU32LE(data, expiryHeight, 16);
-    return blake2b256(data, personalization("ZTxIdHeadersHash", branchIdBytes(branchId)));
+    return blake2b256(data, personalization("ZTxIdHeadersHash"));
 }
 // Transaction digest for txid (ZIP 244 T)
 function txidDigest(inputs, outputs, branchId, lockTime, expiryHeight) {
     const hdrDigest = headerDigest(TX_VERSION, TX_VERSION_GROUP_ID, branchId, lockTime, expiryHeight);
     const txpDigest = transparentDigest(inputs, outputs, branchId);
-    const sapDigest = emptyBundleDigest("ZTxIdSaplingHash", branchId);
-    const orchDigest = emptyBundleDigest("ZTxIdOrchardHash", branchId);
+    const sapDigest = emptyBundleDigest("ZTxIdSaplingHash");
+    const orchDigest = emptyBundleDigest("ZTxIdOrchardHash");
     return blake2b256(Buffer.concat([hdrDigest, txpDigest, sapDigest, orchDigest]), personalization("ZcashTxHash__", branchIdBytes(branchId)));
 }
-// Per-input sighash for signing (ZIP 244 S.2 - transparent)
-// This is the hash that actually gets signed by ECDSA
+// Per-input sighash for signing (ZIP 244 signature_digest)
+// Structure: BLAKE2b("ZcashTxHash_" || BRANCH_ID,
+//   S.1: header_digest
+//   S.2: transparent_sig_digest (NOT the txid transparent digest)
+//   S.3: sapling_digest
+//   S.4: orchard_digest
+// )
 function transparentSighash(inputs, outputs, branchId, lockTime, expiryHeight, inputIndex, hashType) {
-    // T.1: header digest
+    // S.1: header digest (same as T.1)
     const hdrDigest = headerDigest(TX_VERSION, TX_VERSION_GROUP_ID, branchId, lockTime, expiryHeight);
-    // T.3: transparent digest (full, for the txid computation)
-    const txpDigest = transparentDigest(inputs, outputs, branchId);
-    // T.4: sapling digest (empty)
-    const sapDigest = emptyBundleDigest("ZTxIdSaplingHash", branchId);
-    // T.5: orchard digest (empty)
-    const orchDigest = emptyBundleDigest("ZTxIdOrchardHash", branchId);
-    // S.2: per-input transparent sighash data
-    // hash_type (1 byte)
-    // prevout (32 + 4 bytes)
-    // value (8 bytes)
-    // scriptPubKey (compact size + script bytes)
-    // sequence (4 bytes)
+    // S.2: transparent_sig_digest
+    // For SIGHASH_ALL without ANYONECANPAY:
+    // S.2a: hash_type (1 byte)
+    // S.2b: prevouts_sig_digest = prevouts_digest (same as T.2a)
+    // S.2c: amounts_sig_digest
+    // S.2d: scriptpubkeys_sig_digest
+    // S.2e: sequence_sig_digest = sequence_digest (same as T.2b)
+    // S.2f: outputs_sig_digest = outputs_digest (same as T.2c)
+    // S.2g: txin_sig_digest (per-input)
+    const prevoutsSigDigest = hashPrevouts(inputs, branchId);
+    const amountsSigDigest = hashAmounts(inputs, branchId);
+    const scriptpubkeysSigDigest = hashScriptPubKeys(inputs, branchId);
+    const sequenceSigDigest = hashSequences(inputs, branchId);
+    const outputsSigDigest = hashOutputs(outputs, branchId);
+    // S.2g: txin_sig_digest for the input being signed
     const inp = inputs[inputIndex];
     const prevout = Buffer.alloc(36);
     inp.prevTxid.copy(prevout, 0);
@@ -270,17 +267,23 @@ function transparentSighash(inputs, outputs, branchId, lockTime, expiryHeight, i
     writeI64LE(valueBuf, inp.value, 0);
     const seqBuf = Buffer.alloc(4);
     writeU32LE(seqBuf, inp.sequence, 0);
-    const txinSigDigestData = Buffer.concat([
