@frontiercompute/zcash-ika 0.5.0 → 0.6.1

package/README.md

@@ -3,6 +3,10 @@
 Split-key custody for Zcash, Bitcoin, and EVM chains. The private key never exists whole. Spend policy enforced on-chain. Every action attested to Zcash.
 
 [![npm](https://img.shields.io/npm/v/@frontiercompute/zcash-ika)](https://www.npmjs.com/package/@frontiercompute/zcash-ika)
+![downloads](https://img.shields.io/npm/dw/@frontiercompute/zcash-ika)
+![license](https://img.shields.io/npm/l/@frontiercompute/zcash-ika)
+[![downloads](https://img.shields.io/npm/dw/@frontiercompute/zcash-ika)](https://www.npmjs.com/package/@frontiercompute/zcash-ika)
+[![license](https://img.shields.io/npm/l/@frontiercompute/zcash-ika)](https://github.com/Frontier-Compute/zcash-ika/blob/main/LICENSE)
 
 ## What this does
 
@@ -183,6 +187,22 @@ SUI_PRIVATE_KEY=... node dist/test-e2e.js
 - [Zebra](https://github.com/ZcashFoundation/zebra) - Zcash node
 - [Sui Move](https://docs.sui.io/concepts/sui-move-concepts) - policy enforcement
 
+## See also
+
+- [@frontiercompute/zcash-mcp](https://www.npmjs.com/package/@frontiercompute/zcash-mcp) - MCP server for Zcash wallets and nodes
+- [@frontiercompute/openclaw-zap1](https://www.npmjs.com/package/@frontiercompute/openclaw-zap1) - OpenClaw attestation client for ZAP1
+- [@frontiercompute/zap1](https://www.npmjs.com/package/@frontiercompute/zap1) - ZAP1 on-chain attestation SDK
+- [@frontiercompute/zcash-ika](https://www.npmjs.com/package/@frontiercompute/zcash-ika) - Split-key custody for Zcash, Bitcoin, and EVM (this package)
+
+## Related Packages
+
+| Package | What it does |
+|---------|-------------|
+| [@frontiercompute/zcash-mcp](https://www.npmjs.com/package/@frontiercompute/zcash-mcp) | MCP server for Zcash (22 tools) |
+| [@frontiercompute/openclaw-zap1](https://www.npmjs.com/package/@frontiercompute/openclaw-zap1) | OpenClaw skill for ZAP1 attestation |
+| [@frontiercompute/zap1](https://www.npmjs.com/package/@frontiercompute/zap1) | ZAP1 attestation client |
+| [@frontiercompute/silo-zap1](https://www.npmjs.com/package/@frontiercompute/silo-zap1) | Silo agent attestation via ZAP1 |
+
 ## License
 
 MIT

package/dist/btc-tx-builder.js

@@ -245,6 +245,8 @@ export function computeBtcSighash(inputs, outputs, inputIndex, hashType = SIGHAS
 export function buildUnsignedBtcTx(utxos, txOutputs, changeAddress, fee) {
     if (utxos.length === 0)
         throw new Error("No UTXOs provided");
+    if (fee < 0)
+        throw new Error("Fee must be non-negative");
     // Build inputs
     const inputs = utxos.map((u) => ({
         prevTxid: reverseTxid(u.txid),
@@ -270,6 +272,12 @@ export function buildUnsignedBtcTx(utxos, txOutputs, changeAddress, fee) {
     else if (change < 0) {
         throw new Error(`UTXOs total ${totalInput} < outputs ${totalOutput} + fee ${fee}`);
     }
+    // Warn on dust outputs (let the network reject them)
+    for (const out of outputs) {
+        if (out.value < 546) {
+            console.warn(`Warning: output value ${out.value} sats is below dust threshold (546)`);
+        }
+    }
     // Compute per-input sighashes
     const sighashes = [];
     for (let i = 0; i < inputs.length; i++) {

