@inco/js 0.8.0-devnet-5 → 0.8.0-devnet-6

package/dist/types/advancedacl/session-key.d.ts

@@ -1,7 +1,7 @@
 import { type Account, type Address, type Chain, type Hex, PublicClient, type Transport, type WalletClient } from 'viem';
 import { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/index.js';
 import { SupportedChainId } from '../chain.js';
-import { type EciesScheme, SupportedFheType } from '../encryption/encryption.js';
+import { EncryptionScheme, SupportedFheType } from '../encryption/encryption.js';
 import { HexString } from '../index.js';
 import type { Secp256k1Keypair } from '../lite/index.js';
 import { BackoffConfig } from '../retry.js';
@@ -46,7 +46,7 @@ export interface SessionKeyAttestedComputeArgs {
     reencryptPubKey?: Uint8Array | undefined;
     reencryptKeypair?: Secp256k1Keypair | undefined;
 }
-export declare function sessionKeyAttestedCompute<T extends SupportedFheType>({ lhsHandle, op, rhsPlaintext, backoffConfig, chainId, kmsQuorumClient, ephemeralKeypair, allowanceVoucherWithSig, requesterArgData, ethClient, executorAddress, reencryptPubKey, reencryptKeypair, }: SessionKeyAttestedComputeArgs): Promise<DecryptionAttestation<EciesScheme, SupportedFheType> | EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>;
+export declare function sessionKeyAttestedCompute<T extends SupportedFheType>({ lhsHandle, op, rhsPlaintext, backoffConfig, chainId, kmsQuorumClient, ephemeralKeypair, allowanceVoucherWithSig, requesterArgData, ethClient, executorAddress, reencryptPubKey, reencryptKeypair, }: SessionKeyAttestedComputeArgs): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>;
 export interface SessionKeyAttestedDecryptArgs {
     chainId: SupportedChainId;
     ephemeralKeypair: Secp256k1Keypair;
@@ -90,4 +90,4 @@ export interface SessionKeyAttestedDecryptArgs {
  * );
  * ```
  */
-export declare function sessionKeyAttestedDecrypt({ chainId, kmsQuorumClient, handles, ephemeralKeypair, allowanceVoucherWithSig, requesterArgData, backoffConfig, reencryptPubKey, reencryptKeypair, ethClient, executorAddress, }: SessionKeyAttestedDecryptArgs): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType> | EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>>;
+export declare function sessionKeyAttestedDecrypt({ chainId, kmsQuorumClient, handles, ephemeralKeypair, allowanceVoucherWithSig, requesterArgData, backoffConfig, reencryptPubKey, reencryptKeypair, ethClient, executorAddress, }: SessionKeyAttestedDecryptArgs): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>>;

package/dist/types/attestedcompute/attested-compute.d.ts

@@ -2,7 +2,7 @@ import type { Account, Chain, Transport, WalletClient } from 'viem';
 import { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/types.js';
 import { HexString } from '../binary.js';
 import { SupportedChainId } from '../chain.js';
-import type { EciesScheme, SupportedFheType } from '../encryption/encryption.js';
+import type { EncryptionScheme, SupportedFheType } from '../encryption/encryption.js';
 import { KmsQuorumClient } from '../kms/quorumClient.js';
 import type { Secp256k1Keypair } from '../lite/ecies.js';
 import type { BackoffConfig } from '../retry.js';
@@ -39,7 +39,7 @@ export declare function attestedCompute<T extends SupportedFheType>({ executorAd
     chainId: SupportedChainId;
     reencryptPubKey: Uint8Array;
     reencryptKeypair: Secp256k1Keypair;
-}): Promise<DecryptionAttestation<EciesScheme, T>>;
+}): Promise<DecryptionAttestation<EncryptionScheme, T>>;
 export declare function attestedCompute<T extends SupportedFheType>({ executorAddress, lhsHandle, op, rhsPlaintext, backoffConfig, walletClient, kmsQuorumClient, chainId, reencryptPubKey, }: {
     executorAddress: HexString;
     lhsHandle: HexString;
@@ -51,7 +51,7 @@ export declare function attestedCompute<T extends SupportedFheType>({ executorAd
