@inco/js 0.8.0-devnet-8 → 0.8.0-devnet-10

package/dist/types/generated/abis/test-elist.d.ts

@@ -2,7 +2,7 @@ export declare const elistTesterAbi: readonly [{
     readonly type: "constructor";
     readonly inputs: readonly [{
         readonly name: "_inco";
-        readonly internalType: "contract IIncoLightningPreview";
+        readonly internalType: "contract IIncoLightning";
         readonly type: "address";
     }];
     readonly stateMutability: "nonpayable";

package/dist/types/generated/abis/verifier.d.ts

@@ -429,6 +429,45 @@ export declare const incoVerifierAbi: readonly [{
         readonly type: "bool";
     }];
     readonly stateMutability: "view";
+}, {
+    readonly type: "function";
+    readonly inputs: readonly [{
+        readonly name: "elistHandle";
+        readonly internalType: "bytes32";
+        readonly type: "bytes32";
+    }, {
+        readonly name: "proofElements";
+        readonly internalType: "struct ElementDecryptionProof[]";
+        readonly type: "tuple[]";
+        readonly components: readonly [{
+            readonly name: "pairHash";
+            readonly internalType: "bytes32";
+            readonly type: "bytes32";
+        }, {
+            readonly name: "commitment";
+            readonly internalType: "bytes32";
+            readonly type: "bytes32";
+        }, {
+            readonly name: "value";
+            readonly internalType: "uint256";
+            readonly type: "uint256";
+        }];
+    }, {
+        readonly name: "proof";
+        readonly internalType: "bytes32";
+        readonly type: "bytes32";
+    }, {
+        readonly name: "signatures";
+        readonly internalType: "bytes[]";
+        readonly type: "bytes[]";
+    }];
+    readonly name: "isValidEListDecryptionAttestation";
+    readonly outputs: readonly [{
+        readonly name: "";
+        readonly internalType: "bool";
+        readonly type: "bool";
+    }];
+    readonly stateMutability: "view";
 }, {
     readonly type: "function";
     readonly inputs: readonly [{
@@ -1079,6 +1118,10 @@ export declare const incoVerifierAbi: readonly [{
         readonly type: "uint256";
     }];
     readonly name: "InvalidThreshold";
+}, {
+    readonly type: "error";
+    readonly inputs: readonly [];
+    readonly name: "InvalidVerifyingContract";
 }, {
     readonly type: "error";
     readonly inputs: readonly [{

package/dist/types/generated/es/inco/sealingfetcher/v1/sealingfetcher_pb.d.ts

@@ -122,6 +122,13 @@ export type TeeKeys = Message<"inco.sealingfetcher.v1.TeeKeys"> & {
      * @generated from field: bytes storage_privkey = 3;
      */
     storagePrivkey: Uint8Array;
+    /**
+     * The 32-byte seed used for Lightning's RNG. Generated at bootstrap and
+     * distinct from the network private key.
+     *
+     * @generated from field: bytes rand_seed = 4;
+     */
+    randSeed: Uint8Array;
 };
 /**
  * Describes the message inco.sealingfetcher.v1.TeeKeys.

package/dist/types/generated/lightning.d.ts

@@ -1,4 +1,44 @@
 export declare const lightningDeployments: readonly [{
+    readonly name: "incoLightning_6_0_0__281949651";
+    readonly majorVersion: 6;
+    readonly deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC";
+    readonly pepper: "devnet";
+    readonly executorAddress: "0xDF3830489208461f72Df6E45D0e6cbF9DBB74fe1";
+    readonly salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc009531587de02194b1b7a9d3";
+    readonly chainId: 84532;
+    readonly chainName: "Base Sepolia";
+    readonly version: {
+        readonly major: 6;
+        readonly minor: 0;
+        readonly patch: 0;
+        readonly shortSalt: "281949651";
+    };
+    readonly blockNumber: 37516200;
+    readonly deployDate: "2026-02-11T09:04:51.931Z";
+    readonly commit: "v0.8.0-devnet-9-13-ge2ba2377";
+    readonly active: true;
+    readonly includesPreviewFeatures: false;
+}, {
+    readonly name: "incoLightningPreview_5_0_0__203964628";
+    readonly majorVersion: 5;
+    readonly deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC";
+    readonly pepper: "devnet";
+    readonly executorAddress: "0x8D5D75CC00E2Fc84ec4dE085aE1708223591c6b6";
+    readonly salt: "0x8202d2d747784cb7d48868e44c42c4bf162a70bc00c573fb2bf617e75b6210d4";
+    readonly chainId: 84532;
+    readonly chainName: "Base Sepolia";
+    readonly version: {
+        readonly major: 5;
+        readonly minor: 0;
+        readonly patch: 0;
+        readonly shortSalt: "203964628";
+    };
+    readonly blockNumber: 37431152;
+    readonly deployDate: "2026-02-09T09:49:55.326Z";
+    readonly commit: "v0.8.0-devnet-8-8-ge2e37e00";
+    readonly active: true;
+    readonly includesPreviewFeatures: true;
+}, {
     readonly name: "incoLightningPreview_4_0_0__409204766";
     readonly majorVersion: 4;
     readonly deployer: "0x8202D2D747784Cb7D48868E44C42C4bf162a70BC";