package/dist/index.d.ts

@@ -216,6 +216,65 @@ export declare function setPolicy(config: ZcashIkaConfig, walletId: string, poli
 export declare function checkPolicy(config: ZcashIkaConfig, policyId: string, amount?: number, recipient?: string): Promise<PolicyState & {
     allowed: boolean;
 }>;
+export interface VaultResult {
+    /** CustodyVault shared object ID on Sui */
+    vaultId: string;
+    /** AdminCap object ID (vault creator holds this) */
+    adminCapId: string;
+    /** Sui transaction digest */
+    txDigest: string;
+}
+export interface AgentResult {
+    /** AgentCap object ID (issued to the registered agent) */
+    agentCapId: string;
+    /** Sui transaction digest */
+    txDigest: string;
+}
+export interface VaultState {
+    vaultId: string;
+    dwalletId: string;
+    maxPerTx: number;
+    maxDaily: number;
+    dailySpent: number;
+    totalSpent: number;
+    totalTxCount: number;
+    agentCount: number;
+    frozen: boolean;
+}
+/**
+ * Create a CustodyVault for a dWallet.
+ * The vault enforces spend policy on-chain and tracks agent access.
+ * Returns the vault ID and AdminCap (transferred to caller).
+ */
+export declare function createVault(config: ZcashIkaConfig, dwalletId: string, maxPerTx: number, maxDaily: number): Promise<VaultResult>;
+/**
+ * Register an agent on a CustodyVault.
+ * Only the admin (holder of AdminCap) can do this.
+ * Returns the AgentCap which should be transferred to the agent.
+ */
+export declare function registerAgent(config: ZcashIkaConfig, vaultId: string, adminCapId: string, agentAddress: string, agentName: string): Promise<AgentResult>;
+/**
+ * Request a spend through the CustodyVault.
+ * The Move contract checks all policy constraints on-chain.
+ * Aborts if the spend violates any limit.
+ */
+export declare function requestSpend(config: ZcashIkaConfig, vaultId: string, agentCapId: string, amount: number, recipient: string, chain: string): Promise<{
+    approved: boolean;
+    txDigest: string;
+    error?: string;
+}>;
+/**
+ * Read the on-chain state of a CustodyVault.
+ */
+export declare function getVaultState(config: ZcashIkaConfig, vaultId: string): Promise<VaultState>;
+/**
+ * Freeze a CustodyVault. All spend requests will be rejected until unfrozen.
+ */
+export declare function freezeVault(config: ZcashIkaConfig, vaultId: string, adminCapId: string): Promise<string>;
+/**
+ * Unfreeze a CustodyVault. Resumes normal spend processing.
+ */
+export declare function unfreezeVault(config: ZcashIkaConfig, vaultId: string, adminCapId: string): Promise<string>;
 /**
  * Spend from a Zcash transparent wallet.
  *