     chainId: SupportedChainId;
     reencryptPubKey: Uint8Array;
     reencryptKeypair?: never;
-}): Promise<EncryptedDecryptionAttestation<EciesScheme, T>>;
+}): Promise<EncryptedDecryptionAttestation<EncryptionScheme, T>>;
 export declare function attestedCompute<T extends SupportedFheType>({ executorAddress, lhsHandle, op, rhsPlaintext, backoffConfig, walletClient, kmsQuorumClient, chainId, }: {
     executorAddress: HexString;
     lhsHandle: HexString;
@@ -63,4 +63,4 @@ export declare function attestedCompute<T extends SupportedFheType>({ executorAd
     chainId: SupportedChainId;
     reencryptPubKey?: never;
     reencryptKeypair?: never;
-}): Promise<DecryptionAttestation<EciesScheme, T>>;
+}): Promise<DecryptionAttestation<EncryptionScheme, T>>;

package/dist/types/attesteddecrypt/attested-decrypt.d.ts

@@ -1,7 +1,7 @@
 import type { Account, Chain, PublicClient, Transport, WalletClient } from 'viem';
 import { type HexString } from '../binary.js';
 import { type SupportedChainId } from '../chain.js';
-import { type EciesScheme, type SupportedFheType } from '../encryption/encryption.js';
+import { EncryptionScheme, type SupportedFheType } from '../encryption/encryption.js';
 import { KmsQuorumClient } from '../kms/quorumClient.js';
 import type { Secp256k1Keypair } from '../lite/ecies.js';
 import type { BackoffConfig } from '../retry.js';
@@ -34,7 +34,7 @@ export declare function attestedDecrypt({ handles, backoffConfig, chainId, kmsQu
     chainId: SupportedChainId;
     kmsQuorumClient: KmsQuorumClient;
     executorAddress: HexString;
-}): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
+}): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
 /**
  * Decrypt multiple handles in a single attested request.
  * Returns an array of attestations aligned with the response ordering.
@@ -52,7 +52,7 @@ export declare function attestedDecrypt({ handles, backoffConfig, walletClient,
     reencryptKeypair: Secp256k1Keypair;
     kmsQuorumClient: KmsQuorumClient;
     executorAddress: HexString;
-}): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
+}): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
 /**
  * Decrypt multiple handles in a single attested request.
  * Returns an array of attestations aligned with the response ordering.
@@ -70,7 +70,7 @@ export declare function attestedDecrypt({ handles, backoffConfig, walletClient,
     reencryptKeypair?: never;
     kmsQuorumClient: KmsQuorumClient;
     executorAddress: HexString;
-}): Promise<Array<EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>>;
+}): Promise<Array<EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
 /**
  * Decrypt multiple handles in a single attested request.
  * Returns an array of attestations aligned with the response ordering.
@@ -88,9 +88,9 @@ export declare function attestedDecrypt({ handles, backoffConfig, walletClient,
     reencryptKeypair?: never;
     kmsQuorumClient: KmsQuorumClient;
     executorAddress: HexString;
-}): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
+}): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
 export declare function fetchEip712DomainVersion(executorAddress: HexString | undefined, defaultVersion: string, walletClient?: WalletClient<Transport, Chain, Account> | PublicClient<Transport, Chain>): Promise<string>;
-export declare function decryptEncryptedAttestations(attestations: Array<DecryptionAttestation<EciesScheme, SupportedFheType> | EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>, reencryptKeypair: Secp256k1Keypair): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
+export declare function decryptEncryptedAttestations(attestations: Array<DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>, reencryptKeypair: Secp256k1Keypair): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
 /**
  * Validates a handle format.
