@inco/js 0.8.0-devnet-13 → 0.8.0-devnet-22

package/dist/types/generated/local-node.d.ts

@@ -16,12 +16,12 @@ export declare const localNodeLightningConfig: {
         readonly senderPrivateKey: "0x3ff395b755c4dc09837d0672dd421915e9b9835a4733edf63d8fd12b3fe4475c";
     };
     readonly devnet: {
-        readonly executorAddress: "0xDF3830489208461f72Df6E45D0e6cbF9DBB74fe1";
+        readonly executorAddress: "0x6c9132D324231D2F68a1491686b0d4c10ee7d257";
         readonly chainId: 31337;
         readonly covalidatorUrls: readonly ["http://localhost:50055"];
-        readonly signers: readonly ["0xadAA7b651e894D2B1F4929AC49d065b0143d1506"];
+        readonly signers: readonly ["0xD413DF212d2aeDf4F66241441c018Ce71a2119F1"];
         readonly hostChainRpcUrl: "http://localhost:8545";
-        readonly senderPrivateKey: "0xf829aecfc84240e8bfedfc3274d745a209a1e7d15693f424e0596ef55739215b";
+        readonly senderPrivateKey: "0x5683b966233cfbb5e8355f45cdb5fca9d6c713701909d01086cb85276fb9f474";
     };
     readonly alphanet: {
         readonly executorAddress: "0xc0d693DeEF0A91CE39208676b6da09B822abd199";
@@ -32,7 +32,7 @@ export declare const localNodeLightningConfig: {
         readonly senderPrivateKey: "0x279c172cf3638a79642daa5f7666c600befde318550d7579cf96280920e318b6";
     };
     readonly scratch: {
-        readonly executorAddress: "0xF253724506f9aF666C301c0aD94f92f92Ff390E4";
+        readonly executorAddress: "0x4d71c2268a5a0d525519d2055eaee6b3f5597999";
         readonly chainId: 31337;
         readonly covalidatorUrls: readonly ["http://localhost:50055"];
         readonly signers: readonly ["0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"];

package/dist/types/index.d.ts

@@ -1,5 +1,5 @@
 export * from './binary.js';
 export * from './chain.js';
-export * from './handle.js';
+export { HANDLE_LENGTH_BYTES, HANDLE_VERSION, HandleTypeName, InputContext, getHandleType, handleTypes, isFheType, validateHandle, type FheType, type Handle, type HandleTypes, } from './handle.js';
 export * from './schema.js';
 export * from './viem.js';

package/dist/types/kms/quorumClient.d.ts

@@ -2,9 +2,10 @@ import type { Address } from 'viem';
 import type { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/types.js';
 import type { EncryptionScheme, SupportedFheType } from '../encryption/encryption.js';
 import type { AttestedComputeRequest, AttestedDecryptRequest, AttestedRevealRequest } from '../generated/es/inco/kms/lite/v1/kms_service_pb.js';
-import type { XwingKeypair } from '../lite/index.js';
+import type { XwingKeypair } from '../lite/xwing.js';
 import type { BackoffConfig } from '../retry.js';
 import { type KmsClient } from './client.js';
+import type { ViemClient } from './signatureVerification.js';
 export declare class KmsQuorumClient {
     private readonly kmss;
     private readonly threshold;
@@ -29,9 +30,9 @@ export declare class KmsQuorumClient {
      * @throws {Error} If KMS clients array is empty or threshold is invalid
      */
     static fromKmsClients(kmsClients: KmsClient[], threshold: number): KmsQuorumClient;
-    attestedDecrypt(request: AttestedDecryptRequest, backoffConfig?: Partial<BackoffConfig>, reencryptKeypair?: XwingKeypair): Promise<(DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>)[]>;
-    attestedCompute(request: AttestedComputeRequest, backoffConfig?: Partial<BackoffConfig>, reencryptKeypair?: XwingKeypair): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>;
-    attestedReveal(request: AttestedRevealRequest, backoffConfig?: Partial<BackoffConfig>): Promise<(DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>)[]>;
+    attestedDecrypt(request: AttestedDecryptRequest, backoffConfig?: Partial<BackoffConfig>, reencryptKeypair?: XwingKeypair, executorAddress?: Address, client?: ViemClient): Promise<(DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>)[]>;
+    attestedCompute(request: AttestedComputeRequest, backoffConfig?: Partial<BackoffConfig>, reencryptKeypair?: XwingKeypair, executorAddress?: Address, client?: ViemClient): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>;
+    attestedReveal(request: AttestedRevealRequest, backoffConfig?: Partial<BackoffConfig>, executorAddress?: Address, client?: ViemClient): Promise<(DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>)[]>;
     /**
      * Generic method to execute a KMS operation across all clients with retry and threshold logic.
      * Returns results with both the response and signer address.
@@ -48,13 +49,4 @@ export declare class KmsQuorumClient {
     private buildPlaintextAttestation;
     private buildAggregatedAttestations;
     private buildAggregatedComputeAttestation;
-    private verifyResponseConsistency;
-    private verifyComputeResponseConsistency;
-    /**
-     * Verifies that two plaintext byte arrays are identical.
-     * Uses constant-time comparison to prevent timing side-channel attacks.
-     */
-    private verifyPlaintextBytesConsistency;
-    private verifyPlaintextConsistency;
-    private verifyCiphertextConsistency;
 }

