@inco/js 0.8.0-devnet-13 → 0.8.0-devnet-22

package/dist/cjs/kms/quorumConsistency.d.ts

@@ -0,0 +1,58 @@
+import type { Address } from 'viem';
+import type { AttestedComputeRequest, AttestedComputeResponse, AttestedDecryptResponse, AttestedRevealResponse, DecryptionAttestation as ProtoDecryptionAttestation } from '../generated/es/inco/kms/lite/v1/kms_service_pb.js';
+import type { XwingKeypair } from '../lite/xwing.js';
+/**
+ * Computes a canonical key for a single attestation.
+ * For plaintext/reencryption+keypair, the key is handle:hex(value).
+ * For reencryption without a keypair (XWing ciphertexts are non-deterministic),
+ * falls back to handle:op-type as a structural stand-in.
+ */
+export declare function computeAttestationKey(att: ProtoDecryptionAttestation, reencryptKeypair?: XwingKeypair): Promise<string>;
+/**
+ * Validates that all responses in a winning bucket have the same attestation
+ * count and types as the quorum-elected reference (bucket[0]).
+ */
+export declare function validateDecryptResponseStructure<T extends AttestedDecryptResponse | AttestedRevealResponse>(bucket: Array<{
+    response: T;
+    signer: Address;
+}>): void;
+/**
+ * Validates that all responses in a winning bucket have a decryption
+ * attestation with the same case as the quorum-elected reference (bucket[0]),
+ * and that the case is consistent with the request's reencryptPubKey.
+ */
+export declare function validateComputeResponseStructure(bucket: Array<{
+    response: AttestedComputeResponse;
+    signer: Address;
+}>, request?: AttestedComputeRequest): void;
+/**
+ * Verifies decrypt/reveal response consistency using hash-bucket voting.
+ * Collects all N responses, buckets them by content key, and returns the
+ * winning bucket (the first one with >= threshold votes).
+ *
+ * This is robust against a faulty first-responding node: even if responses[0]
+ * disagrees, a quorum of agreeing responses will form a winning bucket.
+ */
+export declare function verifyDecryptResponseConsistency<T extends AttestedDecryptResponse | AttestedRevealResponse>(allResults: Array<{
+    response: T;
+    signer: Address;
+}>, threshold: number, reencryptKeypair?: XwingKeypair): Promise<{
+    reference: T;
+    winningResults: Array<{
+        response: T;
+        signer: Address;
+    }>;
+}>;
+/**
+ * Verifies compute response consistency using hash-bucket voting.
+ */
+export declare function verifyComputeResponseConsistency(allResults: Array<{
+    response: AttestedComputeResponse;
+    signer: Address;
+}>, threshold: number, request?: AttestedComputeRequest, reencryptKeypair?: XwingKeypair): Promise<{
+    reference: AttestedComputeResponse;
+    winningResults: Array<{
+        response: AttestedComputeResponse;
+        signer: Address;
+    }>;
+}>;