  * @param handle - The handle to validate

package/dist/types/encryption/encryption.d.ts

@@ -15,18 +15,20 @@ export declare const SupportedFheType: Schema.SchemaClass<0 | 5 | 7 | 8, 0 | 5 |
 export type SupportedFheType = typeof SupportedFheType.Type;
 export declare const encryptionSchemes: {
     readonly ecies: 1;
+    readonly xwing: 2;
 };
 export declare function getEncryptionSchemeName(scheme: number): string;
 export type EncryptionSchemes = typeof encryptionSchemes;
 export type EciesScheme = EncryptionSchemes['ecies'];
-export declare const EncryptionScheme: Schema.Literal<[1]>;
+export type XwingScheme = EncryptionSchemes['xwing'];
+export declare const EncryptionScheme: Schema.Literal<[1, 2]>;
 export type EncryptionScheme = typeof EncryptionScheme.Type;
 type DistType<P, S extends EncryptionScheme, T extends SupportedFheType> = P extends any ? P & {
     scheme: S;
     type: T;
 } : never;
 export declare const Ciphertext: Schema.Struct<{
-    scheme: Schema.Literal<[1]>;
+    scheme: Schema.Literal<[1, 2]>;
     type: Schema.SchemaClass<0 | 5 | 7 | 8, 0 | 5 | 7 | 8, never>;
     value: Schema.TemplateLiteral<`0x${string}`>;
 }>;
@@ -34,7 +36,7 @@ export type Ciphertext = typeof Ciphertext.Type;
 export type CiphertextOf<S extends EncryptionScheme, T extends SupportedFheType> = DistType<Ciphertext, S, T>;
 export declare const CiphertextWithContext: Schema.Struct<{
     ciphertext: Schema.Struct<{
-        scheme: Schema.Literal<[1]>;
+        scheme: Schema.Literal<[1, 2]>;
         type: Schema.SchemaClass<0 | 5 | 7 | 8, 0 | 5 | 7 | 8, never>;
         value: Schema.TemplateLiteral<`0x${string}`>;
     }>;
@@ -52,7 +54,7 @@ export type CiphertextWithContextOf<S extends EncryptionScheme, T extends Suppor
 };
 export declare const EncryptResult: Schema.Struct<{
     ciphertext: Schema.Struct<{
-        scheme: Schema.Literal<[1]>;
+        scheme: Schema.Literal<[1, 2]>;
         type: Schema.SchemaClass<0 | 5 | 7 | 8, 0 | 5 | 7 | 8, never>;
         value: Schema.TemplateLiteral<`0x${string}`>;
     }>;
@@ -71,11 +73,11 @@ export type EncryptResultOf<S extends EncryptionScheme, T extends SupportedFheTy
     ciphertext: CiphertextOf<S, T>;
 };
 export declare const Plaintext: Schema.Union<[Schema.Struct<{
-    scheme: Schema.Literal<[1]>;
+    scheme: Schema.Literal<[1, 2]>;
     type: Schema.Literal<[5, 7, 8]>;
     value: typeof Schema.BigInt;
 }>, Schema.Struct<{
-    scheme: Schema.Literal<[1]>;
+    scheme: Schema.Literal<[1, 2]>;
     type: Schema.Literal<[0]>;
     value: typeof Schema.Boolean;
 }>]>;
@@ -83,11 +85,11 @@ export type Plaintext = typeof Plaintext.Type;
 export type PlaintextOf<S extends EncryptionScheme, T extends SupportedFheType> = DistType<Plaintext, S, T>;
 export declare const PlaintextWithContext: Schema.Struct<{
     plaintext: Schema.Union<[Schema.Struct<{
-        scheme: Schema.Literal<[1]>;
+        scheme: Schema.Literal<[1, 2]>;
         type: Schema.Literal<[5, 7, 8]>;
         value: typeof Schema.BigInt;
     }>, Schema.Struct<{
-        scheme: Schema.Literal<[1]>;
+        scheme: Schema.Literal<[1, 2]>;
         type: Schema.Literal<[0]>;
         value: typeof Schema.Boolean;
     }>]>;

package/dist/types/generated/es/inco/covalidator/compute/v1/server_pb.d.ts

@@ -580,6 +580,24 @@ export type ConfigureRequest = Message<"inco.covalidator.compute.v1.ConfigureReq
  * Use `create(ConfigureRequestSchema)` to create a new message.
  */
 export declare const ConfigureRequestSchema: GenMessage<ConfigureRequest>;
+/**
+ * HeliosConfigureRequest is a request to configure the helios light client.
+ *
+ * @generated from message inco.covalidator.compute.v1.HeliosConfigureRequest
+ */
+export type HeliosConfigureRequest = Message<"inco.covalidator.compute.v1.HeliosConfigureRequest"> & {
+    /**
+     * Provide Helios-specific configuration to start the Helios from compute service.