+    const txinSigDigest = blake2b256(Buffer.concat([prevout, valueBuf, compactSize(inp.script.length), inp.script, seqBuf]), personalization("Zcash___TxInHash"));
+    // S.2: transparent_sig_digest
+    const transparentSigDigest = blake2b256(Buffer.concat([
         Buffer.from([hashType]),
-        prevout,
-        valueBuf,
-        compactSize(inp.script.length),
-        inp.script,
-        seqBuf,
-    ]);
-    const txinSigDigest = blake2b256(txinSigDigestData, personalization("Zcash___TxInHash", branchIdBytes(branchId)));
-    // Final sighash: BLAKE2b of all digests
-    return blake2b256(Buffer.concat([hdrDigest, txpDigest, sapDigest, orchDigest, txinSigDigest]), personalization("ZcashTxHash__", branchIdBytes(branchId)));
+        prevoutsSigDigest,
+        amountsSigDigest,
+        scriptpubkeysSigDigest,
+        sequenceSigDigest,
+        outputsSigDigest,
+        txinSigDigest,
+    ]), personalization("ZTxIdTranspaHash"));
+    // S.3: sapling digest (empty)
+    const sapDigest = emptyBundleDigest("ZTxIdSaplingHash");
+    // S.4: orchard digest (empty)
+    const orchDigest = emptyBundleDigest("ZTxIdOrchardHash");
+    // Final signature_digest
+    return blake2b256(Buffer.concat([hdrDigest, transparentSigDigest, sapDigest, orchDigest]), personalization("ZcashTxHash_", branchIdBytes(branchId)));
 }
 // Serialize a v5 transparent-only transaction to raw bytes.
 // If scriptSigs is provided, inputs get signed scriptSigs.
@@ -402,7 +405,7 @@ export function selectUTXOs(utxos, targetAmount, fee) {
  * Returns the unsigned serialized TX and per-input sighashes
  * that need to be signed via MPC.
  */
-export function buildUnsignedTx(utxos, recipient, amount, fee = 10000, changeAddress, branchId = BRANCH_ID.NU5) {
+export function buildUnsignedTx(utxos, recipient, amount, fee = 10000, changeAddress, branchId = BRANCH_ID.NU61) {
     if (utxos.length === 0)
         throw new Error("No UTXOs provided");
     if (amount <= 0)
@@ -467,7 +470,7 @@ function buildScriptSig(derSig, pubkey) {
  * DER-encoded signatures from MPC, and the compressed pubkey.
  * Returns hex-encoded signed transaction ready for broadcast.
  */
-export function attachSignatures(utxos, recipient, amount, fee, changeAddress, signatures, pubkey, branchId = BRANCH_ID.NU5) {
+export function attachSignatures(utxos, recipient, amount, fee, changeAddress, signatures, pubkey, branchId = BRANCH_ID.NU61) {
     if (signatures.length !== utxos.length) {
         throw new Error(`Expected ${utxos.length} signatures, got ${signatures.length}`);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontiercompute/zcash-ika",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "description": "Split-key custody for Zcash, Bitcoin, and EVM. 2PC-MPC signing, on-chain spend policy, transparent TX builder, ZAP1 attestation.",
   "type": "module",
   "main": "dist/index.js",
@@ -12,7 +12,8 @@
   "dependencies": {
     "@ika.xyz/sdk": "^0.3.1",
     "@mysten/sui": "^2.5.0",
-    "blakejs": "^1.2.1"
+    "blakejs": "^1.2.1",
+    "elliptic": "^6.6.1"
   },
   "devDependencies": {
     "@types/node": "^25.5.2",
@@ -24,7 +25,9 @@
     "dist/tx-builder.js",
     "dist/tx-builder.d.ts",
     "dist/hybrid.js",
-    "dist/hybrid.d.ts"
+    "dist/hybrid.d.ts",
+    "dist/btc-tx-builder.js",
+    "dist/btc-tx-builder.d.ts"
   ],
   "repository": {
     "type": "git",