@frontiercompute/zcash-ika 0.6.1 → 0.7.0

package/README.md

@@ -3,8 +3,6 @@
 Split-key custody for Zcash, Bitcoin, and EVM chains. The private key never exists whole. Spend policy enforced on-chain. Every action attested to Zcash.
 
 [![npm](https://img.shields.io/npm/v/@frontiercompute/zcash-ika)](https://www.npmjs.com/package/@frontiercompute/zcash-ika)
-![downloads](https://img.shields.io/npm/dw/@frontiercompute/zcash-ika)
-![license](https://img.shields.io/npm/l/@frontiercompute/zcash-ika)
 [![downloads](https://img.shields.io/npm/dw/@frontiercompute/zcash-ika)](https://www.npmjs.com/package/@frontiercompute/zcash-ika)
 [![license](https://img.shields.io/npm/l/@frontiercompute/zcash-ika)](https://github.com/Frontier-Compute/zcash-ika/blob/main/LICENSE)
 
@@ -187,13 +185,6 @@ SUI_PRIVATE_KEY=... node dist/test-e2e.js
 - [Zebra](https://github.com/ZcashFoundation/zebra) - Zcash node
 - [Sui Move](https://docs.sui.io/concepts/sui-move-concepts) - policy enforcement
 
-## See also
-
-- [@frontiercompute/zcash-mcp](https://www.npmjs.com/package/@frontiercompute/zcash-mcp) - MCP server for Zcash wallets and nodes
-- [@frontiercompute/openclaw-zap1](https://www.npmjs.com/package/@frontiercompute/openclaw-zap1) - OpenClaw attestation client for ZAP1
-- [@frontiercompute/zap1](https://www.npmjs.com/package/@frontiercompute/zap1) - ZAP1 on-chain attestation SDK
-- [@frontiercompute/zcash-ika](https://www.npmjs.com/package/@frontiercompute/zcash-ika) - Split-key custody for Zcash, Bitcoin, and EVM (this package)
-
 ## Related Packages
 
 | Package | What it does |

package/dist/btc-tx-builder.d.ts

@@ -84,4 +84,71 @@ export declare function serializeBtcTx(inputs: BtcInput[], outputs: BtcOutput[],
  * Returns the txid on success.
  */
 export declare function broadcastBtcTx(rawHex: string, network?: BtcNetwork): Promise<string>;
+/**
+ * Derive a P2TR (Taproot) bech32m address from an x-only public key.
+ *
+ * BIP 341 defines P2TR output as: OP_1 <32-byte-x-only-pubkey>
+ * The address is bech32m encoded with witness version 1.
+ *
+ * For key-path-only spending (no script tree), the output key equals
+ * the internal key tweaked with an empty merkle root:
+ *   Q = P + H("TapTweak", P) * G
+ *
+ * This function takes the already-tweaked x-only pubkey (32 bytes).
+ * If using an MPC-derived key, perform the taptweak externally before
+ * calling this function.
+ */
+export declare function deriveTaprootAddress(xOnlyPubKey: Uint8Array, network?: BtcNetwork): string;
+/**
+ * Build a P2TR scriptPubKey from a 32-byte x-only public key.
+ * Format: OP_1 <0x20> <32-byte-x-only-pubkey>
+ */
+export declare function p2trScript(xOnlyPubKey: Uint8Array): Buffer;
+export interface TaprootInput {
+    prevTxid: string;
+    prevIndex: number;
+    value: number;
+    scriptPubKey: string;
+}
+export interface TaprootTxParams {
+    inputs: TaprootInput[];
+    outputs: BtcTxOutput[];
+    changeAddress?: string;
+    fee: number;
+    /** x-only pubkey for change output P2TR script (32 bytes) */
+    changeXOnlyPubKey?: Uint8Array;
+}
+/**
+ * Build an unsigned P2TR (Taproot) key-path spend transaction.
+ *
+ * Returns per-input sighashes for BIP 340 Schnorr signing.
+ * The witness for key-path spend is a single 64-byte Schnorr signature
+ * (no sighash type byte appended for SIGHASH_DEFAULT).
+ *
+ * Transaction version is 2 (segwit). Uses witness serialization.
+ */
+export declare function buildTaprootTx(params: TaprootTxParams): {
+    sighashes: Buffer[];
+    inputs: {
+        prevTxid: Buffer;
+        prevIndex: number;
+        value: number;
+        scriptPubKey: Buffer;
+        sequence: number;
+    }[];
+    outputs: BtcOutput[];
+};
+/**
+ * Serialize a signed Taproot transaction (segwit v1 with witness).
+ *
+ * Each input witness is a single stack item: the 64-byte Schnorr signature
+ * (for SIGHASH_DEFAULT, no sighash byte is appended).
+ */
+export declare function serializeTaprootTx(inputs: {
+    prevTxid: Buffer;
+    prevIndex: number;
+    value: number;
+    scriptPubKey: Buffer;
+    sequence: number;
+}[], outputs: BtcOutput[], schnorrSigs: Buffer[]): Buffer;
 export {};

