@inco/lightning-js 0.0.0-bootstrap.0

package/dist/cjs/advancedacl/session-key.d.ts

@@ -0,0 +1,95 @@
+import { type Account, type Address, type Chain, type Hex, PublicClient, type Transport, type WalletClient } from 'viem';
+import type { PrivateKeyAccount } from 'viem/accounts';
+import { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/index.js';
+import { SupportedChainId } from '../chain.js';
+import { EncryptionScheme, SupportedTeeType } from '../encryption/encryption.js';
+import { HexString } from '../index.js';
+import { type XwingKeypair } from '../lite/xwing.js';
+import { BackoffConfig } from '../retry.js';
+import type { AllowanceVoucher, AllowanceVoucherWithSig } from './types.js';
+import { AttestedComputeOP } from '../attestedcompute/types.js';
+import { KmsQuorumClient } from '../kms/quorumClient.js';
+export declare const SESSION_KEY_WARNING = "Inco Warning: signing this message may leak your private data, including from unrelated apps. Sign only if you fully trust this app.";
+export interface Session {
+    decrypter: Address;
+    expiresAt: bigint;
+}
+export declare function createAllowanceVoucher(incoLiteAddress: Address, sharerWalletClient: WalletClient<Transport, Chain, Account>, verifyingContract: Address, callFunction: Hex, sharerArgData: Hex): Promise<AllowanceVoucher>;
+export interface GrantSessionKeyArgs {
+    chainId: bigint;
+    incoLiteAddress: Address;
+    sessionVerifierContractAddress: Address;
+    granteeAddress: Address;
+    sharerWalletClient: WalletClient<Transport, Chain, Account>;
+    expiresAt: Date;
+}
+export interface GrantSessionKeyCustomVerifierArgs {
+    chainId: bigint;
+    incoLiteAddress: Address;
+    sessionVerifierContractAddress: Address;
+    sharerWalletClient: WalletClient<Transport, Chain, Account>;
+    sharerArgData: Hex;
+}
+export declare function grantSessionKey({ chainId, incoLiteAddress, sessionVerifierContractAddress, granteeAddress, sharerWalletClient, expiresAt, }: GrantSessionKeyArgs): Promise<AllowanceVoucherWithSig>;
+export declare function grantSessionKeyCustomVerifier({ chainId, incoLiteAddress, sessionVerifierContractAddress, sharerWalletClient, sharerArgData, }: GrantSessionKeyCustomVerifierArgs): Promise<AllowanceVoucherWithSig>;
+export declare function updateActiveVouchersSessionNonce(incoLiteAddress: Address, sharerWalletClient: WalletClient<Transport, Chain, Account>): Promise<`0x${string}`>;
+export interface SessionKeyAttestedComputeArgs {
+    chainId: SupportedChainId;
+    ephemeralAccount: PrivateKeyAccount;
+    kmsQuorumClient: KmsQuorumClient;
+    allowanceVoucherWithSig: AllowanceVoucherWithSig;
+    lhsHandle: HexString;
+    op: AttestedComputeOP;
+    rhsPlaintext: bigint | boolean;
+    requesterArgData?: Hex | undefined;
+    backoffConfig?: Partial<BackoffConfig> | undefined;
+    ethClient: PublicClient<Transport, Chain>;
+    executorAddress: HexString;
+    reencryptPubKey?: Uint8Array | undefined;
+    reencryptKeypair?: XwingKeypair | undefined;
+}
+export declare function sessionKeyAttestedCompute<T extends SupportedTeeType>({ lhsHandle, op, rhsPlaintext, backoffConfig, chainId, kmsQuorumClient, ephemeralAccount, allowanceVoucherWithSig, requesterArgData, ethClient, executorAddress, reencryptPubKey, reencryptKeypair, }: SessionKeyAttestedComputeArgs): Promise<DecryptionAttestation<EncryptionScheme, SupportedTeeType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedTeeType>>;
+export interface SessionKeyAttestedDecryptArgs {
+    chainId: SupportedChainId;
+    ephemeralAccount: PrivateKeyAccount;
+    kmsQuorumClient: KmsQuorumClient;
+    allowanceVoucherWithSig: AllowanceVoucherWithSig;
+    handles: HexString[];
+    requesterArgData?: Hex | undefined;
+    backoffConfig?: Partial<BackoffConfig> | undefined;
+    reencryptPubKey?: Uint8Array | undefined;
+    reencryptKeypair?: XwingKeypair | undefined;
+    ethClient: PublicClient<Transport, Chain>;
+    executorAddress: HexString;
+}
+/**
+ * Performs attested decrypts using a voucher-backed session key.