package/dist/types/generated/local-node.d.ts

@@ -16,12 +16,12 @@ export declare const localNodeLightningConfig: {
         readonly senderPrivateKey: "0x3ff395b755c4dc09837d0672dd421915e9b9835a4733edf63d8fd12b3fe4475c";
     };
     readonly devnet: {
-        readonly executorAddress: "0x4046b737B454b0430FBF29cea070e3337AdE95aD";
+        readonly executorAddress: "0xDF3830489208461f72Df6E45D0e6cbF9DBB74fe1";
         readonly chainId: 31337;
         readonly covalidatorUrls: readonly ["http://localhost:50055"];
-        readonly signers: readonly ["0x9463C02Da6EAAd8E2916d42BEE46a16a54833623"];
+        readonly signers: readonly ["0x686190B567C1EF3adD333B73ad9B4B092D8723c1"];
         readonly hostChainRpcUrl: "http://localhost:8545";
-        readonly senderPrivateKey: "0xf852e519594d8f6e9202adafa3354c196d77332d0f2214ff598e8ff14549f59c";
+        readonly senderPrivateKey: "0xcffaf5c90b8131b526b028c6c328b3e9f5079932e29a2ec3a1b7f29b383fd0e6";
     };
     readonly alphanet: {
         readonly executorAddress: "0xc0d693DeEF0A91CE39208676b6da09B822abd199";
@@ -32,7 +32,7 @@ export declare const localNodeLightningConfig: {
         readonly senderPrivateKey: "0x279c172cf3638a79642daa5f7666c600befde318550d7579cf96280920e318b6";
     };
     readonly scratch: {
-        readonly executorAddress: "0x1123128730a0b046F3FB4E02c4B9e06A69da110e";
+        readonly executorAddress: "0xF253724506f9aF666C301c0aD94f92f92Ff390E4";
         readonly chainId: 31337;
         readonly covalidatorUrls: readonly ["http://localhost:50055"];
         readonly signers: readonly ["0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"];

package/dist/types/handle.d.ts

@@ -29,6 +29,18 @@ export declare const InputContext: Schema.Struct<{
 }>;
 export type InputContext = typeof InputContext.Type;
 export type Handle = HexString;
+/**
+ * Expected length of a handle in bytes.
+ * Handle format: 29 bytes hash + 1 byte index + 1 byte type + 1 byte version = 32 bytes
+ */
+export declare const HANDLE_LENGTH_BYTES = 32;
+/**
+ * Validates handle integrity by checking format, length, and version.
+ * Matches the validation in Go's HandleFromBytes (pkg/fhe/handle.go).
+ * @param handle - The handle to validate
+ * @throws Error if handle is malformed (wrong format, length, or unsupported version)
+ */
+export declare function validateHandle(handle: HexString): void;
 export declare function getHandleType(handle: HexString): FheType;
 /**
  *  Computes the prehandle hash for an input based on the ciphertext

package/dist/types/kms/client.d.ts

@@ -2,7 +2,7 @@ import { type Client } from '@connectrpc/connect';
 import type { Address } from 'viem';
 import type { SupportedChain } from '../chain.js';
 import { KmsService } from '../generated/es/inco/kms/lite/v1/kms_service_pb.js';
-export declare const DEFAULT_COVALIDATOR_SIGNER: Address;
+export declare const TEST_DEFAULT_COVALIDATOR_SIGNER: Address;
 export type KmsClient = Client<typeof KmsService> & {
     signerAddress: Address;
 };

package/dist/types/kms/quorumClient.d.ts

@@ -52,6 +52,7 @@ export declare class KmsQuorumClient {
     private verifyComputeResponseConsistency;
     /**
      * Verifies that two plaintext byte arrays are identical.
+     * Uses constant-time comparison to prevent timing side-channel attacks.
      */
     private verifyPlaintextBytesConsistency;
     private verifyPlaintextConsistency;