package/dist/btc-tx-builder.js

@@ -379,3 +379,277 @@ export async function broadcastBtcTx(rawHex, network = "mainnet") {
     // Blockstream returns the txid as plain text
     return (await resp.text()).trim();
 }
+// ---------------------------------------------------------------------------
+// P2TR (Taproot) key-path spend support (BIP 340/341/350)
+// ---------------------------------------------------------------------------
+// Bech32m charset
+const BECH32M_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
+const BECH32M_CONST = 0x2bc830a3;
+function bech32mPolymod(values) {
+    const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
+    let chk = 1;
+    for (const v of values) {
+        const b = chk >> 25;
+        chk = ((chk & 0x1ffffff) << 5) ^ v;
+        for (let i = 0; i < 5; i++) {
+            if ((b >> i) & 1)
+                chk ^= GEN[i];
+        }
+    }
+    return chk;
+}
+function bech32mHrpExpand(hrp) {
+    const ret = [];
+    for (const c of hrp)
+        ret.push(c.charCodeAt(0) >> 5);
+    ret.push(0);
+    for (const c of hrp)
+        ret.push(c.charCodeAt(0) & 31);
+    return ret;
+}
+function bech32mCreateChecksum(hrp, data) {
+    const values = bech32mHrpExpand(hrp).concat(data).concat([0, 0, 0, 0, 0, 0]);
+    const polymod = bech32mPolymod(values) ^ BECH32M_CONST;
+    const ret = [];
+    for (let i = 0; i < 6; i++) {
+        ret.push((polymod >> (5 * (5 - i))) & 31);
+    }
+    return ret;
+}
+function bech32mEncode(hrp, data) {
+    const checksum = bech32mCreateChecksum(hrp, data);
+    const combined = data.concat(checksum);
+    let ret = hrp + "1";
+    for (const d of combined)
+        ret += BECH32M_CHARSET[d];
+    return ret;
+}
+function convertBits(data, fromBits, toBits, pad) {
+    let acc = 0;
+    let bits = 0;
+    const ret = [];
+    const maxv = (1 << toBits) - 1;
+    for (const value of data) {
+        acc = (acc << fromBits) | value;
+        bits += fromBits;
+        while (bits >= toBits) {
+            bits -= toBits;
+            ret.push((acc >> bits) & maxv);
+        }
+    }
+    if (pad) {
+        if (bits > 0)
+            ret.push((acc << (toBits - bits)) & maxv);
+    }
+    else if (bits >= fromBits || ((acc << (toBits - bits)) & maxv)) {
+        throw new Error("Invalid bit conversion");
+    }
+    return ret;
+}
+/**
+ * Derive a P2TR (Taproot) bech32m address from an x-only public key.
+ *
+ * BIP 341 defines P2TR output as: OP_1 <32-byte-x-only-pubkey>
+ * The address is bech32m encoded with witness version 1.
+ *
+ * For key-path-only spending (no script tree), the output key equals
+ * the internal key tweaked with an empty merkle root:
+ *   Q = P + H("TapTweak", P) * G
+ *
+ * This function takes the already-tweaked x-only pubkey (32 bytes).
+ * If using an MPC-derived key, perform the taptweak externally before
+ * calling this function.
+ */
+export function deriveTaprootAddress(xOnlyPubKey, network = "mainnet") {
+    if (xOnlyPubKey.length !== 32) {
+        throw new Error("Expected 32-byte x-only pubkey, got " + xOnlyPubKey.length);
+    }
+    const hrp = network === "mainnet" ? "bc" : "tb";
+    const witnessVersion = 1;
+    const data5bit = convertBits(xOnlyPubKey, 8, 5, true);
+    return bech32mEncode(hrp, [witnessVersion].concat(data5bit));
+}
+/**