+ *
+ * @example Plaintext results
+ * ```ts
+ * const attestations = await sessionKeyAttestedDecrypt({
+ *   chainId,
+ *   kmsConnectRpcEndpointOrClient: covalidatorUrl,
+ *   allowanceVoucherWithSig: voucher,
+ *   ephemeralAccount,
+ *   handles,
+ * });
+ * console.log(attestations[0].plaintext.value);
+ * ```
+ *
+ * @example Encrypted results
+ * ```ts
+ * const encryptedResults = await sessionKeyAttestedDecrypt({
+ *   chainId,
+ *   kmsConnectRpcEndpointOrClient: covalidatorUrl,
+ *   allowanceVoucherWithSig: voucher,
+ *   ephemeralAccount,
+ *   handles,
+ *   reencryptPubKey: recipientPubKey,
+ * });
+ * console.log(
+ *   encryptedResults[0].encryptedPlaintext.ciphertext.value,
+ * );
+ * ```
+ */
+export declare function sessionKeyAttestedDecrypt({ chainId, kmsQuorumClient, handles, ephemeralAccount, allowanceVoucherWithSig, requesterArgData, backoffConfig, reencryptPubKey, reencryptKeypair, ethClient, executorAddress, }: SessionKeyAttestedDecryptArgs): Promise<Array<DecryptionAttestation<EncryptionScheme, SupportedTeeType> | EncryptedDecryptionAttestation<EncryptionScheme, SupportedTeeType>>>;

package/dist/cjs/advancedacl/session-key.js

@@ -0,0 +1,376 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SESSION_KEY_WARNING = void 0;
+exports.createAllowanceVoucher = createAllowanceVoucher;
+exports.grantSessionKey = grantSessionKey;
+exports.grantSessionKeyCustomVerifier = grantSessionKeyCustomVerifier;
+exports.updateActiveVouchersSessionNonce = updateActiveVouchersSessionNonce;
+exports.sessionKeyAttestedCompute = sessionKeyAttestedCompute;
+exports.sessionKeyAttestedDecrypt = sessionKeyAttestedDecrypt;
+const protobuf_1 = require("@bufbuild/protobuf");
+const viem_1 = require("viem");
+const lightning_js_1 = require("../generated/abis/lightning.js");
+const verifier_js_1 = require("../generated/abis/verifier.js");
+const index_js_1 = require("../index.js");
+const index_js_2 = require("../lite/index.js");
+const xwing_js_1 = require("../lite/xwing.js");
+const index_js_3 = require("../reencryption/index.js");
+const types_js_1 = require("../attestedcompute/types.js");
+const attested_decrypt_js_1 = require("../attesteddecrypt/attested-decrypt.js");
+const types_js_2 = require("../attesteddecrypt/types.js");
+const eip712_js_1 = require("../eip712/eip712.js");
+const kms_service_pb_js_1 = require("../generated/es/inco/kms/lite/v1/kms_service_pb.js");
+const types_pb_js_1 = require("../generated/es/inco/kms/lite/v1/types_pb.js");
+// SessionKey is a special case of the SessionVerifier allowance, where the
+// requester is an ephemeral keypair generated by the user, to use the same
+// keypair for multiple reencryptions, expired after a certain time.
+// Default warning message included in session vouchers. Displayed by wallets
+// at signing time so users understand what they are granting access to.
+exports.SESSION_KEY_WARNING = 'Inco Warning: signing this message may leak your private data, including from unrelated apps. Sign only if you fully trust this app.';
+// Given a sharer's wallet client, an incoLite contract address, and a
+// (verifyingContract, callFunction, sharerArgData) tuple, this function
+// creates an AllowanceVoucher. The warning is always SESSION_KEY_WARNING.
+async function createAllowanceVoucher(incoLiteAddress, sharerWalletClient, verifyingContract, callFunction, sharerArgData) {
+    const verifier = await getIncoVerifier(incoLiteAddress, sharerWalletClient);
+    // The session nonce in the AllowanceVoucher must match the current active
+    // session nonce of the sharer on-chain.
+    const sessionNonce = await verifier.read.getActiveVouchersSessionNonce([
+        sharerWalletClient.account.address,
+    ]);
+    return {
+        sessionNonce,
+        verifyingContract,
+        callFunction,
+        sharerArgData,
+        warning: exports.SESSION_KEY_WARNING,
+    };
+}
+// Let the sharer grant a session key to the requester.
+// The session grants temporary access to ALL of the sharer's encrypted handles.