package/dist/cjs/kms/quorumConsistency.js

@@ -0,0 +1,200 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeAttestationKey = computeAttestationKey;
+exports.validateDecryptResponseStructure = validateDecryptResponseStructure;
+exports.validateComputeResponseStructure = validateComputeResponseStructure;
+exports.verifyDecryptResponseConsistency = verifyDecryptResponseConsistency;
+exports.verifyComputeResponseConsistency = verifyComputeResponseConsistency;
+const binary_js_1 = require("../binary.js");
+const handle_js_1 = require("../handle.js");
+const xwing_js_1 = require("../lite/xwing.js");
+/**
+ * Computes a canonical key for a single attestation.
+ * For plaintext/reencryption+keypair, the key is handle:hex(value).
+ * For reencryption without a keypair (XWing ciphertexts are non-deterministic),
+ * falls back to handle:op-type as a structural stand-in.
+ */
+async function computeAttestationKey(att, reencryptKeypair) {
+    if (!att.value)
+        throw new Error('No value in attestation');
+    if (att.value.case === 'plaintext') {
+        if (!att.value.value.value)
+            throw new Error('No plaintext value in attestation');
+        return att.handle + ':' + (0, binary_js_1.bytesToHex)(att.value.value.value);
+    }
+    if (att.value.case === 'reencryption') {
+        const ct = att.value.value.userCiphertext;
+        if (!ct)
+            throw new Error('No ciphertext in reencryption');
+        if (reencryptKeypair) {
+            return att.handle + ':' + (0, binary_js_1.bytesToHex)(await (0, xwing_js_1.decrypt)(reencryptKeypair, ct));
+        }
+        // Without a keypair, XWing ciphertexts are non-deterministic so we
+        // can only check structural equality (handle + op-type).
+        return att.handle + ':' + String((0, handle_js_1.getHandleType)((0, binary_js_1.parseHex)(att.handle)));
+    }
+    throw new Error(`Unexpected attestation type: ${att.value.case}, expected 'plaintext' or 'reencryption'`);
+}
+/**
+ * Validates that all responses in a winning bucket have the same attestation
+ * count and types as the quorum-elected reference (bucket[0]).
+ */
+function validateDecryptResponseStructure(bucket) {
+    const reference = bucket[0].response;
+    for (let r = 1; r < bucket.length; r++) {
+        if (bucket[r].response.decryptionAttestations.length !==
+            reference.decryptionAttestations.length) {
+            throw new Error('Inconsistent number of decryption attestations across KMS responses');
+        }
+    }
+    for (let i = 0; i < reference.decryptionAttestations.length; i++) {
+        const refAtt = reference.decryptionAttestations[i];
+        const refCase = refAtt.value?.case;
+        if (!refCase) {
+            throw new Error('No value in reference attestation');
+        }
+        for (let r = 1; r < bucket.length; r++) {
+            const att = bucket[r].response.decryptionAttestations[i];
+            if (!att.value) {
+                throw new Error('No value in attestation');
+            }
+            // Defensive check: handles should match within a bucket (bucketing includes handle in key)
+            if (att.handle !== refAtt.handle) {
+                throw new Error(`Handle mismatch at attestation index ${i}: expected '${refAtt.handle}' but got '${att.handle}'`);
+            }
+            if (att.value.case !== refCase) {
+                throw new Error(`Inconsistent attestation types: reference has '${refCase}' but response ${r} has '${att.value.case}'`);
+            }
+        }
+    }
+}
+/**
+ * Validates that all responses in a winning bucket have a decryption
+ * attestation with the same case as the quorum-elected reference (bucket[0]),
+ * and that the case is consistent with the request's reencryptPubKey.
+ */
+function validateComputeResponseStructure(bucket, request) {
+    const refAtt = bucket[0].response.decryptionAttestation;
+    if (!refAtt) {
+        throw new Error('No decryption attestation in reference response');
+    }
+    if (!refAtt.value) {
+        throw new Error('No value in reference attestation');
+    }
+    const refCase = refAtt.value.case;
+    const hasReencryptPubKey = request?.reencryptPubKey && request.reencryptPubKey.length > 0;
+    if (refCase === 'reencryption' && !hasReencryptPubKey) {
+        throw new Error("Unexpected attestation type: reencryption, expected 'plaintext'");
+    }
+    if (refCase !== 'plaintext' && refCase !== 'reencryption') {
+        throw new Error(`Unexpected attestation type: ${refCase}, expected 'plaintext' or 'reencryption'`);
+    }
+    for (let r = 1; r < bucket.length; r++) {
+        const att = bucket[r].response.decryptionAttestation;
+        if (!att)
+            throw new Error('No decryption attestation in response');
+        if (!att.value)
+            throw new Error('No value in attestation');
+        // Defensive check: handles should match within a bucket (bucketing includes handle in key)
+        if (att.handle !== refAtt.handle) {
+            throw new Error(`Handle mismatch: expected '${refAtt.handle}' but got '${att.handle}'`);
+        }
+        if (att.value.case !== refCase) {
+            throw new Error(`Inconsistent attestation types: reference has '${refCase}' but response ${r} has '${att.value.case}'`);
+        }
+    }
+}
+async function computeDecryptResponseKey(response, reencryptKeypair) {
+    const keys = await Promise.all(response.decryptionAttestations.map((att) => computeAttestationKey(att, reencryptKeypair)));
+    return keys.join('|');
+}
+async function computeComputeResponseKey(response, reencryptKeypair) {
+    const att = response.decryptionAttestation;
+    if (!att)
+        throw new Error('No decryption attestation in response');
+    return computeAttestationKey(att, reencryptKeypair);
+}
+/**
+ * Verifies decrypt/reveal response consistency using hash-bucket voting.
+ * Collects all N responses, buckets them by content key, and returns the
+ * winning bucket (the first one with >= threshold votes).
+ *
+ * This is robust against a faulty first-responding node: even if responses[0]
+ * disagrees, a quorum of agreeing responses will form a winning bucket.
+ */
+async function verifyDecryptResponseConsistency(allResults, threshold, reencryptKeypair) {
+    if (allResults.length === 0) {
+        throw new Error('No responses collected to verify');
+    }
+    // Compute a content key for each response and bucket by key.
+    // Responses whose key computation fails (malformed/invalid attestation) are
+    // excluded so that one faulty responder cannot abort the whole check.
+    const buckets = new Map();
+    const skippedErrors = [];
+    for (const result of allResults) {
+        let key;
+        try {
+            key = await computeDecryptResponseKey(result.response, reencryptKeypair);
+        }
+        catch (e) {
+            skippedErrors.push(e instanceof Error ? e.message : String(e));
+            continue;
+        }
+        if (!buckets.has(key))
+            buckets.set(key, []);
+        buckets.get(key).push(result);
+    }
+    // Find the first bucket that reaches the quorum threshold.
+    // With majority threshold (floor(n/2) + 1), at most one bucket can reach quorum,
+    // so iteration order doesn't affect which bucket wins.
+    for (const bucket of buckets.values()) {
+        if (bucket.length >= threshold) {
+            validateDecryptResponseStructure(bucket);
+            return { reference: bucket[0].response, winningResults: bucket };
+        }
+    }
+    const skippedSuffix = skippedErrors.length > 0
+        ? `; ${skippedErrors.length} response(s) excluded due to key-computation errors: ${skippedErrors.join(', ')}`
+        : '';
+    throw new Error(`No quorum: no group of ${threshold} KMS responses agreed on the same value${skippedSuffix}`);
+}
+/**
+ * Verifies compute response consistency using hash-bucket voting.
+ */
+async function verifyComputeResponseConsistency(allResults, threshold, request, reencryptKeypair) {
+    if (allResults.length === 0) {
+        throw new Error('No responses collected to verify');
+    }
+    // Compute a content key for each response and bucket by key.
+    // Responses whose key computation fails (malformed/invalid attestation) are
+    // excluded so that one faulty responder cannot abort the whole check.
+    const buckets = new Map();
+    const skippedErrors = [];
+    for (const result of allResults) {
+        let key;
+        try {
+            key = await computeComputeResponseKey(result.response, reencryptKeypair);
+        }
+        catch (e) {
+            skippedErrors.push(e instanceof Error ? e.message : String(e));
+            continue;
+        }
+        if (!buckets.has(key))
+            buckets.set(key, []);
+        buckets.get(key).push(result);
+    }
+    // Find the first bucket that reaches the quorum threshold.
+    // With majority threshold (floor(n/2) + 1), at most one bucket can reach quorum,
+    // so iteration order doesn't affect which bucket wins.
+    for (const bucket of buckets.values()) {
+        if (bucket.length >= threshold) {
+            validateComputeResponseStructure(bucket, request);
+            return { reference: bucket[0].response, winningResults: bucket };
+        }
+    }
+    const skippedSuffix = skippedErrors.length > 0
+        ? `; ${skippedErrors.length} response(s) excluded due to key-computation errors: ${skippedErrors.join(', ')}`
+        : '';
+    throw new Error(`No quorum: no group of ${threshold} KMS responses agreed on the same value${skippedSuffix}`);