package/dist/index.js

@@ -373,13 +373,18 @@ export async function sign(config, request) {
     });
     const presignIkaCoin = presignTx.object(ikaCoinId);
     const presignSuiCoin = presignTx.splitCoins(presignTx.gas, [50_000_000]);
-    presignIkaTx.requestGlobalPresign({
+    const presignReturn = presignIkaTx.requestGlobalPresign({
         dwalletNetworkEncryptionKeyId: dWallet.dwallet_network_encryption_key_id,
         curve: Curve.SECP256K1,
         signatureAlgorithm: SignatureAlgorithm.ECDSASecp256k1,
         ikaCoin: presignIkaCoin,
         suiCoin: presignSuiCoin,
     });
+    // Transfer split SUI coin back and presign cap to ourselves
+    presignTx.transferObjects([presignSuiCoin], address);
+    if (presignReturn) {
+        presignTx.transferObjects([presignReturn], address);
+    }
     const presignResult = await suiClient.signAndExecuteTransaction({
         transaction: presignTx,
         signer: keypair,
@@ -517,9 +522,9 @@ export async function sign(config, request) {
         signTxDigest: signResult.digest,
     };
 }
-// Published package ID - set after sui client publish
-// Override via POLICY_PACKAGE_ID env var or pass directly
-const DEFAULT_POLICY_PACKAGE_ID = "0x0";
+// Sui testnet deployment (zap1_policy package)
+// Override via POLICY_PACKAGE_ID env var for mainnet or redeployments
+const DEFAULT_POLICY_PACKAGE_ID = "0xb0468033d854e95ad89de4b6fec8f6d8e8187778c9d8337a6aa30a5c24775a77";
 function getPolicyPackageId() {
     return process.env.POLICY_PACKAGE_ID || DEFAULT_POLICY_PACKAGE_ID;
 }
@@ -530,10 +535,6 @@ function getPolicyPackageId() {
  */
 export async function setPolicy(config, walletId, policy) {
     const packageId = getPolicyPackageId();
-    if (packageId === "0x0") {
-        throw new Error("Policy Move module not deployed. Set POLICY_PACKAGE_ID env var " +
-            "after running: sui client publish --path move/");
-    }
     const { suiClient, keypair } = await initClients(config);
     const tx = new Transaction();
     // 0x6 is the shared Clock object on Sui
@@ -655,6 +656,211 @@ export async function checkPolicy(config, policyId, amount, recipient) {
     }
     return { ...state, allowed };
 }
+/**
+ * Create a CustodyVault for a dWallet.
+ * The vault enforces spend policy on-chain and tracks agent access.
+ * Returns the vault ID and AdminCap (transferred to caller).
+ */
+export async function createVault(config, dwalletId, maxPerTx, maxDaily) {
+    const packageId = getPolicyPackageId();
+    const { suiClient, keypair } = await initClients(config);
+    const sender = keypair.getPublicKey().toSuiAddress();
+    const tx = new Transaction();
+    const adminCap = tx.moveCall({
+        target: `${packageId}::custody::create_vault`,
+        arguments: [
+            tx.pure.address(dwalletId),
+            tx.pure.u64(maxPerTx),
+            tx.pure.u64(maxDaily),
+            tx.object("0x6"), // Clock
+        ],
+    });
+    tx.transferObjects([adminCap], sender);
+    const result = await suiClient.signAndExecuteTransaction({
+        transaction: tx,
+        signer: keypair,
+        options: { showEffects: true, showObjectChanges: true },
+    });
+    if (result.effects?.status?.status !== "success") {
+        throw new Error(`createVault TX failed: ${result.effects?.status?.error}`);
+    }
+    let vaultId = "";
+    let adminCapId = "";
+    const changes = result.objectChanges || [];
+    for (const change of changes) {
+        if (change.type !== "created")
+            continue;
+        const objType = change.objectType || "";
+        if (objType.includes("::custody::CustodyVault")) {
+            vaultId = change.objectId;
+        }
+        else if (objType.includes("::custody::AdminCap")) {
+            adminCapId = change.objectId;
+        }
+    }
+    if (!vaultId || !adminCapId) {
+        const created = result.effects?.created || [];
+        for (const obj of created) {
+            const id = obj.reference?.objectId || obj.objectId;
+            if (id && !vaultId)
+                vaultId = id;
+            else if (id && !adminCapId)
+                adminCapId = id;
+        }
+    }
+    return { vaultId, adminCapId, txDigest: result.digest };
+}
+/**
+ * Register an agent on a CustodyVault.
+ * Only the admin (holder of AdminCap) can do this.
+ * Returns the AgentCap which should be transferred to the agent.
+ */
+export async function registerAgent(config, vaultId, adminCapId, agentAddress, agentName) {
+    const packageId = getPolicyPackageId();
+    const { suiClient, keypair } = await initClients(config);
+    const sender = keypair.getPublicKey().toSuiAddress();
+    const tx = new Transaction();
+    const nameBytes = Array.from(new TextEncoder().encode(agentName));
+    const agentCap = tx.moveCall({
+        target: `${packageId}::custody::register_agent`,
+        arguments: [
+            tx.object(vaultId),
+            tx.object(adminCapId),
+            tx.pure.address(agentAddress),
+            tx.pure.vector("u8", nameBytes),
+            tx.object("0x6"), // Clock
+        ],
+    });
+    // Transfer AgentCap to the agent address