+async function grantSessionKey({ chainId, incoLiteAddress, sessionVerifierContractAddress, granteeAddress, sharerWalletClient, expiresAt, }) {
+    // Validate that expiresAt is a valid Date object
+    if (!(expiresAt instanceof Date) || isNaN(expiresAt.getTime())) {
+        throw new Error('expiresAt must be a valid Date object');
+    }
+    const nowMs = Date.now();
+    const expiresAtMs = expiresAt.getTime();
+    // Validate that expiresAt is in the future
+    if (expiresAtMs < nowMs) {
+        throw new Error('expiresAt must be in the future');
+    }
+    const sharerArgData = (0, viem_1.encodeAbiParameters)(getSessionAbi(), [
+        granteeAddress,
+        BigInt(Math.floor(expiresAtMs / 1000)),
+    ]);
+    const incoVerifier = await getIncoVerifier(incoLiteAddress, sharerWalletClient);
+    // returned by read.eip712Domain():
+    // bytes1 fields,
+    // string memory name,
+    // string memory version,
+    // uint256 chainId,
+    // address verifyingContract,
+    // bytes32 salt,
+    // uint256[] memory extensions
+    const verifierDomain = await incoVerifier.read.eip712Domain();
+    const eip712DomainName = verifierDomain[1];
+    const eip712DomainVersion = verifierDomain[2];
+    const voucher = await createAllowanceVoucher(incoLiteAddress, sharerWalletClient, 
+    // Careful that the verifying contract here is the SessionVerifier contract,
+    // not the incoLite contract.
+    sessionVerifierContractAddress, (0, viem_1.toFunctionSelector)(getCanUseSessionAbi()), sharerArgData);
+    const eip712Payload = (0, index_js_3.createEIP712Payload)({
+        chainId,
+        primaryType: 'AllowanceVoucher',
+        primaryTypeFields: getAllowanceVoucherAbi(),
+        message: voucher,
+        // Related to comment above: careful that the verifying contract here is
+        // the incoVerifier contract (not the SessionVerifier contract).
+        verifyingContract: incoVerifier.address,
+        domainName: eip712DomainName,
+        domainVersion: eip712DomainVersion,
+    });
+    // Using browser extensions, this step will prompt the user to sign the
+    // payload.
+    const voucherSignature = await sharerWalletClient.signTypedData(eip712Payload);
+    return {
+        sharer: sharerWalletClient.account.address,
+        voucher,
+        voucherSignature,
+    };
+}
+async function grantSessionKeyCustomVerifier({ chainId, incoLiteAddress, sessionVerifierContractAddress, sharerWalletClient, sharerArgData, }) {
+    const incoVerifier = await getIncoVerifier(incoLiteAddress, sharerWalletClient);
+    // returned by read.eip712Domain():
+    // bytes1 fields,
+    // string memory name,
+    // string memory version,
+    // uint256 chainId,
+    // address verifyingContract,
+    // bytes32 salt,
+    // uint256[] memory extensions
+    const verifierDomain = await incoVerifier.read.eip712Domain();
+    const eip712DomainName = verifierDomain[1];
+    const eip712DomainVersion = verifierDomain[2];
+    const voucher = await createAllowanceVoucher(incoLiteAddress, sharerWalletClient, 
+    // Careful that the verifying contract here is the SessionVerifier contract,
+    // not the incoLite contract.
+    sessionVerifierContractAddress, (0, viem_1.toFunctionSelector)(getCanUseSessionAbi()), sharerArgData);
+    const eip712Payload = (0, index_js_3.createEIP712Payload)({
+        chainId,
+        primaryType: 'AllowanceVoucher',
+        primaryTypeFields: getAllowanceVoucherAbi(),
+        message: voucher,
+        // Related to comment above: careful that the verifying contract here is
+        // the incoVerifier contract (not the SessionVerifier contract).
+        verifyingContract: incoVerifier.address,
+        domainName: eip712DomainName,
+        domainVersion: eip712DomainVersion,
+    });
+    // Using browser extensions, this step will prompt the user to sign the
+    // payload.
+    const voucherSignature = await sharerWalletClient.signTypedData(eip712Payload);
+    return {
+        sharer: sharerWalletClient.account.address,
+        voucher,
+        voucherSignature,
+    };
+}
+async function updateActiveVouchersSessionNonce(incoLiteAddress, sharerWalletClient) {
+    const verifier = await getIncoVerifier(incoLiteAddress, sharerWalletClient);
+    const salt = (0, viem_1.bytesToHex)(crypto.getRandomValues(new Uint8Array(32)));
+    const txHash = await verifier.write.updateActiveVouchersSessionNonce([salt]);
+    return txHash;
+}
+// The sessionKeyAttestedCompute function is a decryptor that uses a session key
+// to compute on a handle.