package/dist/types/lite/index.d.ts

@@ -6,4 +6,4 @@ export * from './attested-decrypt.js';
 export * from './deployments.js';
 export * from './hadu.js';
 export * from './lightning.js';
-export { TEST_NETWORK_SEED_KEY, TEST_NETWORK_XWING_PUBKEY, XWING_PUBLIC_KEY_SIZE, decodeXwingPrivateKey, decodeXwingPublicKey, decrypt, deriveXwingKeypairFromSeed, encodeXwingPublicKey, encrypt, generateXwingKeypair, getXwingDecryptor, getXwingEncryptor, type XwingDecryptorArgs, type XwingEncryptorArgs, type XwingKeypair, } from './xwing.js';
+export { TEST_NETWORK_SEED_KEY, XWING_PUBLIC_KEY_SIZE, decodeXwingPrivateKey, decodeXwingPublicKey, decrypt, deriveXwingKeypairFromSeed, encodeXwingPublicKey, encrypt, generateXwingKeypair, getXwingDecryptor, getXwingEncryptor, type XwingDecryptorArgs, type XwingEncryptorArgs, type XwingKeypair, } from './xwing.js';

package/dist/types/lite/lightning.d.ts

@@ -387,15 +387,14 @@ export declare class Lightning<T extends DeploymentSlice = DeploymentSlice> {
     static getNetworkPubkey(client: PublicClient, executorAddress: Address): Promise<HexString>;
     static getIncoVerifierContract(client: PublicClient, executorAddress: Address): Promise<GetContractReturnType<typeof incoVerifierAbi, PublicClient, Address>>;
     /**
-     * Retrieves the verifier contract details including threshold, signers, and ECIES public key from the Inco Verifier contract.
+     * Retrieves the verifier contract details including threshold, signers, and XWING public key from the Inco Verifier contract.
      *
      * @param executorAddress The address of the Inco Lightning executor contract.
      * @param client The public client to interact with the blockchain.
-     * @returns An object containing the threshold, signers, and ECIES public key.
+     * @returns An object containing the threshold, signers, and XWING public key.
      */
     private static getVerifierContractDetails;
     private static getChainConfig;
     private static supportsThresholdRetrieval;
-    private static getDefaultThresholdAndSigners;
 }
 export {};