package/dist/types/kms/quorumConsistency.d.ts

@@ -0,0 +1,58 @@
+import type { Address } from 'viem';
+import type { AttestedComputeRequest, AttestedComputeResponse, AttestedDecryptResponse, AttestedRevealResponse, DecryptionAttestation as ProtoDecryptionAttestation } from '../generated/es/inco/kms/lite/v1/kms_service_pb.js';
+import type { XwingKeypair } from '../lite/xwing.js';
+/**
+ * Computes a canonical key for a single attestation.
+ * For plaintext/reencryption+keypair, the key is handle:hex(value).
+ * For reencryption without a keypair (XWing ciphertexts are non-deterministic),
+ * falls back to handle:op-type as a structural stand-in.
+ */
+export declare function computeAttestationKey(att: ProtoDecryptionAttestation, reencryptKeypair?: XwingKeypair): Promise<string>;
+/**
+ * Validates that all responses in a winning bucket have the same attestation
+ * count and types as the quorum-elected reference (bucket[0]).
+ */
+export declare function validateDecryptResponseStructure<T extends AttestedDecryptResponse | AttestedRevealResponse>(bucket: Array<{
+    response: T;
+    signer: Address;
+}>): void;
+/**
+ * Validates that all responses in a winning bucket have a decryption
+ * attestation with the same case as the quorum-elected reference (bucket[0]),
+ * and that the case is consistent with the request's reencryptPubKey.
+ */
+export declare function validateComputeResponseStructure(bucket: Array<{
+    response: AttestedComputeResponse;
+    signer: Address;
+}>, request?: AttestedComputeRequest): void;
+/**
+ * Verifies decrypt/reveal response consistency using hash-bucket voting.
+ * Collects all N responses, buckets them by content key, and returns the
+ * winning bucket (the first one with >= threshold votes).
+ *
+ * This is robust against a faulty first-responding node: even if responses[0]
+ * disagrees, a quorum of agreeing responses will form a winning bucket.
+ */
+export declare function verifyDecryptResponseConsistency<T extends AttestedDecryptResponse | AttestedRevealResponse>(allResults: Array<{
+    response: T;
+    signer: Address;
+}>, threshold: number, reencryptKeypair?: XwingKeypair): Promise<{
+    reference: T;
+    winningResults: Array<{
+        response: T;
+        signer: Address;
+    }>;
+}>;
+/**
+ * Verifies compute response consistency using hash-bucket voting.
+ */
+export declare function verifyComputeResponseConsistency(allResults: Array<{
+    response: AttestedComputeResponse;
+    signer: Address;
+}>, threshold: number, request?: AttestedComputeRequest, reencryptKeypair?: XwingKeypair): Promise<{
+    reference: AttestedComputeResponse;
+    winningResults: Array<{
+        response: AttestedComputeResponse;
+        signer: Address;
+    }>;
+}>;

package/dist/types/kms/signatureVerification.d.ts

@@ -0,0 +1,35 @@
+import type { Account, Address, Chain, PublicClient, Transport, WalletClient } from 'viem';
+export type ViemClient = WalletClient<Transport, Chain, Account> | PublicClient<Transport, Chain>;
+/**
+ * Verifies covalidator signatures for a plaintext DecryptionAttestation
+ * by calling `isValidDecryptionAttestation` on the IncoVerifier contract.
+ *
+ * This delegates all verification logic (EIP-712 digest computation,
+ * ECDSA recovery, signer authorization, threshold check) to the contract,
+ * ensuring exact parity with on-chain verification.
+ *
+ * @param handle - The handle hex string (bytes32)
+ * @param rawValueBytes - The raw plaintext value bytes (will be left-padded to 32 bytes)
+ * @param signatures - The covalidator ECDSA signatures to verify
+ * @param executorAddress - The Lightning contract address (executor)
+ * @param client - A viem client capable of reading contract state
+ * @throws If the contract returns false (insufficient valid signatures)
+ */
+export declare function verifyPlaintextAttestationSignatures(handle: string, rawValueBytes: Uint8Array, signatures: Uint8Array[], executorAddress: Address, client: ViemClient): Promise<void>;
+/**
+ * Verifies covalidator envelope signatures for reencryption attestations
+ * by calling `isValidReencryptionAttestation` on the IncoVerifier contract.
+ *
+ * Each covalidator signs over its own unique (userCiphertext, handle, encryptedSignature)
+ * tuple, so all three per-covalidator arrays must be aligned by index and sorted
+ * by signer address in ascending order.
+ *
+ * @param handle - The handle hex string (bytes32)
+ * @param userCiphertexts - Per-covalidator ciphertexts (sorted by signer address)
+ * @param encryptedSignatures - Per-covalidator encrypted inner signatures (sorted by signer address)
+ * @param envelopeSignatures - Per-covalidator envelope signatures (sorted by signer address)
+ * @param executorAddress - The Lightning contract address (executor)
+ * @param client - A viem client capable of reading contract state
+ * @throws If the contract returns false (insufficient valid signatures)
+ */
+export declare function verifyReencryptionAttestationSignatures(handle: string, userCiphertexts: Uint8Array[], encryptedSignatures: Uint8Array[], envelopeSignatures: Uint8Array[], executorAddress: Address, client: ViemClient): Promise<void>;