+     *
+     * @generated from field: inco.helioswrapper.v1.StartHeliosRequest helios_config = 2;
+     */
+    heliosConfig?: StartHeliosRequest;
+};
+/**
+ * Describes the message inco.covalidator.compute.v1.HeliosConfigureRequest.
+ * Use `create(HeliosConfigureRequestSchema)` to create a new message.
+ */
+export declare const HeliosConfigureRequestSchema: GenMessage<HeliosConfigureRequest>;
 /**
  * ConfigureResponse is a response to ConfigureRequest.
  *
@@ -604,6 +622,24 @@ export type ConfigureResponse = Message<"inco.covalidator.compute.v1.ConfigureRe
  * Use `create(ConfigureResponseSchema)` to create a new message.
  */
 export declare const ConfigureResponseSchema: GenMessage<ConfigureResponse>;
+/**
+ * HeliosConfigureResponse is a response to HeliosConfigureRequest.
+ *
+ * @generated from message inco.covalidator.compute.v1.HeliosConfigureResponse
+ */
+export type HeliosConfigureResponse = Message<"inco.covalidator.compute.v1.HeliosConfigureResponse"> & {
+    /**
+     * True if the Helios light client was started successfully.
+     *
+     * @generated from field: bool helios_started = 1;
+     */
+    heliosStarted: boolean;
+};
+/**
+ * Describes the message inco.covalidator.compute.v1.HeliosConfigureResponse.
+ * Use `create(HeliosConfigureResponseSchema)` to create a new message.
+ */
+export declare const HeliosConfigureResponseSchema: GenMessage<HeliosConfigureResponse>;
 /**
  * AttestedDecryptRequest is the request type for the ComputeService/AttestedDecrypt RPC method.
  *

package/dist/types/generated/es/inco/sealingfetcher/v1/sealingfetcher_pb.d.ts

@@ -107,9 +107,9 @@ export type TeeKeys = Message<"inco.sealingfetcher.v1.TeeKeys"> & {
      */
     eoaPrivkey: Uint8Array;
     /**
-     * The Network private key that the TEE generated during the bootstrap process.
-     * This is simply a 32-byte array, that can be used as-is as a sepc256k1
-     * private key.
+     * The Network private key (X-Wing) that the TEE generated during the bootstrap process.
+     * This is a 32-byte seed used to derive the X-Wing keypair for input encryption.
+     * X-Wing is a post-quantum hybrid KEM combining ML-KEM-768 and X25519.
      *
      * @generated from field: bytes network_privkey = 2;
      */

package/dist/types/kms/quorumClient.d.ts

@@ -1,6 +1,6 @@
 import type { Address } from 'viem';
 import type { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/types.js';
-import type { EciesScheme, SupportedFheType } from '../encryption/encryption.js';
+import type { EncryptionScheme, SupportedFheType } from '../encryption/encryption.js';
 import type { AttestedComputeRequest, AttestedDecryptRequest, AttestedRevealRequest } from '../generated/es/inco/kms/lite/v1/kms_service_pb.js';
 import type { BackoffConfig } from '../retry.js';
 import { type KmsClient } from './client.js';
@@ -28,9 +28,9 @@ export declare class KmsQuorumClient {
      * @throws {Error} If KMS clients array is empty or threshold is invalid
      */
     static fromKmsClients(kmsClients: KmsClient[], threshold: number): KmsQuorumClient;
-    attestedDecrypt(request: AttestedDecryptRequest, backoffConfig?: Partial<BackoffConfig>): Promise<(DecryptionAttestation<EciesScheme, SupportedFheType> | EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>)[]>;
-    attestedCompute(request: AttestedComputeRequest, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EciesScheme, SupportedFheType> | EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>;
-    attestedReveal(request: AttestedRevealRequest, backoffConfig?: Partial<BackoffConfig>): Promise<(DecryptionAttestation<EciesScheme, SupportedFheType> | EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>)[]>;
+    attestedDecrypt(request: AttestedDecryptRequest, backoffConfig?: Partial<BackoffConfig>): Promise<(DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>)[]>;
+    attestedCompute(request: AttestedComputeRequest, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>;
+    attestedReveal(request: AttestedRevealRequest, backoffConfig?: Partial<BackoffConfig>): Promise<(DecryptionAttestation<EncryptionScheme, SupportedFheType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>)[]>;
     /**
      * Generic method to execute a KMS operation across all clients with retry and threshold logic.