+ * Build a P2TR scriptPubKey from a 32-byte x-only public key.
+ * Format: OP_1 <0x20> <32-byte-x-only-pubkey>
+ */
+export function p2trScript(xOnlyPubKey) {
+    if (xOnlyPubKey.length !== 32) {
+        throw new Error("Expected 32-byte x-only pubkey, got " + xOnlyPubKey.length);
+    }
+    const script = Buffer.alloc(34);
+    script[0] = 0x51; // OP_1 (witness v1)
+    script[1] = 0x20; // push 32 bytes
+    Buffer.from(xOnlyPubKey).copy(script, 2);
+    return script;
+}
+// BIP 340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)
+function taggedHash(tag, ...msgs) {
+    const tagHash = sha256(Buffer.from(tag, "utf8"));
+    const parts = [tagHash, tagHash, ...msgs];
+    return sha256(Buffer.concat(parts));
+}
+/**
+ * Compute BIP 341 taproot sighash for key-path spending.
+ * Uses SIGHASH_DEFAULT (0x00) which commits to all inputs and outputs.
+ * The epoch byte (0x00) is prepended per BIP 341.
+ */
+function computeTaprootSighash(inputs, outputs, inputIndex, hashType = 0x00) {
+    const parts = [];
+    // Epoch
+    parts.push(Buffer.from([0x00]));
+    // Hash type
+    parts.push(Buffer.from([hashType]));
+    // Transaction version: 2
+    const ver = Buffer.alloc(4);
+    writeU32LE(ver, 2, 0);
+    parts.push(ver);
+    // nLockTime
+    const lt = Buffer.alloc(4);
+    writeU32LE(lt, 0, 0);
+    parts.push(lt);
+    // sha_prevouts
+    const prevoutsData = [];
+    for (const inp of inputs) {
+        const outpoint = Buffer.alloc(36);
+        inp.prevTxid.copy(outpoint, 0);
+        writeU32LE(outpoint, inp.prevIndex, 32);
+        prevoutsData.push(outpoint);
+    }
+    parts.push(sha256(Buffer.concat(prevoutsData)));
+    // sha_amounts
+    const amountsData = Buffer.alloc(inputs.length * 8);
+    for (let i = 0; i < inputs.length; i++) {
+        writeI64LE(amountsData, inputs[i].value, i * 8);
+    }
+    parts.push(sha256(amountsData));
+    // sha_scriptpubkeys
+    const scriptsData = [];
+    for (const inp of inputs) {
+        scriptsData.push(compactSize(inp.scriptPubKey.length));
+        scriptsData.push(inp.scriptPubKey);
+    }
+    parts.push(sha256(Buffer.concat(scriptsData)));
+    // sha_sequences
+    const seqData = Buffer.alloc(inputs.length * 4);
+    for (let i = 0; i < inputs.length; i++) {
+        writeU32LE(seqData, inputs[i].sequence, i * 4);
+    }
+    parts.push(sha256(seqData));
+    // sha_outputs
+    const outsData = [];
+    for (const out of outputs) {
+        const valueBuf = Buffer.alloc(8);
+        writeI64LE(valueBuf, out.value, 0);
+        outsData.push(valueBuf);
+        outsData.push(compactSize(out.script.length));
+        outsData.push(out.script);
+    }
+    parts.push(sha256(Buffer.concat(outsData)));
+    // spend_type: 0x00 (key-path, no annex)
+    parts.push(Buffer.from([0x00]));
+    // Input index
+    const idxBuf = Buffer.alloc(4);
+    writeU32LE(idxBuf, inputIndex, 0);
+    parts.push(idxBuf);
+    return taggedHash("TapSighash", Buffer.concat(parts));
+}
+/**
+ * Build an unsigned P2TR (Taproot) key-path spend transaction.
+ *
+ * Returns per-input sighashes for BIP 340 Schnorr signing.
+ * The witness for key-path spend is a single 64-byte Schnorr signature
+ * (no sighash type byte appended for SIGHASH_DEFAULT).
+ *
+ * Transaction version is 2 (segwit). Uses witness serialization.
+ */