+async function sessionKeyAttestedCompute({ lhsHandle, op, rhsPlaintext, backoffConfig, chainId, kmsQuorumClient, ephemeralAccount, allowanceVoucherWithSig, requesterArgData, ethClient, executorAddress, reencryptPubKey, reencryptKeypair, }) {
+    const requesterAccount = ephemeralAccount;
+    const rhsPlaintextBig = BigInt(rhsPlaintext);
+    if (reencryptPubKey &&
+        reencryptKeypair &&
+        !(0, xwing_js_1.reencryptPublicKeysMatch)(reencryptPubKey, reencryptKeypair)) {
+        throw new types_js_1.AttestedComputeError('reencryptPubKey does not match reencryptKeypair public key');
+    }
+    const eip712DomainVersion = await (0, eip712_js_1.fetchEip712DomainVersion)(executorAddress, ethClient);
+    // Sign the EIP712 attesting that the requester has access to the private key
+    // corresponding to the ephemeral public key.
+    const eip712Payload = (0, index_js_3.createEIP712Payload)({
+        chainId: BigInt(chainId),
+        primaryType: 'AttestedComputeRequest',
+        primaryTypeFields: [
+            { name: 'op', type: 'uint8' },
+            { name: 'lhsHandle', type: 'bytes32' },
+            { name: 'rhsPlaintext', type: 'bytes32' },
+            { name: 'publicKey', type: 'bytes' },
+        ],
+        message: {
+            op: op,
+            lhsHandle: lhsHandle,
+            rhsPlaintext: (0, index_js_1.bigintToBytes32)(rhsPlaintextBig),
+            publicKey: (0, viem_1.bytesToHex)(reencryptPubKey ? reencryptPubKey : new Uint8Array()),
+        },
+        domainName: index_js_2.ATTESTED_COMPUTE_DOMAIN_NAME,
+        domainVersion: eip712DomainVersion,
+    });
+    // Since the account is an ephemeral keypair stored in memory (not in Metamask),
+    // this step will NOT prompt the user with a pop-up.
+    const eip712Signature = await requesterAccount.signTypedData(eip712Payload);
+    const attestedComputeRequest = (0, protobuf_1.create)(kms_service_pb_js_1.AttestedComputeRequestSchema, {
+        userAddress: requesterAccount.address,
+        reencryptPubKey: reencryptPubKey ? reencryptPubKey : new Uint8Array(),
+        op: op,
+        lhsHandle: lhsHandle,
+        rhsPlaintext: rhsPlaintextBig.toString(16),
+        eip712Signature: (0, viem_1.hexToBytes)(eip712Signature),
+        aclProof: {
+            proof: {
+                case: 'incoLiteAdvancedAclProof',
+                value: (0, protobuf_1.create)(types_pb_js_1.IncoLiteAdvancedACLProofSchema, {
+                    allowanceProof: (0, protobuf_1.create)(types_pb_js_1.AllowanceProofSchema, {
+                        sharer: allowanceVoucherWithSig.sharer,
+                        voucher: (0, protobuf_1.create)(types_pb_js_1.AllowanceVoucherSchema, {
+                            sessionNonce: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucher.sessionNonce),
+                            verifyingContract: allowanceVoucherWithSig.voucher.verifyingContract,
+                            callFunction: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucher.callFunction),
+                            sharerArgData: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucher.sharerArgData),
+                            warning: allowanceVoucherWithSig.voucher.warning,
+                        }),
+                        voucherSignature: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucherSignature),
+                        // For DefaultSessionVerifier, the requesterArgData is empty.
+                        requesterArgData: requesterArgData
+                            ? (0, viem_1.hexToBytes)(requesterArgData)
+                            : new Uint8Array(),
+                    }),
+                }),
+            },
+        },
+    });
+    let response = await kmsQuorumClient.attestedCompute(attestedComputeRequest, executorAddress, ethClient, backoffConfig, reencryptKeypair);
+    // If reencryptPubKey is provided with a keypair, decrypt the encrypted attestation
+    if (reencryptPubKey && reencryptKeypair) {
+        const [decryptedAttestation] = await (0, attested_decrypt_js_1.decryptEncryptedAttestations)([response], reencryptKeypair);
+        return decryptedAttestation;
+    }
+    return response;
+}
+/**
+ * Performs attested decrypts using a voucher-backed session key.