      * Returns results with both the response and signer address.

package/dist/types/lite/index.d.ts

@@ -4,6 +4,7 @@ export type { HandleWithProof } from '../generated/es/inco/kms/lite/v1/types_pb.
 export * from './attested-compute.js';
 export * from './attested-decrypt.js';
 export * from './deployments.js';
-export * from './ecies.js';
+export { TEST_NETWORK_PRIVATE_KEY, TEST_NETWORK_PUBKEY, decodeSecp256k1PrivateKey, decodeSecp256k1PublicKey, decrypt as eciesDecrypt, encrypt as eciesEncrypt, encodeSecp256k1PublicKey, generateSecp256k1Keypair, getEciesDecryptor, getEciesEncryptor, toSecp256k1Keypair, type EciesDecryptorArgs, type EciesEncryptorArgs, type Secp256k1Keypair, type Secp256k1PubKey, } from './ecies.js';
 export * from './hadu.js';
 export * from './lightning.js';
+export { TEST_NETWORK_SEED_KEY, TEST_NETWORK_XWING_PUBKEY, decodeXwingPrivateKey, decodeXwingPublicKey, deriveXwingKeypairFromSeed, encodeXwingPublicKey, generateXwingKeypair, getXwingDecryptor, getXwingEncryptor, decrypt as xwingDecrypt, encrypt as xwingEncrypt, type XwingDecryptorArgs, type XwingEncryptorArgs, type XwingKeypair, } from './xwing.js';

package/dist/types/lite/lightning.d.ts

@@ -3,7 +3,7 @@ import { AllowanceVoucherWithSig } from '../advancedacl/types.js';
 import { AttestedComputeOP } from '../attestedcompute/types.js';
 import { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/index.js';
 import { Address, HexString } from '../binary.js';
-import { EciesScheme, SupportedFheType } from '../encryption/index.js';
+import { EncryptionScheme, SupportedFheType } from '../encryption/index.js';
 import { incoVerifierAbi } from '../generated/abis/verifier.js';
 import { lightningDeployments } from '../generated/lightning.js';
 import { localNodeLightningConfig } from '../generated/local-node.js';
@@ -59,10 +59,18 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
     private readonly networkPubkey;
     readonly executorAddress: Address;
     readonly chainId: bigint;
-    private readonly ephemeralKeypair;
     private readonly kmsQuorumClient;
-    private readonly encryptor;
+    private readonly ephemeralKeypair;
+    private encryptor;
+    private encryptionScheme;
     private constructor();
+    private getEncryptor;
+    /**
+     * Get the encryption scheme version used by this Lightning instance.
+     * Returns 1 for ECIES or 2 for X-Wing.
+     * This is a convenience method to get the encryption scheme used by this Lightning instance.
+     */
+    getEncryptionScheme(): Promise<EncryptionScheme>;
     /**
      * Get a Lightning instance bound to the latest Lightning deployment for the Base Sepolia testnet.
      */
@@ -121,7 +129,8 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
     static latest<P extends Pepper>(pepper: P, chainId: ChainId): Promise<Lightning<Deployment>>;
     get deployment(): T;
     /**
-     * Encrypt a value using the public ECIES key of the Lightning deployment.
+     * Encrypt a value using the network's public key (ECIES or X-Wing).
+     * The encryption scheme is automatically detected based on the public key length.
      *
      * @param value a boolean or numeric value to encrypt
      * @param accountAddress the address of the account interacting with the dapp contract, normally an Externally Owned Account (EOA)
@@ -224,9 +233,9 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
      * console.log(decrypted[0].plaintext.value);
      * ```
      */
-    attestedDecrypt(walletClient: WalletClient<Transport, Chain, Account>, handles: HexString[], backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
-    attestedDecrypt(walletClient: WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, backoffConfig?: Partial<BackoffConfig>): Promise<Array<EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>>;
-    attestedDecrypt(walletClient: WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
+    attestedDecrypt(walletClient: WalletClient<Transport, Chain, Account>, handles: HexString[], backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
+    attestedDecrypt(walletClient: WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, backoffConfig?: Partial<BackoffConfig>): Promise<Array<EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
+    attestedDecrypt(walletClient: WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
     /**
      * Requests attested decrypts using a voucher-backed session key.