+export function buildTaprootTx(params) {
+    const { inputs: rawInputs, outputs: txOutputs, fee, changeAddress, changeXOnlyPubKey } = params;
+    if (rawInputs.length === 0)
+        throw new Error("No inputs provided");
+    const inputs = rawInputs.map((inp) => ({
+        prevTxid: reverseTxid(inp.prevTxid),
+        prevIndex: inp.prevIndex,
+        value: inp.value,
+        scriptPubKey: Buffer.from(inp.scriptPubKey, "hex"),
+        sequence: 0xfffffffd, // RBF-enabled default
+    }));
+    const totalInput = rawInputs.reduce((s, u) => s + u.value, 0);
+    const totalOutput = txOutputs.reduce((s, o) => s + o.value, 0);
+    const change = totalInput - totalOutput - fee;
+    const outputs = txOutputs.map((o) => ({
+        value: o.value,
+        script: scriptFromAddress(o.address),
+    }));
+    if (change > 0 && change >= 546) {
+        if (changeXOnlyPubKey) {
+            outputs.push({ value: change, script: p2trScript(changeXOnlyPubKey) });
+        }
+        else if (changeAddress) {
+            outputs.push({ value: change, script: scriptFromAddress(changeAddress) });
+        }
+    }
+    else if (change < 0) {
+        throw new Error("Inputs total " + totalInput + " < outputs " + totalOutput + " + fee " + fee);
+    }
+    const sighashes = [];
+    for (let i = 0; i < inputs.length; i++) {
+        sighashes.push(computeTaprootSighash(inputs, outputs, i));
+    }
+    return { sighashes, inputs, outputs };
+}
+/**
+ * Serialize a signed Taproot transaction (segwit v1 with witness).
+ *
+ * Each input witness is a single stack item: the 64-byte Schnorr signature
+ * (for SIGHASH_DEFAULT, no sighash byte is appended).
+ */
+export function serializeTaprootTx(inputs, outputs, schnorrSigs) {
+    if (schnorrSigs.length !== inputs.length) {
+        throw new Error("Expected " + inputs.length + " signatures, got " + schnorrSigs.length);
+    }
+    const parts = [];
+    // Version: 2
+    const ver = Buffer.alloc(4);
+    writeU32LE(ver, 2, 0);
+    parts.push(ver);
+    // Segwit marker + flag
+    parts.push(Buffer.from([0x00, 0x01]));
+    // Input count
+    parts.push(compactSize(inputs.length));
+    // Inputs (empty scriptSig for segwit)
+    for (const inp of inputs) {
+        const outpoint = Buffer.alloc(36);
+        inp.prevTxid.copy(outpoint, 0);
+        writeU32LE(outpoint, inp.prevIndex, 32);
+        parts.push(outpoint);
+        parts.push(compactSize(0));
+        const seq = Buffer.alloc(4);
+        writeU32LE(seq, inp.sequence, 0);
+        parts.push(seq);
+    }
+    // Output count
+    parts.push(compactSize(outputs.length));
+    // Outputs
+    for (const out of outputs) {
+        const valueBuf = Buffer.alloc(8);
+        writeI64LE(valueBuf, out.value, 0);
+        parts.push(valueBuf);
+        parts.push(compactSize(out.script.length));
+        parts.push(out.script);
+    }
+    // Witness data
+    for (const sig of schnorrSigs) {
+        if (sig.length !== 64) {
+            throw new Error("Schnorr signature must be 64 bytes, got " + sig.length);
+        }
+        parts.push(Buffer.from([0x01])); // 1 witness item
+        parts.push(compactSize(sig.length));
+        parts.push(sig);
+    }
+    // Locktime
+    const lt = Buffer.alloc(4);
+    writeU32LE(lt, 0, 0);
+    parts.push(lt);
+    return Buffer.concat(parts);
+}