+ *
+ * @example Plaintext results
+ * ```ts
+ * const attestations = await sessionKeyAttestedDecrypt({
+ *   chainId,
+ *   kmsConnectRpcEndpointOrClient: covalidatorUrl,
+ *   allowanceVoucherWithSig: voucher,
+ *   ephemeralAccount,
+ *   handles,
+ * });
+ * console.log(attestations[0].plaintext.value);
+ * ```
+ *
+ * @example Encrypted results
+ * ```ts
+ * const encryptedResults = await sessionKeyAttestedDecrypt({
+ *   chainId,
+ *   kmsConnectRpcEndpointOrClient: covalidatorUrl,
+ *   allowanceVoucherWithSig: voucher,
+ *   ephemeralAccount,
+ *   handles,
+ *   reencryptPubKey: recipientPubKey,
+ * });
+ * console.log(
+ *   encryptedResults[0].encryptedPlaintext.ciphertext.value,
+ * );
+ * ```
+ */
+async function sessionKeyAttestedDecrypt({ chainId, kmsQuorumClient, handles, ephemeralAccount, allowanceVoucherWithSig, requesterArgData, backoffConfig, reencryptPubKey, reencryptKeypair, ethClient, executorAddress, }) {
+    const requesterAccount = ephemeralAccount;
+    if (reencryptPubKey &&
+        reencryptKeypair &&
+        !(0, xwing_js_1.reencryptPublicKeysMatch)(reencryptPubKey, reencryptKeypair)) {
+        throw new types_js_2.AttestedDecryptError('reencryptPubKey does not match reencryptKeypair public key');
+    }
+    const eip712DomainVersion = await (0, eip712_js_1.fetchEip712DomainVersion)(executorAddress, ethClient);
+    // Sign the EIP712 attesting that the requester has access to the private key
+    // corresponding to the ephemeral public key.
+    const eip712Payload = (0, index_js_3.createEIP712Payload)({
+        chainId: BigInt(chainId),
+        primaryType: 'AttestedDecryptRequest',
+        primaryTypeFields: [
+            { name: 'handles', type: 'bytes32[]' },
+            { name: 'publicKey', type: 'bytes' },
+        ],
+        message: {
+            handles: handles,
+            publicKey: (0, viem_1.bytesToHex)(reencryptPubKey ? reencryptPubKey : Uint8Array.from([])),
+        },
+        domainName: index_js_2.ATTESTED_DECRYPT_DOMAIN_NAME,
+        domainVersion: eip712DomainVersion,
+    });
+    // Since the account is an ephemeral keypair stored in memory (not in Metamask),
+    // this step will NOT prompt the user with a pop-up.
+    const eip712Signature = await requesterAccount.signTypedData(eip712Payload);
+    const handlesWithProofs = handles.map((handle) => {
+        return (0, protobuf_1.create)(types_pb_js_1.HandleWithProofSchema, {
+            handle: handle,
+            aclProof: {
+                proof: {
+                    case: 'incoLiteAdvancedAclProof',
+                    value: (0, protobuf_1.create)(types_pb_js_1.IncoLiteAdvancedACLProofSchema, {
+                        allowanceProof: (0, protobuf_1.create)(types_pb_js_1.AllowanceProofSchema, {
+                            sharer: allowanceVoucherWithSig.sharer,
+                            voucher: (0, protobuf_1.create)(types_pb_js_1.AllowanceVoucherSchema, {
+                                sessionNonce: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucher.sessionNonce),
+                                verifyingContract: allowanceVoucherWithSig.voucher.verifyingContract,
+                                callFunction: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucher.callFunction),
+                                sharerArgData: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucher.sharerArgData),
+                                warning: allowanceVoucherWithSig.voucher.warning,
+                            }),
+                            voucherSignature: (0, viem_1.hexToBytes)(allowanceVoucherWithSig.voucherSignature),
+                            // For DefaultSessionVerifier, the requesterArgData is empty.
+                            requesterArgData: requesterArgData
+                                ? (0, viem_1.hexToBytes)(requesterArgData)
+                                : new Uint8Array(),
+                        }),
+                    }),
+                },
+            },
+        });
+    });
+    const attestedDecryptRequest = (0, protobuf_1.create)(kms_service_pb_js_1.AttestedDecryptRequestSchema, {
+        userAddress: requesterAccount.address,
+        handlesWithProofs: handlesWithProofs,
+        eip712Signature: (0, viem_1.hexToBytes)(eip712Signature),
+        reencryptPubKey: reencryptPubKey ? reencryptPubKey : Uint8Array.from([]),
+    });
+    let response = await kmsQuorumClient.attestedDecrypt(attestedDecryptRequest, executorAddress, ethClient, backoffConfig, reencryptKeypair);
+    // If reencryptPubKey is provided with a keypair, decrypt the encrypted attestations
+    if (reencryptPubKey !== undefined && reencryptKeypair) {
+        response = await (0, attested_decrypt_js_1.decryptEncryptedAttestations)(response, reencryptKeypair);
+    }
+    return response;
+}
+// Below are helpers to get ABIs of functions/structs from the SessionVerifier
+// contract.