      *
@@ -257,9 +266,9 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
      * );
      * ```
      */
-    attestedDecryptWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, handles: HexString[], requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
-    attestedDecryptWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<Array<EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>>;
-    attestedDecryptWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
+    attestedDecryptWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, handles: HexString[], requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
+    attestedDecryptWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<Array<EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
+    attestedDecryptWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, handles: HexString[], reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
     /**
      * Get an attested compute for the given wallet client.
      *
@@ -305,9 +314,9 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
      * console.log(decrypted.plaintext.value);
      * ```
      */
-    attestedCompute(walletClient: WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EciesScheme, SupportedFheType>>;
-    attestedCompute(walletClient: WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, backoffConfig?: Partial<BackoffConfig>): Promise<EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>;
-    attestedCompute(walletClient: WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EciesScheme, SupportedFheType>>;
+    attestedCompute(walletClient: WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType>>;
+    attestedCompute(walletClient: WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, backoffConfig?: Partial<BackoffConfig>): Promise<EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>;
+    attestedCompute(walletClient: WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType>>;
     /**
      * Performs attested compute via a voucher-backed session key.
      *
@@ -350,9 +359,9 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
      * console.log(decrypted.plaintext.value);
      * ```
      */
-    attestedComputeWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EciesScheme, SupportedFheType>>;
-    attestedComputeWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<EncryptedDecryptionAttestation<EciesScheme, SupportedFheType>>;
-    attestedComputeWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EciesScheme, SupportedFheType>>;
+    attestedComputeWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType>>;
+    attestedComputeWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<EncryptedDecryptionAttestation<EncryptionScheme, SupportedFheType>>;
+    attestedComputeWithVoucher(ephemeralKeypair: Secp256k1Keypair, allowanceVoucherWithSig: AllowanceVoucherWithSig, ethClient: PublicClient<Transport, Chain> | WalletClient<Transport, Chain, Account>, lhsHandle: HexString, op: AttestedComputeOP, rhsPlaintext: bigint | boolean, reencryptPubKey: Uint8Array, reencryptKeypair: Secp256k1Keypair, requesterArgData?: HexString, backoffConfig?: Partial<BackoffConfig>): Promise<DecryptionAttestation<EncryptionScheme, SupportedFheType>>;
     /**
      * Get an decryption of publicly revealed handles.
      *
@@ -366,7 +375,7 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
      * const { plaintext, covalidatorSignature } = response[0];
      * ```
      */
-    attestedReveal(handles: HexString[], backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EciesScheme, SupportedFheType>>>;
+    attestedReveal(handles: HexString[], backoffConfig?: Partial<BackoffConfig>): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedFheType>>>;
     /**
      * Get the GRPC endpoint for the covalidator that services this deployment.
      */

package/dist/types/lite/xwing.d.ts

@@ -0,0 +1,119 @@