package/dist/index.d.ts

@@ -14,10 +14,10 @@
  * is viable through this package today.
  */
 export { Curve, Hash, SignatureAlgorithm, IkaClient, IkaTransaction, UserShareEncryptionKeys, getNetworkConfig, createClassGroupsKeypair, createRandomSessionIdentifier, prepareDKG, prepareDKGAsync, prepareDKGSecondRound, prepareDKGSecondRoundAsync, createDKGUserOutput, publicKeyFromDWalletOutput, parseSignatureFromSignOutput, } from "@ika.xyz/sdk";
-export { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, } from "./tx-builder.js";
-export type { UTXO } from "./tx-builder.js";
-export { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, serializeBtcTx, broadcastBtcTx, estimateBtcFee, computeBtcSighash, } from "./btc-tx-builder.js";
-export type { BtcUTXO, BtcTxOutput, BtcNetwork } from "./btc-tx-builder.js";
+export { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, computeSighashV6, } from "./tx-builder.js";
+export type { UTXO, V6SighashParams } from "./tx-builder.js";
+export { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, serializeBtcTx, broadcastBtcTx, estimateBtcFee, computeBtcSighash, deriveTaprootAddress, p2trScript, buildTaprootTx, serializeTaprootTx, } from "./btc-tx-builder.js";
+export type { BtcUTXO, BtcTxOutput, BtcNetwork, TaprootInput, TaprootTxParams } from "./btc-tx-builder.js";
 export type Chain = "zcash-transparent" | "bitcoin" | "ethereum";
 export interface ZcashIkaConfig {
     /** Ika network: mainnet or testnet */

package/dist/index.js

@@ -20,9 +20,9 @@ import { Transaction } from "@mysten/sui/transactions";
 import { decodeSuiPrivateKey } from "@mysten/sui/cryptography";
 import { createHash } from "node:crypto";
 import { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, } from "./tx-builder.js";
-export { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, } from "./tx-builder.js";
+export { fetchUTXOs, selectUTXOs, buildUnsignedTx, attachSignatures, broadcastTx, estimateFee, BRANCH_ID, computeSighashV6, } from "./tx-builder.js";
 import { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, broadcastBtcTx, } from "./btc-tx-builder.js";
-export { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, serializeBtcTx, broadcastBtcTx, estimateBtcFee, computeBtcSighash, } from "./btc-tx-builder.js";
+export { fetchBtcUTXOs, selectBtcUTXOs, buildUnsignedBtcTx, attachBtcSignatures, serializeBtcTx, broadcastBtcTx, estimateBtcFee, computeBtcSighash, deriveTaprootAddress, p2trScript, buildTaprootTx, serializeTaprootTx, } from "./btc-tx-builder.js";
 const IKA_COIN_TYPE = "0x1f26bb2f711ff82dcda4d02c77d5123089cb7f8418751474b9fb744ce031526a::ika::IKA";
 /** Parameters for dWallet creation per chain.
  *