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicXVvcnVtQ29uc2lzdGVuY3kuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMva21zL3F1b3J1bUNvbnNpc3RlbmN5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBbUJBLHNEQXVCQztBQU1ELDRFQXdDQztBQU9ELDRFQTRDQztBQThCRCw0RUFnREM7QUFLRCw0RUFrREM7QUEvUUQsNENBQW9EO0FBUXBELDRDQUE2QztBQUU3QywrQ0FBMkM7QUFFM0M7Ozs7O0dBS0c7QUFDSSxLQUFLLFVBQVUscUJBQXFCLENBQ3pDLEdBQStCLEVBQy9CLGdCQUErQjtJQUUvQixJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUs7UUFBRSxNQUFNLElBQUksS0FBSyxDQUFDLHlCQUF5QixDQUFDLENBQUM7SUFDM0QsSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLElBQUksS0FBSyxXQUFXLEVBQUUsQ0FBQztRQUNuQyxJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsS0FBSztZQUN4QixNQUFNLElBQUksS0FBSyxDQUFDLG1DQUFtQyxDQUFDLENBQUM7UUFDdkQsT0FBTyxHQUFHLENBQUMsTUFBTSxHQUFHLEdBQUcsR0FBRyxJQUFBLHNCQUFVLEVBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUM7SUFDOUQsQ0FBQztJQUNELElBQUksR0FBRyxDQUFDLEtBQUssQ0FBQyxJQUFJLEtBQUssY0FBYyxFQUFFLENBQUM7UUFDdEMsTUFBTSxFQUFFLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsY0FBYyxDQUFDO1FBQzFDLElBQUksQ0FBQyxFQUFFO1lBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQywrQkFBK0IsQ0FBQyxDQUFDO1FBQzFELElBQUksZ0JBQWdCLEVBQUUsQ0FBQztZQUNyQixPQUFPLEdBQUcsQ0FBQyxNQUFNLEdBQUcsR0FBRyxHQUFHLElBQUEsc0JBQVUsRUFBQyxNQUFNLElBQUEsa0JBQU8sRUFBQyxnQkFBZ0IsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDO1FBQzVFLENBQUM7UUFDRCxtRUFBbUU7UUFDbkUseURBQXlEO1FBQ3pELE9BQU8sR0FBRyxDQUFDLE1BQU0sR0FBRyxHQUFHLEdBQUcsTUFBTSxDQUFDLElBQUEseUJBQWEsRUFBQyxJQUFBLG9CQUFRLEVBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUN4RSxDQUFDO0lBQ0QsTUFBTSxJQUFJLEtBQUssQ0FDYixnQ0FBZ0MsR0FBRyxDQUFDLEtBQUssQ0FBQyxJQUFJLDBDQUEwQyxDQUN6RixDQUFDO0FBQ0osQ0FBQztBQUVEOzs7R0FHRztBQUNILFNBQWdCLGdDQUFnQyxDQUU5QyxNQUErQztJQUMvQyxNQUFNLFNBQVMsR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDO0lBRXJDLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxNQUFNLENBQUMsTUFBTSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUM7UUFDdkMsSUFDRSxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLHNCQUFzQixDQUFDLE1BQU07WUFDaEQsU0FBUyxDQUFDLHNCQUFzQixDQUFDLE1BQU0sRUFDdkMsQ0FBQztZQUNELE1BQU0sSUFBSSxLQUFLLENBQ2IscUVBQXFFLENBQ3RFLENBQUM7UUFDSixDQUFDO0lBQ0gsQ0FBQztJQUVELEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxTQUFTLENBQUMsc0JBQXNCLENBQUMsTUFBTSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUM7UUFDakUsTUFBTSxNQUFNLEdBQUcsU0FBUyxDQUFDLHNCQUFzQixDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ25ELE1BQU0sT0FBTyxHQUFHLE1BQU0sQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDO1FBQ25DLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE1BQU0sSUFBSSxLQUFLLENBQUMsbUNBQW1DLENBQUMsQ0FBQztRQUN2RCxDQUFDO1FBQ0QsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQztZQUN2QyxNQUFNLEdBQUcsR0FBRyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLHNCQUFzQixDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3pELElBQUksQ0FBQyxHQUFHLENBQUMsS0FBSyxFQUFFLENBQUM7Z0JBQ2YsTUFBTSxJQUFJLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO1lBQzdDLENBQUM7WUFDRCwyRkFBMkY7WUFDM0YsSUFBSSxHQUFHLENBQUMsTUFBTSxLQUFLLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQztnQkFDakMsTUFBTSxJQUFJLEtBQUssQ0FDYix3Q0FBd0MsQ0FBQyxlQUFlLE1BQU0sQ0FBQyxNQUFNLGNBQWMsR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUNqRyxDQUFDO1lBQ0osQ0FBQztZQUNELElBQUksR0FBRyxDQUFDLEtBQUssQ0FBQyxJQUFJLEtBQUssT0FBTyxFQUFFLENBQUM7Z0JBQy9CLE1BQU0sSUFBSSxLQUFLLENBQ2Isa0RBQWtELE9BQU8sa0JBQWtCLENBQUMsU0FBUyxHQUFHLENBQUMsS0FBSyxDQUFDLElBQUksR0FBRyxDQUN2RyxDQUFDO1lBQ0osQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0FBQ0gsQ0FBQztBQUVEOzs7O0dBSUc7QUFDSCxTQUFnQixnQ0FBZ0MsQ0FDOUMsTUFBcUUsRUFDckUsT0FBZ0M7SUFFaEMsTUFBTSxNQUFNLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQztJQUN4RCxJQUFJLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDWixNQUFNLElBQUksS0FBSyxDQUFDLGlEQUFpRCxDQUFDLENBQUM7SUFDckUsQ0FBQztJQUNELElBQUksQ0FBQyxNQUFNLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDbEIsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQ0FBbUMsQ0FBQyxDQUFDO0lBQ3ZELENBQUM7SUFFRCxNQUFNLE9BQU8sR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQztJQUVsQyxNQUFNLGtCQUFrQixHQUN0QixPQUFPLEVBQUUsZUFBZSxJQUFJLE9BQU8sQ0FBQyxlQUFlLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQztJQUNqRSxJQUFJLE9BQU8sS0FBSyxjQUFjLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1FBQ3RELE1BQU0sSUFBSSxLQUFLLENBQ2IsaUVBQWlFLENBQ2xFLENBQUM7SUFDSixDQUFDO0lBRUQsSUFBSSxPQUFPLEtBQUssV0FBVyxJQUFJLE9BQU8sS0FBSyxjQUFjLEVBQUUsQ0FBQztRQUMxRCxNQUFNLElBQUksS0FBSyxDQUNiLGdDQUFnQyxPQUFPLDBDQUEwQyxDQUNsRixDQUFDO0lBQ0osQ0FBQztJQUVELEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxNQUFNLENBQUMsTUFBTSxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUM7UUFDdkMsTUFBTSxHQUFHLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxxQkFBcUIsQ0FBQztRQUNyRCxJQUFJLENBQUMsR0FBRztZQUFFLE1BQU0sSUFBSSxLQUFLLENBQUMsdUNBQXVDLENBQUMsQ0FBQztRQUNuRSxJQUFJLENBQUMsR0FBRyxDQUFDLEtBQUs7WUFBRSxNQUFNLElBQUksS0FBSyxDQUFDLHlCQUF5QixDQUFDLENBQUM7UUFDM0QsMkZBQTJGO1FBQzNGLElBQUksR0FBRyxDQUFDLE1BQU0sS0FBSyxNQUFNLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDakMsTUFBTSxJQUFJLEtBQUssQ0FDYiw4QkFBOEIsTUFBTSxDQUFDLE1BQU0sY0FBYyxHQUFHLENBQUMsTUFBTSxHQUFHLENBQ3ZFLENBQUM7UUFDSixDQUFDO1FBQ0QsSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLElBQUksS0FBSyxPQUFPLEVBQUUsQ0FBQztZQUMvQixNQUFNLElBQUksS0FBSyxDQUNiLGtEQUFrRCxPQUFPLGtCQUFrQixDQUFDLFNBQVMsR0FBRyxDQUFDLEtBQUssQ0FBQyxJQUFJLEdBQUcsQ0FDdkcsQ0FBQztRQUNKLENBQUM7SUFDSCxDQUFDO0FBQ0gsQ0FBQztBQUVELEtBQUssVUFBVSx5QkFBeUIsQ0FFdEMsUUFBVyxFQUFFLGdCQUErQjtJQUM1QyxNQUFNLElBQUksR0FBRyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQzVCLFFBQVEsQ0FBQyxzQkFBc0IsQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUMxQyxxQkFBcUIsQ0FBQyxHQUFHLEVBQUUsZ0JBQWdCLENBQUMsQ0FDN0MsQ0FDRixDQUFDO0lBQ0YsT0FBTyxJQUFJLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFDO0FBQ3hCLENBQUM7QUFFRCxLQUFLLFVBQVUseUJBQXlCLENBQ3RDLFFBQWlDLEVBQ2pDLGdCQUErQjtJQUUvQixNQUFNLEdBQUcsR0FBRyxRQUFRLENBQUMscUJBQXFCLENBQUM7SUFDM0MsSUFBSSxDQUFDLEdBQUc7UUFBRSxNQUFNLElBQUksS0FBSyxDQUFDLHVDQUF1QyxDQUFDLENBQUM7SUFDbkUsT0FBTyxxQkFBcUIsQ0FBQyxHQUFHLEVBQUUsZ0JBQWdCLENBQUMsQ0FBQztBQUN0RCxDQUFDO0FBRUQ7Ozs7Ozs7R0FPRztBQUNJLEtBQUssVUFBVSxnQ0FBZ0MsQ0FHcEQsVUFBbUQsRUFDbkQsU0FBaUIsRUFDakIsZ0JBQStCO0lBSy9CLElBQUksVUFBVSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUM1QixNQUFNLElBQUksS0FBSyxDQUFDLGtDQUFrQyxDQUFDLENBQUM7SUFDdEQsQ0FBQztJQUVELDZEQUE2RDtJQUM3RCw0RUFBNEU7SUFDNUUsc0VBQXNFO0lBQ3RFLE1BQU0sT0FBTyxHQUFHLElBQUksR0FBRyxFQUFtRCxDQUFDO0lBQzNFLE1BQU0sYUFBYSxHQUFhLEVBQUUsQ0FBQztJQUNuQyxLQUFLLE1BQU0sTUFBTSxJQUFJLFVBQVUsRUFBRSxDQUFDO1FBQ2hDLElBQUksR0FBVyxDQUFDO1FBQ2hCLElBQUksQ0FBQztZQUNILEdBQUcsR0FBRyxNQUFNLHlCQUF5QixDQUFDLE1BQU0sQ0FBQyxRQUFRLEVBQUUsZ0JBQWdCLENBQUMsQ0FBQztRQUMzRSxDQUFDO1FBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztZQUNYLGFBQWEsQ0FBQyxJQUFJLENBQUMsQ0FBQyxZQUFZLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7WUFDL0QsU0FBUztRQUNYLENBQUM7UUFDRCxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUM7WUFBRSxPQUFPLENBQUMsR0FBRyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsQ0FBQztRQUM1QyxPQUFPLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBRSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztJQUNqQyxDQUFDO0lBRUQsMkRBQTJEO0lBQzNELGlGQUFpRjtJQUNqRix1REFBdUQ7SUFDdkQsS0FBSyxNQUFNLE1BQU0sSUFBSSxPQUFPLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQztRQUN0QyxJQUFJLE1BQU0sQ0FBQyxNQUFNLElBQUksU0FBUyxFQUFFLENBQUM7WUFDL0IsZ0NBQWdDLENBQUMsTUFBTSxDQUFDLENBQUM7WUFDekMsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxFQUFFLGNBQWMsRUFBRSxNQUFNLEVBQUUsQ0FBQztRQUNuRSxDQUFDO0lBQ0gsQ0FBQztJQUVELE1BQU0sYUFBYSxHQUNqQixhQUFhLENBQUMsTUFBTSxHQUFHLENBQUM7UUFDdEIsQ0FBQyxDQUFDLEtBQUssYUFBYSxDQUFDLE1BQU0sd0RBQXdELGFBQWEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUU7UUFDN0csQ0FBQyxDQUFDLEVBQUUsQ0FBQztJQUNULE1BQU0sSUFBSSxLQUFLLENBQ2IsMEJBQTBCLFNBQVMsMENBQTBDLGFBQWEsRUFBRSxDQUM3RixDQUFDO0FBQ0osQ0FBQztBQUVEOztHQUVHO0FBQ0ksS0FBSyxVQUFVLGdDQUFnQyxDQUNwRCxVQUF5RSxFQUN6RSxTQUFpQixFQUNqQixPQUFnQyxFQUNoQyxnQkFBK0I7SUFLL0IsSUFBSSxVQUFVLENBQUMsTUFBTSxLQUFLLENBQUMsRUFBRSxDQUFDO1FBQzVCLE1BQU0sSUFBSSxLQUFLLENBQUMsa0NBQWtDLENBQUMsQ0FBQztJQUN0RCxDQUFDO0lBRUQsNkRBQTZEO0lBQzdELDRFQUE0RTtJQUM1RSxzRUFBc0U7SUFDdEUsTUFBTSxPQUFPLEdBQUcsSUFBSSxHQUFHLEVBR3BCLENBQUM7SUFDSixNQUFNLGFBQWEsR0FBYSxFQUFFLENBQUM7SUFDbkMsS0FBSyxNQUFNLE1BQU0sSUFBSSxVQUFVLEVBQUUsQ0FBQztRQUNoQyxJQUFJLEdBQVcsQ0FBQztRQUNoQixJQUFJLENBQUM7WUFDSCxHQUFHLEdBQUcsTUFBTSx5QkFBeUIsQ0FBQyxNQUFNLENBQUMsUUFBUSxFQUFFLGdCQUFnQixDQUFDLENBQUM7UUFDM0UsQ0FBQztRQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7WUFDWCxhQUFhLENBQUMsSUFBSSxDQUFDLENBQUMsWUFBWSxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQy9ELFNBQVM7UUFDWCxDQUFDO1FBQ0QsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDO1lBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFDNUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxHQUFHLENBQUUsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDakMsQ0FBQztJQUVELDJEQUEyRDtJQUMzRCxpRkFBaUY7SUFDakYsdURBQXVEO0lBQ3ZELEtBQUssTUFBTSxNQUFNLElBQUksT0FBTyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUM7UUFDdEMsSUFBSSxNQUFNLENBQUMsTUFBTSxJQUFJLFNBQVMsRUFBRSxDQUFDO1lBQy9CLGdDQUFnQyxDQUFDLE1BQU0sRUFBRSxPQUFPLENBQUMsQ0FBQztZQUNsRCxPQUFPLEVBQUUsU0FBUyxFQUFFLE1BQU0sQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLEVBQUUsY0FBYyxFQUFFLE1BQU0sRUFBRSxDQUFDO1FBQ25FLENBQUM7SUFDSCxDQUFDO0lBRUQsTUFBTSxhQUFhLEdBQ2pCLGFBQWEsQ0FBQyxNQUFNLEdBQUcsQ0FBQztRQUN0QixDQUFDLENBQUMsS0FBSyxhQUFhLENBQUMsTUFBTSx3REFBd0QsYUFBYSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRTtRQUM3RyxDQUFDLENBQUMsRUFBRSxDQUFDO0lBQ1QsTUFBTSxJQUFJLEtBQUssQ0FDYiwwQkFBMEIsU0FBUywwQ0FBMEMsYUFBYSxFQUFFLENBQzdGLENBQUM7QUFDSixDQUFDIn0=