package/dist/types/kms/thresholdPromises.d.ts

@@ -1,7 +1,8 @@
 /**
- * Executes promises and returns results as soon as threshold is reached
+ * Executes all promises and returns all successful results.
+ * Rejects early if it becomes mathematically impossible to reach the threshold.
  * @param promises Array of promises to execute
- * @param threshold Number of successful responses needed
- * @returns Promise that resolves with threshold number of results
+ * @param threshold Minimum number of successful responses required
+ * @returns Promise that resolves with all successful results (length >= threshold)
  */
 export declare function executeWithThreshold<T>(promises: Promise<T>[], threshold: number): Promise<T[]>;

package/dist/types/lite/hadu.d.ts

@@ -1,4 +1,4 @@
-import { PlaintextWithContext } from '../encryption/index.js';
+import { PlaintextWithContext } from '../encryption/encryption.js';
 import { InputPayload } from '../generated/es/inco/covalidator/compute/v1/types_pb.js';
 export declare function encodeInput({ plaintext, context, }: PlaintextWithContext): Uint8Array;
 export declare function decodeInput(input: Uint8Array): InputPayload;

package/dist/types/lite/index.d.ts

@@ -4,6 +4,4 @@ export type { HandleWithProof } from '../generated/es/inco/kms/lite/v1/types_pb.
 export * from './attested-compute.js';
 export * from './attested-decrypt.js';
 export * from './deployments.js';
-export * from './hadu.js';
 export * from './lightning.js';
-export { TEST_NETWORK_SEED_KEY, XWING_PUBLIC_KEY_SIZE, decodeXwingPrivateKey, decodeXwingPublicKey, decrypt, deriveXwingKeypairFromSeed, encodeXwingPublicKey, encrypt, generateXwingKeypair, getXwingDecryptor, getXwingEncryptor, type XwingDecryptorArgs, type XwingEncryptorArgs, type XwingKeypair, } from './xwing.js';

package/dist/types/lite/lightning.d.ts

@@ -4,7 +4,7 @@ import { AllowanceVoucherWithSig } from '../advancedacl/types.js';
 import { AttestedComputeOP } from '../attestedcompute/types.js';
 import { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/index.js';
 import { Address, HexString } from '../binary.js';
-import { EncryptionScheme, SupportedFheType } from '../encryption/index.js';
+import { EncryptionScheme, SupportedFheType } from '../encryption/encryption.js';
 import { incoVerifierAbi } from '../generated/abis/verifier.js';
 import { lightningDeployments } from '../generated/lightning.js';
 import { localNodeLightningConfig } from '../generated/local-node.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inco/js",
-  "version": "0.8.0-devnet-13",
+  "version": "0.8.0-devnet-22",
   "repository": "https://github.com/Inco-fhevm/inco-monorepo",
   "license": "Apache-2.0",
   "sideEffects": false,
@@ -80,17 +80,17 @@
     "test:update-snapshots": "bun vitest run --project unit --update"
   },
   "dependencies": {
-    "@bufbuild/protobuf": "^2.2.3",
-    "@connectrpc/connect": "^2.0.0",
-    "@connectrpc/connect-node": "^2.0.0",
-    "@connectrpc/connect-web": "^2.0.1",
-    "@grpc/grpc-js": "^1.13.4",
-    "@hpke/hybridkem-x-wing": "^0.6.1",
-    "@hpke/core": "^1.7.5",
-    "@hpke/chacha20poly1305": "^1.7.1",
-    "effect": "^3.17.13",
-    "sha3": "^2.1.4",
-    "viem": "^2.39.3"
+    "@bufbuild/protobuf": "2.10.0",
+    "@connectrpc/connect": "2.1.0",
+    "@connectrpc/connect-node": "2.1.0",
+    "@connectrpc/connect-web": "2.1.0",
+    "@grpc/grpc-js": "1.14.0",
+    "@hpke/hybridkem-x-wing": "0.6.1",
+    "@hpke/core": "1.7.5",
+    "@hpke/chacha20poly1305": "1.7.1",
+    "effect": "3.18.4",
+    "sha3": "2.1.4",
+    "viem": "2.39.3"
   },
   "devDependencies": {
     "@inco/pega": "workspace:*",