package/dist/tx-builder.d.ts

@@ -66,3 +66,39 @@ export declare function broadcastTx(zebraRpcUrl: string, txHex: string): Promise
  * Each additional input adds 1 logical action = +5000 zatoshis
  */
 export declare function estimateFee(numInputs: number, numOutputs: number): number;
+export interface V6SighashParams {
+    /** UTXOs being spent */
+    utxos: UTXO[];
+    /** Recipient address */
+    recipient: string;
+    /** Send amount in zatoshis */
+    amount: number;
+    /** Explicit fee in zatoshis (ZIP 2002) */
+    fee: number;
+    /** Change address */
+    changeAddress: string;
+    /** Consensus branch ID (defaults to NU6.1 until NU7 is defined) */
+    branchId?: number;
+    /** NSM burn amount in zatoshis (ZIP 233), defaults to 0 */
+    zip233Amount?: number;
+    /** Lock time, defaults to 0 */
+    lockTime?: number;
+    /** Expiry height, defaults to 0 */
+    expiryHeight?: number;
+}
+/**
+ * Compute per-input sighash for a v6 transparent transaction (ZIP 246).
+ *
+ * Structure mirrors ZIP 244 signature_digest but uses headerDigestV6
+ * which includes the explicit fee and NSM burn amount.
+ *
+ * Returns per-input sighashes ready for MPC signing.
+ *
+ * NOTE: NU7 is not yet activated. The v6 version group ID and branch ID
+ * are placeholders. This function will produce structurally correct
+ * sighashes once the constants are finalized.
+ */
+export declare function computeSighashV6(params: V6SighashParams): {
+    sighashes: Buffer[];
+    txid: Buffer;
+};