package/dist/cjs/kms/signatureVerification.d.ts

@@ -0,0 +1,35 @@
+import type { Account, Address, Chain, PublicClient, Transport, WalletClient } from 'viem';
+export type ViemClient = WalletClient<Transport, Chain, Account> | PublicClient<Transport, Chain>;
+/**
+ * Verifies covalidator signatures for a plaintext DecryptionAttestation
+ * by calling `isValidDecryptionAttestation` on the IncoVerifier contract.
+ *
+ * This delegates all verification logic (EIP-712 digest computation,
+ * ECDSA recovery, signer authorization, threshold check) to the contract,
+ * ensuring exact parity with on-chain verification.
+ *
+ * @param handle - The handle hex string (bytes32)
+ * @param rawValueBytes - The raw plaintext value bytes (will be left-padded to 32 bytes)
+ * @param signatures - The covalidator ECDSA signatures to verify
+ * @param executorAddress - The Lightning contract address (executor)
+ * @param client - A viem client capable of reading contract state
+ * @throws If the contract returns false (insufficient valid signatures)
+ */
+export declare function verifyPlaintextAttestationSignatures(handle: string, rawValueBytes: Uint8Array, signatures: Uint8Array[], executorAddress: Address, client: ViemClient): Promise<void>;
+/**
+ * Verifies covalidator envelope signatures for reencryption attestations
+ * by calling `isValidReencryptionAttestation` on the IncoVerifier contract.
+ *
+ * Each covalidator signs over its own unique (userCiphertext, handle, encryptedSignature)
+ * tuple, so all three per-covalidator arrays must be aligned by index and sorted
+ * by signer address in ascending order.
+ *
+ * @param handle - The handle hex string (bytes32)
+ * @param userCiphertexts - Per-covalidator ciphertexts (sorted by signer address)
+ * @param encryptedSignatures - Per-covalidator encrypted inner signatures (sorted by signer address)
+ * @param envelopeSignatures - Per-covalidator envelope signatures (sorted by signer address)
+ * @param executorAddress - The Lightning contract address (executor)
+ * @param client - A viem client capable of reading contract state
+ * @throws If the contract returns false (insufficient valid signatures)
+ */
+export declare function verifyReencryptionAttestationSignatures(handle: string, userCiphertexts: Uint8Array[], encryptedSignatures: Uint8Array[], envelopeSignatures: Uint8Array[], executorAddress: Address, client: ViemClient): Promise<void>;