+import { Decryptor, Encryptor, XwingScheme } from '../encryption/encryption.js';
+import { PubKeyEncodable } from '../reencryption/index.js';
+export declare const TEST_NETWORK_SEED_KEY = "0x0000000000000000000000000000000000000000000000000000000000000000";
+export declare const TEST_NETWORK_XWING_PUBKEY = "0xca882388911c7c762aafc20debd63e845b3bed28c9d5262cdea7771fb31bd660a1ae7b395a9a7df3d12c7b118e8eda5057572c1ba05cd9b635edf33dabca4cac7291e0848f19c20e5beb850c3818f3543d49b3a5c729cb86a28fda539775d04feda112fe0c81d138aaf623aea7d507a4e826e890105db6065a44aba76a10d771c00d1b33f4ac51869806aae18eada68f19047024542d64a7aa1c91a5e1aa49d93613b5224b415bcc7aa166e4b55033438d20c641f9664fdb1689b53208181463e3d1325d46b30f07c5945b7e3fa1418bf833d975258461b294664eaf60795964924a280729c10a37fc6e967440bdd55d4ca53596286383481291152365303d44517cef369c00933b0b30368a230353e729c031075e8388673678a56b3ba84a165b28096ee9bd684483e1844258b451c365c41fa534152a3b64120041450128e960c7d6437d717ee266bdde7aaeec225ed93b958d188e97407349f1382976ca47d761ecc59a6f394487eb015c083abb490584677240eb47f838c838568a496119378b8bb81484610a50792b5d9c9939db188e7d0249d3cb918c436f111a2898849b286b0743a22c57464c709c5eaceac1ba493adca3328c0b14b5e38d3aea74e328b622b17e7181c35ad11c2103bdb7f2b209d93dcbc4ab61a06bc37139e6d2b7a06c5b7e9267bef3a8918a706f793271a5acc2574532da79e5a10cf074b998147a3c43586a411a513bba0d11cc19a36c83b19277f28022c88b120abfdba7076a8263e05336e3245aef7033eb3c762b5bbfa5791ac960398b649d5cbb652ddc6b2398143a0861ab3b410b696328879c099098adf819fbf7ac170030e86675e7f45c22ac9e1cf52c3102487bb0b91ab592afdc69c6e3a9b71876b86260b6c736b8291098f1130d3b763525cbad540ce2d042eacb6ed43b7bcba898f712c412f26066e09945f44ec7026c8ef959831abc10719d2017a12a41728b41c02371a5f5756ebc79406be708ea41bbd21563c874a0b791a3b4e4224a609967004f065c5ab4f3b4c61cb35df70573269da53179c3701fc5205f61974426f9b794c1b5826494b70842b6920c17752029369264dc8590b898b85c9d89a258e1f46c1b0490efd17c485cb51687cea272041e90b8e629521d3c5e3fa7518161bad7a159295b63cc6c0077897b53d47db8bc0ecb820f550705b65715a1a1094d04854f56acd26aa0baa10cb8447fad6211f53105796a42882328e6852e8de821c283b51eaab9bc95c4dc53615626049d63b1f9a457193805276b1905b0ab39353b5cf91fdd6023d4d816aef9cce4a3cfb3d12190172df221ae61d427563a098cc60e3dc9997ef54959180be5dc64a911157db6be3a01be2ee343caab33b8729abf0c50c674758c511291941fceac646232920907c2e88b9ec10211161729c797643a553a6ae5c4b7483c04e3263bd291e311c609071348b7c3310aa97d6b8318e0a4afe8399fa22f951049a9bb8860f7c69a333d3cc1aaf0129ab560713bf29eb3a01f9a276c78e54e3a3648b2447c80242b271b11406866389426d8b59796540d6b5702092ab21ee217c075cfc0c17ef826ce9ea29b9e61617457a5b1aaa23a58615dc53c59183beb36ea19498c21820b70ab47adeb678f1c52bf8768b3597b608ea1a8a15cd62e8a29bec4a1ac248ef9f02de0144bca06025f95a42bd6c8eaaaaaa2366328561d";
+/**
+ * X-Wing keypair interface.
+ * X-Wing is a post-quantum hybrid KEM combining ML-KEM-768 and X25519.
+ * - Private key: 32-byte seed
+ * - Public key: 1216 bytes
+ * - Encapsulated key: 1120 bytes
+ */
+export interface XwingKeypair extends PubKeyEncodable {
+    scheme: XwingScheme;
+    publicKey: CryptoKey;
+    privateKey: CryptoKey;
+    publicKeyBytes: Uint8Array;
+}
+/**
+ * Derive X-Wing keypair from a 32-byte seed (deterministic).
+ * This matches the Go implementation in covalidator/encoding/xwing.go
+ *
+ * @param seed - 32-byte seed for deterministic key derivation
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export declare function deriveXwingKeypairFromSeed(seed: Uint8Array): Promise<XwingKeypair>;
+/**
+ * Generate a random X-Wing keypair.
+ *
+ * @returns X-Wing keypair with cached public key bytes
+ */
+export declare function generateXwingKeypair(): Promise<XwingKeypair>;
+/**
+ * Decode X-Wing public key from bytes.
+ *
+ * @param pubKeyBytes - 1216-byte X-Wing public key
+ * @returns CryptoKey for encryption operations
+ */
+export declare function decodeXwingPublicKey(pubKeyBytes: Uint8Array): Promise<CryptoKey>;
+/**
+ * Decode X-Wing private key from 32-byte seed.