+// Get the ABI of the `AllowanceVoucher` struct.
+function getAllowanceVoucherAbi() {
+    // Find the `allowanceVoucherDigest` function, it takes an AllowanceVoucher
+    // as sole argument.
+    const allowanceVoucherDigest = lightning_js_1.advancedAccessControlAbi.find((item) => item.name === 'allowanceVoucherDigest');
+    if (!allowanceVoucherDigest) {
+        throw new Error('allowanceVoucherDigest not found');
+    }
+    // Get the input whose internalType is "struct AllowanceVoucher"
+    const allowanceVoucherInput = allowanceVoucherDigest.inputs.find((input) => input.internalType === 'struct AllowanceVoucher');
+    if (!allowanceVoucherInput) {
+        throw new Error('allowanceVoucherInput not found');
+    }
+    return allowanceVoucherInput.components;
+}
+// Get the ABI of the `Session` struct.
+//
+// We specifically created an ABIHelper.sol contract to export the Session
+// struct from the SessionVerifier contract.
+function getSessionAbi() {
+    const getSession = lightning_js_1.abiHelperAbi.find((item) => 'name' in item && item.name === 'getSession');
+    if (!getSession) {
+        throw new Error('getSession not found');
+    }
+    const session = getSession.outputs[0];
+    if (!session) {
+        throw new Error('session not found');
+    }
+    return session.components;
+}
+// Get the ABI of the `canUseSession` function.
+function getCanUseSessionAbi() {
+    const canUseSession = lightning_js_1.sessionVerifierAbi.find((item) => 'name' in item && item.name === 'canUseSession');
+    if (!canUseSession) {
+        throw new Error('canUseSession not found');
+    }
+    return canUseSession;
+}
+function getAdvancedAcl(incoVerifierAddress, sharerWalletClient) {
+    return (0, viem_1.getContract)({
+        address: incoVerifierAddress,
+        abi: lightning_js_1.advancedAccessControlAbi,
+        client: sharerWalletClient,
+    });
+}
+function getIncoLightning(incoLiteAddress, walletClient) {
+    return (0, viem_1.getContract)({
+        address: incoLiteAddress,
+        abi: lightning_js_1.incoLightningAbi,
+        client: walletClient,
+    });
+}
+async function getIncoVerifier(incoLiteAddress, walletClient) {
+    const incoLite = getIncoLightning(incoLiteAddress, walletClient);
+    const incoVerifierAddress = await incoLite.read.incoVerifier();
+    return (0, viem_1.getContract)({
+        address: incoVerifierAddress,
+        abi: verifier_js_1.incoVerifierAbi,
+        client: walletClient,