package/dist/cjs/kms/signatureVerification.js

@@ -0,0 +1,88 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyPlaintextAttestationSignatures = verifyPlaintextAttestationSignatures;
+exports.verifyReencryptionAttestationSignatures = verifyReencryptionAttestationSignatures;
+const viem_1 = require("viem");
+const lightning_js_1 = require("../generated/abis/lightning.js");
+const verifier_js_1 = require("../generated/abis/verifier.js");
+/**
+ * Resolves the IncoVerifier contract instance from the executor (Lightning) contract.
+ */
+async function getVerifierContract(executorAddress, client) {
+    const lightning = (0, viem_1.getContract)({
+        address: executorAddress,
+        abi: lightning_js_1.incoLightningAbi,
+        client,
+    });
+    const verifierAddress = await lightning.read.incoVerifier();
+    return (0, viem_1.getContract)({
+        address: verifierAddress,
+        abi: verifier_js_1.incoVerifierAbi,
+        client,
+    });
+}
+/**
+ * Verifies covalidator signatures for a plaintext DecryptionAttestation
+ * by calling `isValidDecryptionAttestation` on the IncoVerifier contract.
+ *
+ * This delegates all verification logic (EIP-712 digest computation,
+ * ECDSA recovery, signer authorization, threshold check) to the contract,
+ * ensuring exact parity with on-chain verification.
+ *
+ * @param handle - The handle hex string (bytes32)
+ * @param rawValueBytes - The raw plaintext value bytes (will be left-padded to 32 bytes)
+ * @param signatures - The covalidator ECDSA signatures to verify
+ * @param executorAddress - The Lightning contract address (executor)
+ * @param client - A viem client capable of reading contract state
+ * @throws If the contract returns false (insufficient valid signatures)
+ */
+async function verifyPlaintextAttestationSignatures(handle, rawValueBytes, signatures, executorAddress, client) {
+    const verifier = await getVerifierContract(executorAddress, client);
+    // Left-pad value to 32 bytes (matching Go's common.LeftPadBytes(value, 32))
+    const valueHex = (0, viem_1.pad)((0, viem_1.bytesToHex)(rawValueBytes), {
+        dir: 'left',
+        size: 32,
+    });
+    // Convert signatures to hex format for the contract call
+    const signaturesHex = signatures.map((sig) => (0, viem_1.bytesToHex)(sig));
+    const isValid = await verifier.read.isValidDecryptionAttestation([
+        { handle: handle, value: valueHex },
+        signaturesHex,
+    ]);
+    if (!isValid) {
+        throw new Error('Covalidator signature verification failed: isValidDecryptionAttestation returned false');
+    }
+}
+/**
+ * Verifies covalidator envelope signatures for reencryption attestations
+ * by calling `isValidReencryptionAttestation` on the IncoVerifier contract.
+ *
+ * Each covalidator signs over its own unique (userCiphertext, handle, encryptedSignature)
+ * tuple, so all three per-covalidator arrays must be aligned by index and sorted
+ * by signer address in ascending order.
+ *
+ * @param handle - The handle hex string (bytes32)
+ * @param userCiphertexts - Per-covalidator ciphertexts (sorted by signer address)
+ * @param encryptedSignatures - Per-covalidator encrypted inner signatures (sorted by signer address)
+ * @param envelopeSignatures - Per-covalidator envelope signatures (sorted by signer address)
+ * @param executorAddress - The Lightning contract address (executor)
+ * @param client - A viem client capable of reading contract state
+ * @throws If the contract returns false (insufficient valid signatures)
+ */
+async function verifyReencryptionAttestationSignatures(handle, userCiphertexts, encryptedSignatures, envelopeSignatures, executorAddress, client) {
+    const verifier = await getVerifierContract(executorAddress, client);
+    const attestations = userCiphertexts.map((ct, i) => ({
+        handle: handle,
+        userCiphertext: (0, viem_1.bytesToHex)(ct),
+        encryptedSignature: (0, viem_1.bytesToHex)(encryptedSignatures[i]),
+    }));
+    const signaturesHex = envelopeSignatures.map((sig) => (0, viem_1.bytesToHex)(sig));
+    const isValid = await verifier.read.isValidReencryptionAttestation([
+        attestations,
+        signaturesHex,
+    ]);
+    if (!isValid) {
+        throw new Error('Covalidator signature verification failed: isValidReencryptionAttestation returned false');
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2lnbmF0dXJlVmVyaWZpY2F0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2ttcy9zaWduYXR1cmVWZXJpZmljYXRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFzREEsb0ZBOEJDO0FBa0JELDBGQThCQztBQTNIRCwrQkFBc0U7QUFDdEUsaUVBQWtFO0FBQ2xFLCtEQUFnRTtBQU1oRTs7R0FFRztBQUNILEtBQUssVUFBVSxtQkFBbUIsQ0FDaEMsZUFBd0IsRUFDeEIsTUFBa0I7SUFFbEIsTUFBTSxTQUFTLEdBQUcsSUFBQSxrQkFBVyxFQUFDO1FBQzVCLE9BQU8sRUFBRSxlQUFlO1FBQ3hCLEdBQUcsRUFBRSwrQkFBZ0I7UUFDckIsTUFBTTtLQUNQLENBQUMsQ0FBQztJQUVILE1BQU0sZUFBZSxHQUFHLE1BQU0sU0FBUyxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztJQUU1RCxPQUFPLElBQUEsa0JBQVcsRUFBQztRQUNqQixPQUFPLEVBQUUsZUFBZTtRQUN4QixHQUFHLEVBQUUsNkJBQWU7UUFDcEIsTUFBTTtLQUNQLENBQUMsQ0FBQztBQUNMLENBQUM7QUFFRDs7Ozs7Ozs7Ozs7Ozs7R0FjRztBQUNJLEtBQUssVUFBVSxvQ0FBb0MsQ0FDeEQsTUFBYyxFQUNkLGFBQXlCLEVBQ3pCLFVBQXdCLEVBQ3hCLGVBQXdCLEVBQ3hCLE1BQWtCO0lBRWxCLE1BQU0sUUFBUSxHQUFHLE1BQU0sbUJBQW1CLENBQUMsZUFBZSxFQUFFLE1BQU0sQ0FBQyxDQUFDO0lBRXBFLDRFQUE0RTtJQUM1RSxNQUFNLFFBQVEsR0FBRyxJQUFBLFVBQUcsRUFBQyxJQUFBLGlCQUFjLEVBQUMsYUFBYSxDQUFDLEVBQUU7UUFDbEQsR0FBRyxFQUFFLE1BQU07UUFDWCxJQUFJLEVBQUUsRUFBRTtLQUNULENBQUMsQ0FBQztJQUVILHlEQUF5RDtJQUN6RCxNQUFNLGFBQWEsR0FBVSxVQUFVLENBQUMsR0FBRyxDQUN6QyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsSUFBQSxpQkFBYyxFQUFDLEdBQUcsQ0FBUSxDQUNwQyxDQUFDO0lBRUYsTUFBTSxPQUFPLEdBQUcsTUFBTSxRQUFRLENBQUMsSUFBSSxDQUFDLDRCQUE0QixDQUFDO1FBQy9ELEVBQUUsTUFBTSxFQUFFLE1BQWEsRUFBRSxLQUFLLEVBQUUsUUFBUSxFQUFFO1FBQzFDLGFBQWE7S0FDZCxDQUFDLENBQUM7SUFFSCxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7UUFDYixNQUFNLElBQUksS0FBSyxDQUNiLHdGQUF3RixDQUN6RixDQUFDO0lBQ0osQ0FBQztBQUNILENBQUM7QUFFRDs7Ozs7Ozs7Ozs7Ozs7O0dBZUc7QUFDSSxLQUFLLFVBQVUsdUNBQXVDLENBQzNELE1BQWMsRUFDZCxlQUE2QixFQUM3QixtQkFBaUMsRUFDakMsa0JBQWdDLEVBQ2hDLGVBQXdCLEVBQ3hCLE1BQWtCO0lBRWxCLE1BQU0sUUFBUSxHQUFHLE1BQU0sbUJBQW1CLENBQUMsZUFBZSxFQUFFLE1BQU0sQ0FBQyxDQUFDO0lBRXBFLE1BQU0sWUFBWSxHQUFHLGVBQWUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBQ25ELE1BQU0sRUFBRSxNQUFhO1FBQ3JCLGNBQWMsRUFBRSxJQUFBLGlCQUFjLEVBQUMsRUFBRSxDQUFRO1FBQ3pDLGtCQUFrQixFQUFFLElBQUEsaUJBQWMsRUFBQyxtQkFBbUIsQ0FBQyxDQUFDLENBQUMsQ0FBUTtLQUNsRSxDQUFDLENBQUMsQ0FBQztJQUVKLE1BQU0sYUFBYSxHQUFVLGtCQUFrQixDQUFDLEdBQUcsQ0FDakQsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLElBQUEsaUJBQWMsRUFBQyxHQUFHLENBQVEsQ0FDcEMsQ0FBQztJQUVGLE1BQU0sT0FBTyxHQUFHLE1BQU0sUUFBUSxDQUFDLElBQUksQ0FBQyw4QkFBOEIsQ0FBQztRQUNqRSxZQUFZO1FBQ1osYUFBYTtLQUNkLENBQUMsQ0FBQztJQUVILElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUNiLE1BQU0sSUFBSSxLQUFLLENBQ2IsMEZBQTBGLENBQzNGLENBQUM7SUFDSixDQUFDO0FBQ0gsQ0FBQyJ9