package/dist/types/lite/xwing.d.ts

@@ -5,8 +5,33 @@ import { PubKeyEncodable } from '../reencryption/index.js';
  * Combining ML-KEM-768 (1184 bytes) and X25519 (32 bytes).
  */
 export declare const XWING_PUBLIC_KEY_SIZE: number;
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is a well-known test seed (all zeros) that provides NO security.
+ * Anyone can derive the private key from this seed and decrypt all data.
+ * Only use for local development and testing.
+ */
 export declare const TEST_NETWORK_SEED_KEY = "0x0000000000000000000000000000000000000000000000000000000000000000";
+/**
+ * WARNING: TEST KEY - DO NOT USE IN PRODUCTION
+ * This is the public key derived from TEST_NETWORK_SEED_KEY (all zeros).
+ * Data encrypted with this key can be decrypted by anyone who knows the seed.
+ * Only use for local development and testing.
+ *
+ * Generated from Go with seed of all zeros using HPKE layer: hpke.KEM_XWING.Scheme().DeriveKeyPair(seed)
+ * This matches the key used in covalidator's GetXwingPrivateKeyForTesting() via DeriveXwingPrivateKey
+ */
 export declare const TEST_NETWORK_XWING_PUBKEY = "0xca882388911c7c762aafc20debd63e845b3bed28c9d5262cdea7771fb31bd660a1ae7b395a9a7df3d12c7b118e8eda5057572c1ba05cd9b635edf33dabca4cac7291e0848f19c20e5beb850c3818f3543d49b3a5c729cb86a28fda539775d04feda112fe0c81d138aaf623aea7d507a4e826e890105db6065a44aba76a10d771c00d1b33f4ac51869806aae18eada68f19047024542d64a7aa1c91a5e1aa49d93613b5224b415bcc7aa166e4b55033438d20c641f9664fdb1689b53208181463e3d1325d46b30f07c5945b7e3fa1418bf833d975258461b294664eaf60795964924a280729c10a37fc6e967440bdd55d4ca53596286383481291152365303d44517cef369c00933b0b30368a230353e729c031075e8388673678a56b3ba84a165b28096ee9bd684483e1844258b451c365c41fa534152a3b64120041450128e960c7d6437d717ee266bdde7aaeec225ed93b958d188e97407349f1382976ca47d761ecc59a6f394487eb015c083abb490584677240eb47f838c838568a496119378b8bb81484610a50792b5d9c9939db188e7d0249d3cb918c436f111a2898849b286b0743a22c57464c709c5eaceac1ba493adca3328c0b14b5e38d3aea74e328b622b17e7181c35ad11c2103bdb7f2b209d93dcbc4ab61a06bc37139e6d2b7a06c5b7e9267bef3a8918a706f793271a5acc2574532da79e5a10cf074b998147a3c43586a411a513bba0d11cc19a36c83b19277f28022c88b120abfdba7076a8263e05336e3245aef7033eb3c762b5bbfa5791ac960398b649d5cbb652ddc6b2398143a0861ab3b410b696328879c099098adf819fbf7ac170030e86675e7f45c22ac9e1cf52c3102487bb0b91ab592afdc69c6e3a9b71876b86260b6c736b8291098f1130d3b763525cbad540ce2d042eacb6ed43b7bcba898f712c412f26066e09945f44ec7026c8ef959831abc10719d2017a12a41728b41c02371a5f5756ebc79406be708ea41bbd21563c874a0b791a3b4e4224a609967004f065c5ab4f3b4c61cb35df70573269da53179c3701fc5205f61974426f9b794c1b5826494b70842b6920c17752029369264dc8590b898b85c9d89a258e1f46c1b0490efd17c485cb51687cea272041e90b8e629521d3c5e3fa7518161bad7a159295b63cc6c0077897b53d47db8bc0ecb820f550705b65715a1a1094d04854f56acd26aa0baa10cb8447fad6211f53105796a42882328e6852e8de821c283b51eaab9bc95c4dc53615626049d63b1f9a457193805276b1905b0ab39353b5cf91fdd6023d4d816aef9cce4a3cfb3d12190172df221ae61d427563a098cc60e3dc9997ef54959180be5dc64a911157db6be3a01be2ee343caab33b8729abf0c50c674758c511291941fceac646232920907c2e88b9ec10211161729c797643a553a6ae5c4b7483c04e3263bd291e311c609071348b7c3310aa97d6b8318e0a4afe8399fa22f951049a9bb8860f7c69a333d3cc1aaf0129ab560713bf29eb3a01f9a276c78e54e3a3648b2447c80242b271b11406866389426d8b59796540d6b5702092ab21ee217c075cfc0c17ef826ce9ea29b9e61617457a5b1aaa23a58615dc53c59183beb36ea19498c21820b70ab47adeb678f1c52bf8768b3597b608ea1a8a15cd62e8a29bec4a1ac248ef9f02de0144bca06025f95a42bd6c8eaaaaaa2366328561d";
+/**
+ * Check if a byte array matches the test seed key.
+ * Logs a warning if it does.
+ */
+export declare function warnIfTestSeed(seed: Uint8Array): boolean;
+/**
+ * Check if a byte array matches the test public key.
+ * Logs a warning if it does.
+ */
+export declare function warnIfTestPubKey(pubKeyBytes: Uint8Array): boolean;
 /**
  * X-Wing keypair interface.
  * X-Wing is a post-quantum hybrid KEM combining ML-KEM-768 and X25519.

package/dist/types/retry.d.ts

@@ -7,6 +7,20 @@ export type BackoffConfig = {
     backoffFactor: number;
     errHandler?: (error: Error, attempt: number) => 'stop' | 'continue';
 };
+/**
+ * Checks if an error is safe to retry.
+ * Only transient errors matching the allowlist should return true.
+ * All other errors fail fast to avoid masking security-critical failures.
+ *
+ * @param error - The error to check
+ * @returns true if the error is transient and safe to retry, false otherwise
+ */
+export declare function isRetryableError(error: Error): boolean;
+/**
+ * Default error handler that only retries known transient errors.
+ * Security-critical errors will fail fast.
+ */
+export declare function defaultRetryErrorHandler(error: Error): 'stop' | 'continue';
 /**
  * Helper function to implement exponential backoff retry logic.
  * @param fn - The function to retry

package/dist/types/test/mocks.d.ts

@@ -5,6 +5,7 @@ import { KmsQuorumClient } from '../kms/quorumClient.js';
 interface MinimalKmsClient {
     attestedCompute: ReturnType<typeof vi.fn>;
     attestedDecrypt: ReturnType<typeof vi.fn>;
+    attestedReveal: ReturnType<typeof vi.fn>;
     key: ReturnType<typeof vi.fn>;
     reencrypt: ReturnType<typeof vi.fn>;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inco/js",
-  "version": "0.8.0-devnet-8",
+  "version": "0.8.0-devnet-10",
   "repository": "https://github.com/Inco-fhevm/inco-monorepo",
   "license": "Apache-2.0",
   "sideEffects": false,