+ * Alias for deriveXwingKeypairFromSeed for consistency with Go API.
+ *
+ * @param seed - 32-byte seed
+ * @returns X-Wing keypair
+ */
+export declare function decodeXwingPrivateKey(seed: Uint8Array): Promise<XwingKeypair>;
+/**
+ * Encode X-Wing public key to bytes.
+ *
+ * @param publicKey - CryptoKey containing X-Wing public key
+ * @returns 1216-byte serialized public key
+ */
+export declare function encodeXwingPublicKey(publicKey: CryptoKey): Promise<Uint8Array>;
+/**
+ * X-Wing encryptor arguments.
+ * pubKeyA is the recipient's public key (usually the covalidator's public key).
+ */
+export type XwingEncryptorArgs = {
+    pubKeyA: CryptoKey;
+};
+/**
+ * X-Wing decryptor arguments.
+ * privKeyA is the recipient's private key (usually the covalidator's private key).
+ */
+export type XwingDecryptorArgs = {
+    privKeyA: XwingKeypair;
+};
+/**
+ * Encrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Output format: encappedKey (1184 bytes) || ciphertext (variable length)
+ *
+ * @param pubKeyA - Recipient's public key
+ * @param msg - Message to encrypt
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Encrypted data (encappedKey || ciphertext)
+ */
+export declare function encrypt(pubKeyA: CryptoKey, msg: Uint8Array, aad?: Uint8Array, info?: Uint8Array): Promise<Uint8Array>;
+/**
+ * Decrypt using X-Wing HPKE (RFC 9180) with ChaCha20-Poly1305 AEAD.
+ *
+ * Input format: encappedKey (1184 bytes) || ciphertext (variable length)
+ *
+ * @param privKeyA - Recipient's private key
+ * @param encryptedData - Encrypted data (encappedKey || ciphertext)
+ * @param aad - Additional authenticated data (default: empty)
+ * @param info - Context info for key derivation (default: empty)
+ * @returns Decrypted plaintext
+ */
+export declare function decrypt(privKeyA: XwingKeypair, encryptedData: Uint8Array, aad?: Uint8Array, info?: Uint8Array): Promise<Uint8Array>;
+/**
+ * Create an X-Wing encryptor for encrypting inputs.
+ * Follows the same pattern as ECIES encryptor in ecies.ts.
+ *
+ * The encryptor:
+ * 1. Encodes the plaintext with its context (HADU encoding)
+ * 2. Encrypts using X-Wing HPKE
+ * 3. Computes prehandle and handle for tracking
+ * 4. Returns the encrypted ciphertext with metadata
+ *
+ * @param args - X-Wing encryptor arguments (recipient's public key)
+ * @returns Encryptor function
+ */
+export declare function getXwingEncryptor({ pubKeyA, }: XwingEncryptorArgs): Encryptor<XwingScheme>;
+/**
+ * Create an X-Wing decryptor for decrypting inputs.
+ * Follows the same pattern as ECIES decryptor in ecies.ts.
+ *
+ * The decryptor:
+ * 1. Removes the prepended handle from the ciphertext
+ * 2. Decrypts using X-Wing HPKE
+ * 3. Decodes the HADU-encoded payload
+ * 4. Extracts and returns the plaintext
+ *
+ * @param args - X-Wing decryptor arguments (recipient's private key)
+ * @returns Decryptor function
+ */
+export declare function getXwingDecryptor({ privKeyA, }: XwingDecryptorArgs): Decryptor<XwingScheme>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inco/js",
-  "version": "0.8.0-devnet-5",
+  "version": "0.8.0-devnet-6",
   "repository": "https://github.com/Inco-fhevm/inco-monorepo",
   "license": "Apache-2.0",
   "sideEffects": false,
@@ -91,6 +91,9 @@
     "@connectrpc/connect-node": "^2.0.0",
     "@connectrpc/connect-web": "^2.0.1",
     "@grpc/grpc-js": "^1.13.4",
+    "@hpke/hybridkem-x-wing": "^0.6.1",
+    "@hpke/core": "^1.7.5",
+    "@hpke/chacha20poly1305": "^1.7.1",
     "@types/elliptic": "^6.4.18",
     "ecies-geth": "^1.7.5",
     "effect": "^3.17.13",