package/dist/cjs/kms/thresholdPromises.d.ts

@@ -1,7 +1,8 @@
 /**
- * Executes promises and returns results as soon as threshold is reached
+ * Executes all promises and returns all successful results.
+ * Rejects early if it becomes mathematically impossible to reach the threshold.
  * @param promises Array of promises to execute
- * @param threshold Number of successful responses needed
- * @returns Promise that resolves with threshold number of results
+ * @param threshold Minimum number of successful responses required
+ * @returns Promise that resolves with all successful results (length >= threshold)
  */
 export declare function executeWithThreshold<T>(promises: Promise<T>[], threshold: number): Promise<T[]>;

package/dist/cjs/kms/thresholdPromises.js

@@ -2,10 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.executeWithThreshold = executeWithThreshold;
 /**
- * Executes promises and returns results as soon as threshold is reached
+ * Executes all promises and returns all successful results.
+ * Rejects early if it becomes mathematically impossible to reach the threshold.
  * @param promises Array of promises to execute
- * @param threshold Number of successful responses needed
- * @returns Promise that resolves with threshold number of results
+ * @param threshold Minimum number of successful responses required
+ * @returns Promise that resolves with all successful results (length >= threshold)
  */
 async function executeWithThreshold(promises, threshold) {
     if (threshold < 0) {
@@ -22,31 +23,40 @@ async function executeWithThreshold(promises, threshold) {
         throw new Error(`Threshold ${threshold} exceeds number of promises ${promises.length}`);
     }
     const results = [];
-    let failures = 0;
+    let settled = 0;
+    let rejected = false;
     return new Promise((resolve, reject) => {
         promises.forEach((promise) => {
             promise
                 .then((response) => {
-                if (results.length < threshold) {
-                    results.push(response);
-                    if (results.length === threshold) {
-                        resolve(results);
-                    }
+                // After early rejection (threshold became unreachable), ignore late-arriving
+                // successes since we've already rejected the overall promise.
+                if (rejected)
+                    return;
+                results.push(response);
+                settled++;
+                if (settled === promises.length) {
+                    resolve(results);
                 }
             })
                 .catch((error) => {
-                console.error(`Error executing promise: ${error}`);
-                failures++;
+                // After early rejection, ignore subsequent failures since we've already
+                // rejected the overall promise.
+                if (rejected)
+                    return;
+                settled++;
                 // Check if we can still reach the threshold
-                // We need (threshold - results.length) more successes
-                // from (promises.length - results.length - failures) remaining promises
-                const remainingPromises = promises.length - results.length - failures;
+                const remainingPromises = promises.length - settled;
                 const neededSuccesses = threshold - results.length;
                 if (remainingPromises < neededSuccesses) {
+                    rejected = true;
                     reject(new Error(`Cannot reach threshold of ${threshold} responses. Failed clients exceed limit. Last error: ${error}`));
                 }
+                else if (settled === promises.length) {
+                    resolve(results);
+                }
             });
         });
     });
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidGhyZXNob2xkUHJvbWlzZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMva21zL3RocmVzaG9sZFByb21pc2VzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBTUEsb0RBb0RDO0FBMUREOzs7OztHQUtHO0FBQ0ksS0FBSyxVQUFVLG9CQUFvQixDQUN4QyxRQUFzQixFQUN0QixTQUFpQjtJQUVqQixJQUFJLFNBQVMsR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUNsQixNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUNELDBDQUEwQztJQUMxQyxJQUFJLFNBQVMsS0FBSyxDQUFDLEVBQUUsQ0FBQztRQUNwQixPQUFPLEVBQUUsQ0FBQztJQUNaLENBQUM7SUFDRCxJQUFJLFFBQVEsQ0FBQyxNQUFNLEtBQUssQ0FBQyxJQUFJLFNBQVMsR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUMzQyxNQUFNLElBQUksS0FBSyxDQUFDLGtEQUFrRCxDQUFDLENBQUM7SUFDdEUsQ0FBQztJQUNELElBQUksU0FBUyxHQUFHLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUNoQyxNQUFNLElBQUksS0FBSyxDQUNiLGFBQWEsU0FBUywrQkFBK0IsUUFBUSxDQUFDLE1BQU0sRUFBRSxDQUN2RSxDQUFDO0lBQ0osQ0FBQztJQUVELE1BQU0sT0FBTyxHQUFRLEVBQUUsQ0FBQztJQUN4QixJQUFJLFFBQVEsR0FBRyxDQUFDLENBQUM7SUFFakIsT0FBTyxJQUFJLE9BQU8sQ0FBQyxDQUFDLE9BQU8sRUFBRSxNQUFNLEVBQUUsRUFBRTtRQUNyQyxRQUFRLENBQUMsT0FBTyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUU7WUFDM0IsT0FBTztpQkFDSixJQUFJLENBQUMsQ0FBQyxRQUFRLEVBQUUsRUFBRTtnQkFDakIsSUFBSSxPQUFPLENBQUMsTUFBTSxHQUFHLFNBQVMsRUFBRSxDQUFDO29CQUMvQixPQUFPLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDO29CQUN2QixJQUFJLE9BQU8sQ0FBQyxNQUFNLEtBQUssU0FBUyxFQUFFLENBQUM7d0JBQ2pDLE9BQU8sQ0FBQyxPQUFPLENBQUMsQ0FBQztvQkFDbkIsQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQyxDQUFDO2lCQUNELEtBQUssQ0FBQyxDQUFDLEtBQUssRUFBRSxFQUFFO2dCQUNmLE9BQU8sQ0FBQyxLQUFLLENBQUMsNEJBQTRCLEtBQUssRUFBRSxDQUFDLENBQUM7Z0JBQ25ELFFBQVEsRUFBRSxDQUFDO2dCQUNYLDRDQUE0QztnQkFDNUMsc0RBQXNEO2dCQUN0RCx3RUFBd0U7Z0JBQ3hFLE1BQU0saUJBQWlCLEdBQUcsUUFBUSxDQUFDLE1BQU0sR0FBRyxPQUFPLENBQUMsTUFBTSxHQUFHLFFBQVEsQ0FBQztnQkFDdEUsTUFBTSxlQUFlLEdBQUcsU0FBUyxHQUFHLE9BQU8sQ0FBQyxNQUFNLENBQUM7Z0JBQ25ELElBQUksaUJBQWlCLEdBQUcsZUFBZSxFQUFFLENBQUM7b0JBQ3hDLE1BQU0sQ0FDSixJQUFJLEtBQUssQ0FDUCw2QkFBNkIsU0FBUyx3REFBd0QsS0FBSyxFQUFFLENBQ3RHLENBQ0YsQ0FBQztnQkFDSixDQUFDO1lBQ0gsQ0FBQyxDQUFDLENBQUM7UUFDUCxDQUFDLENBQUMsQ0FBQztJQUNMLENBQUMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyJ9
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidGhyZXNob2xkUHJvbWlzZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMva21zL3RocmVzaG9sZFByb21pc2VzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBT0Esb0RBMERDO0FBakVEOzs7Ozs7R0FNRztBQUNJLEtBQUssVUFBVSxvQkFBb0IsQ0FDeEMsUUFBc0IsRUFDdEIsU0FBaUI7SUFFakIsSUFBSSxTQUFTLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDbEIsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO0lBQ2xELENBQUM7SUFDRCwwQ0FBMEM7SUFDMUMsSUFBSSxTQUFTLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDcEIsT0FBTyxFQUFFLENBQUM7SUFDWixDQUFDO0lBQ0QsSUFBSSxRQUFRLENBQUMsTUFBTSxLQUFLLENBQUMsSUFBSSxTQUFTLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDM0MsTUFBTSxJQUFJLEtBQUssQ0FBQyxrREFBa0QsQ0FBQyxDQUFDO0lBQ3RFLENBQUM7SUFDRCxJQUFJLFNBQVMsR0FBRyxRQUFRLENBQUMsTUFBTSxFQUFFLENBQUM7UUFDaEMsTUFBTSxJQUFJLEtBQUssQ0FDYixhQUFhLFNBQVMsK0JBQStCLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FDdkUsQ0FBQztJQUNKLENBQUM7SUFFRCxNQUFNLE9BQU8sR0FBUSxFQUFFLENBQUM7SUFDeEIsSUFBSSxPQUFPLEdBQUcsQ0FBQyxDQUFDO0lBQ2hCLElBQUksUUFBUSxHQUFHLEtBQUssQ0FBQztJQUVyQixPQUFPLElBQUksT0FBTyxDQUFDLENBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxFQUFFO1FBQ3JDLFFBQVEsQ0FBQyxPQUFPLENBQUMsQ0FBQyxPQUFPLEVBQUUsRUFBRTtZQUMzQixPQUFPO2lCQUNKLElBQUksQ0FBQyxDQUFDLFFBQVEsRUFBRSxFQUFFO2dCQUNqQiw2RUFBNkU7Z0JBQzdFLDhEQUE4RDtnQkFDOUQsSUFBSSxRQUFRO29CQUFFLE9BQU87Z0JBQ3JCLE9BQU8sQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7Z0JBQ3ZCLE9BQU8sRUFBRSxDQUFDO2dCQUNWLElBQUksT0FBTyxLQUFLLFFBQVEsQ0FBQyxNQUFNLEVBQUUsQ0FBQztvQkFDaEMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxDQUFDO2dCQUNuQixDQUFDO1lBQ0gsQ0FBQyxDQUFDO2lCQUNELEtBQUssQ0FBQyxDQUFDLEtBQUssRUFBRSxFQUFFO2dCQUNmLHdFQUF3RTtnQkFDeEUsZ0NBQWdDO2dCQUNoQyxJQUFJLFFBQVE7b0JBQUUsT0FBTztnQkFDckIsT0FBTyxFQUFFLENBQUM7Z0JBQ1YsNENBQTRDO2dCQUM1QyxNQUFNLGlCQUFpQixHQUFHLFFBQVEsQ0FBQyxNQUFNLEdBQUcsT0FBTyxDQUFDO2dCQUNwRCxNQUFNLGVBQWUsR0FBRyxTQUFTLEdBQUcsT0FBTyxDQUFDLE1BQU0sQ0FBQztnQkFDbkQsSUFBSSxpQkFBaUIsR0FBRyxlQUFlLEVBQUUsQ0FBQztvQkFDeEMsUUFBUSxHQUFHLElBQUksQ0FBQztvQkFDaEIsTUFBTSxDQUNKLElBQUksS0FBSyxDQUNQLDZCQUE2QixTQUFTLHdEQUF3RCxLQUFLLEVBQUUsQ0FDdEcsQ0FDRixDQUFDO2dCQUNKLENBQUM7cUJBQU0sSUFBSSxPQUFPLEtBQUssUUFBUSxDQUFDLE1BQU0sRUFBRSxDQUFDO29CQUN2QyxPQUFPLENBQUMsT0FBTyxDQUFDLENBQUM7Z0JBQ25CLENBQUM7WUFDSCxDQUFDLENBQUMsQ0FBQztRQUNQLENBQUMsQ0FBQyxDQUFDO0lBQ0wsQ0FBQyxDQUFDLENBQUM7QUFDTCxDQUFDIn0=