package/dist/tx-builder.js

@@ -535,3 +535,109 @@ export function estimateFee(numInputs, numOutputs) {
     const graceActions = 2;
     return Math.max(graceActions, logicalActions) * 5000;
 }
+// ---------------------------------------------------------------------------
+// ZIP 246: v6 transaction sighash (NU7)
+// ---------------------------------------------------------------------------
+// Zcash v6 constants. Version group ID and NU7 branch ID are placeholders
+// until the protocol spec finalizes them. The sighash structure follows
+// ZIP 246 which extends ZIP 244 with two new header digest fields.
+const TX_VERSION_V6 = 6;
+const TX_VERSION_GROUP_ID_V6 = 0x26a7270a; // TODO: update when NU7 assigns new vgid
+/**
+ * Header digest for v6 transactions (ZIP 246 T.1).
+ *
+ * Extends the v5 header digest with two new fields appended:
+ *   T.1f: fee (8-byte LE uint64) per ZIP 2002
+ *   T.1g: zip233Amount (8-byte LE uint64) per ZIP 233 (NSM burn)
+ *
+ * Personalization: "ZTxIdHeadersHash" (same as v5)
+ */
+function headerDigestV6(version, versionGroupId, branchId, lockTime, expiryHeight, fee, zip233Amount) {
+    const data = Buffer.alloc(36);
+    writeU32LE(data, (version | (1 << 31)) >>> 0, 0);
+    writeU32LE(data, versionGroupId, 4);
+    writeU32LE(data, branchId, 8);
+    writeU32LE(data, lockTime, 12);
+    writeU32LE(data, expiryHeight, 16);
+    writeI64LE(data, fee, 20);
+    writeI64LE(data, zip233Amount, 28);
+    return blake2b256(data, personalization("ZTxIdHeadersHash"));
+}
+/**
+ * Compute per-input sighash for a v6 transparent transaction (ZIP 246).
+ *
+ * Structure mirrors ZIP 244 signature_digest but uses headerDigestV6
+ * which includes the explicit fee and NSM burn amount.
+ *
+ * Returns per-input sighashes ready for MPC signing.
+ *
+ * NOTE: NU7 is not yet activated. The v6 version group ID and branch ID
+ * are placeholders. This function will produce structurally correct
+ * sighashes once the constants are finalized.
+ */
+export function computeSighashV6(params) {
+    const { utxos, recipient, amount, fee, changeAddress, branchId = BRANCH_ID.NU61, // TODO: replace with NU7 branch ID when defined
+    zip233Amount = 0, lockTime = 0, expiryHeight = 0, } = params;
+    if (utxos.length === 0)
+        throw new Error("No UTXOs provided");
+    if (amount <= 0)
+        throw new Error("Amount must be positive");
+    if (fee < 0)
+        throw new Error("Fee must be non-negative");
+    const inputs = utxos.map((u) => ({
+        prevTxid: reverseTxid(u.txid),
+        prevIndex: u.outputIndex,
+        script: Buffer.from(u.script, "hex"),
+        value: u.satoshis,
+        sequence: 0xffffffff,
+    }));
+    const totalInput = utxos.reduce((s, u) => s + u.satoshis, 0);
+    const change = totalInput - amount - fee;
+    const outputs = [
+        { value: amount, script: scriptFromAddress(recipient) },
+    ];
+    if (change > 0 && change >= 546) {
+        outputs.push({ value: change, script: scriptFromAddress(changeAddress) });
+    }
+    else if (change < 0) {
+        throw new Error("UTXOs total " + totalInput + " < amount " + amount + " + fee " + fee);
+    }
+    // V6 header digest with fee and zip233Amount
+    const hdrDigest = headerDigestV6(TX_VERSION_V6, TX_VERSION_GROUP_ID_V6, branchId, lockTime, expiryHeight, fee, zip233Amount);
+    // Transparent digest components (same as v5 / ZIP 244)
+    const prevoutsSigDigest = hashPrevouts(inputs, branchId);
+    const amountsSigDigest = hashAmounts(inputs, branchId);
+    const scriptpubkeysSigDigest = hashScriptPubKeys(inputs, branchId);
+    const sequenceSigDigest = hashSequences(inputs, branchId);
+    const outputsSigDigest = hashOutputs(outputs, branchId);
+    // Empty bundle digests (transparent-only tx)
+    const sapDigest = emptyBundleDigest("ZTxIdSaplingHash");
+    const orchDigest = emptyBundleDigest("ZTxIdOrchardHash");
+    const sighashes = [];
+    for (let i = 0; i < inputs.length; i++) {
+        const inp = inputs[i];
+        const prevout = Buffer.alloc(36);
+        inp.prevTxid.copy(prevout, 0);
+        writeU32LE(prevout, inp.prevIndex, 32);
+        const valueBuf = Buffer.alloc(8);
+        writeI64LE(valueBuf, inp.value, 0);
+        const seqBuf = Buffer.alloc(4);
+        writeU32LE(seqBuf, inp.sequence, 0);
+        const txinSigDigest = blake2b256(Buffer.concat([prevout, valueBuf, compactSize(inp.script.length), inp.script, seqBuf]), personalization("Zcash___TxInHash"));
+        const transparentSigDig = blake2b256(Buffer.concat([
+            Buffer.from([SIGHASH_ALL]),
+            prevoutsSigDigest,
+            amountsSigDigest,
+            scriptpubkeysSigDigest,
+            sequenceSigDigest,
+            outputsSigDigest,
+            txinSigDigest,
+        ]), personalization("ZTxIdTranspaHash"));
+        const sighash = blake2b256(Buffer.concat([hdrDigest, transparentSigDig, sapDigest, orchDigest]), personalization("ZcashTxHash_", branchIdBytes(branchId)));
+        sighashes.push(sighash);
+    }
+    // Compute txid digest using v6 header
+    const txpDigest = transparentDigest(inputs, outputs, branchId);
+    const txid = blake2b256(Buffer.concat([hdrDigest, txpDigest, sapDigest, orchDigest]), personalization("ZcashTxHash__", branchIdBytes(branchId)));
+    return { sighashes, txid };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontiercompute/zcash-ika",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "description": "Split-key custody for Zcash, Bitcoin, and EVM. 2PC-MPC signing, on-chain spend policy, transparent TX builder, ZAP1 attestation.",
   "type": "module",
   "main": "dist/index.js",