+    tx.transferObjects([agentCap], agentAddress);
+    const result = await suiClient.signAndExecuteTransaction({
+        transaction: tx,
+        signer: keypair,
+        options: { showEffects: true, showObjectChanges: true },
+    });
+    if (result.effects?.status?.status !== "success") {
+        throw new Error(`registerAgent TX failed: ${result.effects?.status?.error}`);
+    }
+    let agentCapId = "";
+    const changes = result.objectChanges || [];
+    for (const change of changes) {
+        if (change.type !== "created")
+            continue;
+        const objType = change.objectType || "";
+        if (objType.includes("::custody::AgentCap")) {
+            agentCapId = change.objectId;
+        }
+    }
+    return { agentCapId, txDigest: result.digest };
+}
+/**
+ * Request a spend through the CustodyVault.
+ * The Move contract checks all policy constraints on-chain.
+ * Aborts if the spend violates any limit.
+ */
+export async function requestSpend(config, vaultId, agentCapId, amount, recipient, chain) {
+    const packageId = getPolicyPackageId();
+    const { suiClient, keypair } = await initClients(config);
+    const tx = new Transaction();
+    const recipientBytes = Array.from(new TextEncoder().encode(recipient));
+    const chainBytes = Array.from(new TextEncoder().encode(chain));
+    tx.moveCall({
+        target: `${packageId}::custody::request_spend_entry`,
+        arguments: [
+            tx.object(vaultId),
+            tx.object(agentCapId),
+            tx.pure.u64(amount),
+            tx.pure.vector("u8", recipientBytes),
+            tx.pure.vector("u8", chainBytes),
+            tx.object("0x6"), // Clock
+        ],
+    });
+    const result = await suiClient.signAndExecuteTransaction({
+        transaction: tx,
+        signer: keypair,
+        options: { showEffects: true },
+    });
+    if (result.effects?.status?.status !== "success") {
+        return { approved: false, txDigest: result.digest, error: result.effects?.status?.error || "Policy violation" };
+    }
+    return { approved: true, txDigest: result.digest };
+}
+/**
+ * Read the on-chain state of a CustodyVault.
+ */
+export async function getVaultState(config, vaultId) {
+    const { suiClient } = await initClients(config);
+    const obj = await suiClient.getObject({
+        id: vaultId,
+        options: { showContent: true },
+    });
+    const content = obj.data?.content;
+    if (!content || content.dataType !== "moveObject") {
+        throw new Error(`Vault object ${vaultId} not found or not a Move object`);
+    }
+    const fields = content.fields;
+    return {
+        vaultId,
+        dwalletId: fields.dwallet_id,
+        maxPerTx: Number(fields.max_per_tx),
+        maxDaily: Number(fields.max_daily),
+        dailySpent: Number(fields.daily_spent),
+        totalSpent: Number(fields.total_spent),
+        totalTxCount: Number(fields.total_tx_count),
+        agentCount: Number(fields.agent_count),
+        frozen: fields.frozen,
+    };
+}
+/**
+ * Freeze a CustodyVault. All spend requests will be rejected until unfrozen.
+ */
+export async function freezeVault(config, vaultId, adminCapId) {
+    const packageId = getPolicyPackageId();
+    const { suiClient, keypair } = await initClients(config);
+    const tx = new Transaction();
+    tx.moveCall({
+        target: `${packageId}::custody::freeze_vault`,
+        arguments: [
+            tx.object(vaultId),
+            tx.object(adminCapId),
+            tx.object("0x6"), // Clock
+        ],
+    });
+    const result = await suiClient.signAndExecuteTransaction({
+        transaction: tx,
+        signer: keypair,
+        options: { showEffects: true },
+    });
+    if (result.effects?.status?.status !== "success") {
+        throw new Error(`freezeVault TX failed: ${result.effects?.status?.error}`);
+    }
+    return result.digest;
+}
+/**
+ * Unfreeze a CustodyVault. Resumes normal spend processing.
+ */
+export async function unfreezeVault(config, vaultId, adminCapId) {
+    const packageId = getPolicyPackageId();
+    const { suiClient, keypair } = await initClients(config);
+    const tx = new Transaction();
+    tx.moveCall({
+        target: `${packageId}::custody::unfreeze_vault`,
+        arguments: [
+            tx.object(vaultId),
+            tx.object(adminCapId),
+            tx.object("0x6"), // Clock
+        ],
+    });
+    const result = await suiClient.signAndExecuteTransaction({
+        transaction: tx,
+        signer: keypair,
+        options: { showEffects: true },
+    });
+    if (result.effects?.status?.status !== "success") {
+        throw new Error(`unfreezeVault TX failed: ${result.effects?.status?.error}`);
+    }
+    return result.digest;
+}
 /**
  * Spend from a Zcash transparent wallet.
  *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontiercompute/zcash-ika",
-  "version": "0.5.0",
+  "version": "0.6.1",
   "description": "Split-key custody for Zcash, Bitcoin, and EVM. 2PC-MPC signing, on-chain spend policy, transparent TX builder, ZAP1 attestation.",
   "type": "module",
   "main": "dist/index.js",