package/dist/cjs/lite/hadu.d.ts

@@ -1,4 +1,4 @@
-import { PlaintextWithContext } from '../encryption/index.js';
+import { PlaintextWithContext } from '../encryption/encryption.js';
 import { InputPayload } from '../generated/es/inco/covalidator/compute/v1/types_pb.js';
 export declare function encodeInput({ plaintext, context, }: PlaintextWithContext): Uint8Array;
 export declare function decodeInput(input: Uint8Array): InputPayload;

package/dist/cjs/lite/hadu.js

@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.encodeInput = encodeInput;
 exports.decodeInput = decodeInput;
 const protobuf_1 = require("@bufbuild/protobuf");
-const index_js_1 = require("../encryption/index.js");
+const encryption_js_1 = require("../encryption/encryption.js");
 const types_pb_js_1 = require("../generated/es/inco/covalidator/compute/v1/types_pb.js");
 const handle_js_1 = require("../handle.js");
 // HADU stands for "Host Chain, ACL, DApp, and User" it maps to the InputContext type where the aclAddress
@@ -15,7 +15,7 @@ function encodeInput({ plaintext, context, }) {
             case: 'scalar',
             value: (0, protobuf_1.create)(types_pb_js_1.ScalarSchema, {
                 type: plaintext.type,
-                value: (0, index_js_1.plaintextToBytes)(plaintext),
+                value: (0, encryption_js_1.plaintextToBytes)(plaintext),
             }),
         },
     });
@@ -25,4 +25,4 @@ function decodeInput(input) {
     const payload = (0, protobuf_1.fromBinary)(types_pb_js_1.InputPayloadSchema, input);
     return payload;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGFkdS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9saXRlL2hhZHUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFZQSxrQ0FlQztBQUVELGtDQUdDO0FBaENELGlEQUFrRTtBQUNsRSxxREFBZ0Y7QUFDaEYseUZBSWlFO0FBQ2pFLDRDQUFnRDtBQUVoRCwwR0FBMEc7QUFDMUcsMEVBQTBFO0FBRTFFLFNBQWdCLFdBQVcsQ0FBQyxFQUMxQixTQUFTLEVBQ1QsT0FBTyxHQUNjO0lBQ3JCLE1BQU0sT0FBTyxHQUFHLElBQUEsaUJBQU0sRUFBQyxnQ0FBa0IsRUFBRTtRQUN6QyxXQUFXLEVBQUUsSUFBQSw0QkFBZ0IsRUFBQyxPQUFPLENBQUM7UUFDdEMsS0FBSyxFQUFFO1lBQ0wsSUFBSSxFQUFFLFFBQVE7WUFDZCxLQUFLLEVBQUUsSUFBQSxpQkFBTSxFQUFDLDBCQUFZLEVBQUU7Z0JBQzFCLElBQUksRUFBRSxTQUFTLENBQUMsSUFBSTtnQkFDcEIsS0FBSyxFQUFFLElBQUEsMkJBQWdCLEVBQUMsU0FBUyxDQUFDO2FBQ25DLENBQUM7U0FDSDtLQUNGLENBQUMsQ0FBQztJQUNILE9BQU8sSUFBQSxtQkFBUSxFQUFDLGdDQUFrQixFQUFFLE9BQU8sQ0FBQyxDQUFDO0FBQy9DLENBQUM7QUFFRCxTQUFnQixXQUFXLENBQUMsS0FBaUI7SUFDM0MsTUFBTSxPQUFPLEdBQUcsSUFBQSxxQkFBVSxFQUFDLGdDQUFrQixFQUFFLEtBQUssQ0FBQyxDQUFDO0lBQ3RELE9BQU8sT0FBTyxDQUFDO0FBQ2pCLENBQUMifQ==
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGFkdS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9saXRlL2hhZHUudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFlQSxrQ0FlQztBQUVELGtDQUdDO0FBbkNELGlEQUFrRTtBQUNsRSwrREFHcUM7QUFDckMseUZBSWlFO0FBQ2pFLDRDQUFnRDtBQUVoRCwwR0FBMEc7QUFDMUcsMEVBQTBFO0FBRTFFLFNBQWdCLFdBQVcsQ0FBQyxFQUMxQixTQUFTLEVBQ1QsT0FBTyxHQUNjO0lBQ3JCLE1BQU0sT0FBTyxHQUFHLElBQUEsaUJBQU0sRUFBQyxnQ0FBa0IsRUFBRTtRQUN6QyxXQUFXLEVBQUUsSUFBQSw0QkFBZ0IsRUFBQyxPQUFPLENBQUM7UUFDdEMsS0FBSyxFQUFFO1lBQ0wsSUFBSSxFQUFFLFFBQVE7WUFDZCxLQUFLLEVBQUUsSUFBQSxpQkFBTSxFQUFDLDBCQUFZLEVBQUU7Z0JBQzFCLElBQUksRUFBRSxTQUFTLENBQUMsSUFBSTtnQkFDcEIsS0FBSyxFQUFFLElBQUEsZ0NBQWdCLEVBQUMsU0FBUyxDQUFDO2FBQ25DLENBQUM7U0FDSDtLQUNGLENBQUMsQ0FBQztJQUNILE9BQU8sSUFBQSxtQkFBUSxFQUFDLGdDQUFrQixFQUFFLE9BQU8sQ0FBQyxDQUFDO0FBQy9DLENBQUM7QUFFRCxTQUFnQixXQUFXLENBQUMsS0FBaUI7SUFDM0MsTUFBTSxPQUFPLEdBQUcsSUFBQSxxQkFBVSxFQUFDLGdDQUFrQixFQUFFLEtBQUssQ0FBQyxDQUFDO0lBQ3RELE9BQU8sT0FBTyxDQUFDO0FBQ2pCLENBQUMifQ==

package/dist/cjs/lite/index.d.ts

@@ -4,6 +4,4 @@ export type { HandleWithProof } from '../generated/es/inco/kms/lite/v1/types_pb.
 export * from './attested-compute.js';
 export * from './attested-decrypt.js';
 export * from './deployments.js';
-export * from './hadu.js';
 export * from './lightning.js';
-export { TEST_NETWORK_SEED_KEY, XWING_PUBLIC_KEY_SIZE, decodeXwingPrivateKey, decodeXwingPublicKey, decrypt, deriveXwingKeypairFromSeed, encodeXwingPublicKey, encrypt, generateXwingKeypair, getXwingDecryptor, getXwingEncryptor, type XwingDecryptorArgs, type XwingEncryptorArgs, type XwingKeypair, } from './xwing.js';

package/dist/cjs/lite/index.js

@@ -14,23 +14,9 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getXwingEncryptor = exports.getXwingDecryptor = exports.generateXwingKeypair = exports.encrypt = exports.encodeXwingPublicKey = exports.deriveXwingKeypairFromSeed = exports.decrypt = exports.decodeXwingPublicKey = exports.decodeXwingPrivateKey = exports.XWING_PUBLIC_KEY_SIZE = exports.TEST_NETWORK_SEED_KEY = void 0;
 __exportStar(require("../generated/abis/lightning.js"), exports);
 __exportStar(require("./attested-compute.js"), exports);
 __exportStar(require("./attested-decrypt.js"), exports);
 __exportStar(require("./deployments.js"), exports);
-__exportStar(require("./hadu.js"), exports);
 __exportStar(require("./lightning.js"), exports);
-var xwing_js_1 = require("./xwing.js");
-Object.defineProperty(exports, "TEST_NETWORK_SEED_KEY", { enumerable: true, get: function () { return xwing_js_1.TEST_NETWORK_SEED_KEY; } });
-Object.defineProperty(exports, "XWING_PUBLIC_KEY_SIZE", { enumerable: true, get: function () { return xwing_js_1.XWING_PUBLIC_KEY_SIZE; } });
-Object.defineProperty(exports, "decodeXwingPrivateKey", { enumerable: true, get: function () { return xwing_js_1.decodeXwingPrivateKey; } });
-Object.defineProperty(exports, "decodeXwingPublicKey", { enumerable: true, get: function () { return xwing_js_1.decodeXwingPublicKey; } });
-Object.defineProperty(exports, "decrypt", { enumerable: true, get: function () { return xwing_js_1.decrypt; } });
-Object.defineProperty(exports, "deriveXwingKeypairFromSeed", { enumerable: true, get: function () { return xwing_js_1.deriveXwingKeypairFromSeed; } });
-Object.defineProperty(exports, "encodeXwingPublicKey", { enumerable: true, get: function () { return xwing_js_1.encodeXwingPublicKey; } });
-Object.defineProperty(exports, "encrypt", { enumerable: true, get: function () { return xwing_js_1.encrypt; } });
-Object.defineProperty(exports, "generateXwingKeypair", { enumerable: true, get: function () { return xwing_js_1.generateXwingKeypair; } });
-Object.defineProperty(exports, "getXwingDecryptor", { enumerable: true, get: function () { return xwing_js_1.getXwingDecryptor; } });
-Object.defineProperty(exports, "getXwingEncryptor", { enumerable: true, get: function () { return xwing_js_1.getXwingEncryptor; } });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGl0ZS9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGlFQUErQztBQU8vQyx3REFBc0M7QUFDdEMsd0RBQXNDO0FBQ3RDLG1EQUFpQztBQUNqQyw0Q0FBMEI7QUFDMUIsaURBQStCO0FBQy9CLHVDQWVvQjtBQWRsQixpSEFBQSxxQkFBcUIsT0FBQTtBQUNyQixpSEFBQSxxQkFBcUIsT0FBQTtBQUNyQixpSEFBQSxxQkFBcUIsT0FBQTtBQUNyQixnSEFBQSxvQkFBb0IsT0FBQTtBQUNwQixtR0FBQSxPQUFPLE9BQUE7QUFDUCxzSEFBQSwwQkFBMEIsT0FBQTtBQUMxQixnSEFBQSxvQkFBb0IsT0FBQTtBQUNwQixtR0FBQSxPQUFPLE9BQUE7QUFDUCxnSEFBQSxvQkFBb0IsT0FBQTtBQUNwQiw2R0FBQSxpQkFBaUIsT0FBQTtBQUNqQiw2R0FBQSxpQkFBaUIsT0FBQSJ9
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGl0ZS9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsaUVBQStDO0FBTy9DLHdEQUFzQztBQUN0Qyx3REFBc0M7QUFDdEMsbURBQWlDO0FBQ2pDLGlEQUErQiJ9

package/dist/cjs/lite/lightning.d.ts

@@ -4,7 +4,7 @@ import { AllowanceVoucherWithSig } from '../advancedacl/types.js';
 import { AttestedComputeOP } from '../attestedcompute/types.js';
 import { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/index.js';
 import { Address, HexString } from '../binary.js';
-import { EncryptionScheme, SupportedFheType } from '../encryption/index.js';
+import { EncryptionScheme, SupportedFheType } from '../encryption/encryption.js';
 import { incoVerifierAbi } from '../generated/abis/verifier.js';
 import { lightningDeployments } from '../generated/lightning.js';
 import { localNodeLightningConfig } from '../generated/local-node.js';