+    });
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2Vzc2lvbi1rZXkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvYWR2YW5jZWRhY2wvc2Vzc2lvbi1rZXkudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBdUZBLHdEQXNCQztBQXdDRCwwQ0EwRUM7QUFFRCxzRUF1REM7QUFFRCw0RUFRQztBQXFDRCw4REE4SEM7QUE2REQsOERBcUhDO0FBdm5CRCxpREFBNEM7QUFDNUMsK0JBYWM7QUFXZCxpRUFLd0M7QUFDeEMsK0RBQWdFO0FBQ2hFLDBDQUF5RDtBQU16RCwrQ0FHMEI7QUFDMUIsK0NBQStFO0FBQy9FLHVEQUErRDtBQUkvRCwwREFHcUM7QUFDckMsZ0ZBQXNGO0FBQ3RGLDBEQUFtRTtBQUNuRSxtREFBK0Q7QUFDL0QsMEZBRzREO0FBQzVELDhFQUtzRDtBQUd0RCwyRUFBMkU7QUFDM0UsMkVBQTJFO0FBQzNFLG9FQUFvRTtBQUVwRSw2RUFBNkU7QUFDN0Usd0VBQXdFO0FBQzNELFFBQUEsbUJBQW1CLEdBQzlCLHNJQUFzSSxDQUFDO0FBV3pJLHNFQUFzRTtBQUN0RSx3RUFBd0U7QUFDeEUsMEVBQTBFO0FBQ25FLEtBQUssVUFBVSxzQkFBc0IsQ0FDMUMsZUFBd0IsRUFDeEIsa0JBQTJELEVBQzNELGlCQUEwQixFQUMxQixZQUFpQixFQUNqQixhQUFrQjtJQUVsQixNQUFNLFFBQVEsR0FBRyxNQUFNLGVBQWUsQ0FBQyxlQUFlLEVBQUUsa0JBQWtCLENBQUMsQ0FBQztJQUU1RSwwRUFBMEU7SUFDMUUsd0NBQXdDO0lBQ3hDLE1BQU0sWUFBWSxHQUFHLE1BQU0sUUFBUSxDQUFDLElBQUksQ0FBQyw2QkFBNkIsQ0FBQztRQUNyRSxrQkFBa0IsQ0FBQyxPQUFPLENBQUMsT0FBTztLQUNuQyxDQUFDLENBQUM7SUFFSCxPQUFPO1FBQ0wsWUFBWTtRQUNaLGlCQUFpQjtRQUNqQixZQUFZO1FBQ1osYUFBYTtRQUNiLE9BQU8sRUFBRSwyQkFBbUI7S0FDN0IsQ0FBQztBQUNKLENBQUM7QUFzQ0QsdURBQXVEO0FBQ3ZELGdGQUFnRjtBQUN6RSxLQUFLLFVBQVUsZUFBZSxDQUFDLEVBQ3BDLE9BQU8sRUFDUCxlQUFlLEVBQ2YsOEJBQThCLEVBQzlCLGNBQWMsRUFDZCxrQkFBa0IsRUFDbEIsU0FBUyxHQUNXO0lBQ3BCLGlEQUFpRDtJQUNqRCxJQUFJLENBQUMsQ0FBQyxTQUFTLFlBQVksSUFBSSxDQUFDLElBQUksS0FBSyxDQUFDLFNBQVMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxFQUFFLENBQUM7UUFDL0QsTUFBTSxJQUFJLEtBQUssQ0FBQyx1Q0FBdUMsQ0FBQyxDQUFDO0lBQzNELENBQUM7SUFFRCxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7SUFDekIsTUFBTSxXQUFXLEdBQUcsU0FBUyxDQUFDLE9BQU8sRUFBRSxDQUFDO0lBRXhDLDJDQUEyQztJQUMzQyxJQUFJLFdBQVcsR0FBRyxLQUFLLEVBQUUsQ0FBQztRQUN4QixNQUFNLElBQUksS0FBSyxDQUFDLGlDQUFpQyxDQUFDLENBQUM7SUFDckQsQ0FBQztJQUVELE1BQU0sYUFBYSxHQUFHLElBQUEsMEJBQW1CLEVBQUMsYUFBYSxFQUFFLEVBQUU7UUFDekQsY0FBYztRQUNkLE1BQU0sQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLFdBQVcsR0FBRyxJQUFJLENBQUMsQ0FBQztLQUN2QyxDQUFDLENBQUM7SUFFSCxNQUFNLFlBQVksR0FBRyxNQUFNLGVBQWUsQ0FDeEMsZUFBZSxFQUNmLGtCQUFrQixDQUNuQixDQUFDO0lBRUYsbUNBQW1DO0lBQ25DLGlCQUFpQjtJQUNqQixzQkFBc0I7SUFDdEIseUJBQXlCO0lBQ3pCLG1CQUFtQjtJQUNuQiw2QkFBNkI7SUFDN0IsZ0JBQWdCO0lBQ2hCLDhCQUE4QjtJQUM5QixNQUFNLGNBQWMsR0FBRyxNQUFNLFlBQVksQ0FBQyxJQUFJLENBQUMsWUFBWSxFQUFFLENBQUM7SUFDOUQsTUFBTSxnQkFBZ0IsR0FBVyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDbkQsTUFBTSxtQkFBbUIsR0FBVyxjQUFjLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFFdEQsTUFBTSxPQUFPLEdBQUcsTUFBTSxzQkFBc0IsQ0FDMUMsZUFBZSxFQUNmLGtCQUFrQjtJQUNsQiw0RUFBNEU7SUFDNUUsNkJBQTZCO0lBQzdCLDhCQUE4QixFQUM5QixJQUFBLHlCQUFrQixFQUFDLG1CQUFtQixFQUFFLENBQUMsRUFDekMsYUFBYSxDQUNkLENBQUM7SUFDRixNQUFNLGFBQWEsR0FBRyxJQUFBLDhCQUFtQixFQUFDO1FBQ3hDLE9BQU87UUFDUCxXQUFXLEVBQUUsa0JBQWtCO1FBQy9CLGlCQUFpQixFQUFFLHNCQUFzQixFQUFFO1FBQzNDLE9BQU8sRUFBRSxPQUFPO1FBQ2hCLHdFQUF3RTtRQUN4RSxnRUFBZ0U7UUFDaEUsaUJBQWlCLEVBQUUsWUFBWSxDQUFDLE9BQU87UUFDdkMsVUFBVSxFQUFFLGdCQUFnQjtRQUM1QixhQUFhLEVBQUUsbUJBQW1CO0tBQ25DLENBQUMsQ0FBQztJQUVILHVFQUF1RTtJQUN2RSxXQUFXO0lBQ1gsTUFBTSxnQkFBZ0IsR0FDcEIsTUFBTSxrQkFBa0IsQ0FBQyxhQUFhLENBQUMsYUFBYSxDQUFDLENBQUM7SUFFeEQsT0FBTztRQUNMLE1BQU0sRUFBRSxrQkFBa0IsQ0FBQyxPQUFPLENBQUMsT0FBTztRQUMxQyxPQUFPO1FBQ1AsZ0JBQWdCO0tBQ2pCLENBQUM7QUFDSixDQUFDO0FBRU0sS0FBSyxVQUFVLDZCQUE2QixDQUFDLEVBQ2xELE9BQU8sRUFDUCxlQUFlLEVBQ2YsOEJBQThCLEVBQzlCLGtCQUFrQixFQUNsQixhQUFhLEdBQ3FCO0lBQ2xDLE1BQU0sWUFBWSxHQUFHLE1BQU0sZUFBZSxDQUN4QyxlQUFlLEVBQ2Ysa0JBQWtCLENBQ25CLENBQUM7SUFFRixtQ0FBbUM7SUFDbkMsaUJBQWlCO0lBQ2pCLHNCQUFzQjtJQUN0Qix5QkFBeUI7SUFDekIsbUJBQW1CO0lBQ25CLDZCQUE2QjtJQUM3QixnQkFBZ0I7SUFDaEIsOEJBQThCO0lBQzlCLE1BQU0sY0FBYyxHQUFHLE1BQU0sWUFBWSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztJQUM5RCxNQUFNLGdCQUFnQixHQUFXLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUNuRCxNQUFNLG1CQUFtQixHQUFXLGNBQWMsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUV0RCxNQUFNLE9BQU8sR0FBRyxNQUFNLHNCQUFzQixDQUMxQyxlQUFlLEVBQ2Ysa0JBQWtCO0lBQ2xCLDRFQUE0RTtJQUM1RSw2QkFBNkI7SUFDN0IsOEJBQThCLEVBQzlCLElBQUEseUJBQWtCLEVBQUMsbUJBQW1CLEVBQUUsQ0FBQyxFQUN6QyxhQUFhLENBQ2QsQ0FBQztJQUNGLE1BQU0sYUFBYSxHQUFHLElBQUEsOEJBQW1CLEVBQUM7UUFDeEMsT0FBTztRQUNQLFdBQVcsRUFBRSxrQkFBa0I7UUFDL0IsaUJBQWlCLEVBQUUsc0JBQXNCLEVBQUU7UUFDM0MsT0FBTyxFQUFFLE9BQU87UUFDaEIsd0VBQXdFO1FBQ3hFLGdFQUFnRTtRQUNoRSxpQkFBaUIsRUFBRSxZQUFZLENBQUMsT0FBTztRQUN2QyxVQUFVLEVBQUUsZ0JBQWdCO1FBQzVCLGFBQWEsRUFBRSxtQkFBbUI7S0FDbkMsQ0FBQyxDQUFDO0lBRUgsdUVBQXVFO0lBQ3ZFLFdBQVc7SUFDWCxNQUFNLGdCQUFnQixHQUNwQixNQUFNLGtCQUFrQixDQUFDLGFBQWEsQ0FBQyxhQUFhLENBQUMsQ0FBQztJQUV4RCxPQUFPO1FBQ0wsTUFBTSxFQUFFLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxPQUFPO1FBQzFDLE9BQU87UUFDUCxnQkFBZ0I7S0FDakIsQ0FBQztBQUNKLENBQUM7QUFFTSxLQUFLLFVBQVUsZ0NBQWdDLENBQ3BELGVBQXdCLEVBQ3hCLGtCQUEyRDtJQUUzRCxNQUFNLFFBQVEsR0FBRyxNQUFNLGVBQWUsQ0FBQyxlQUFlLEVBQUUsa0JBQWtCLENBQUMsQ0FBQztJQUM1RSxNQUFNLElBQUksR0FBRyxJQUFBLGlCQUFVLEVBQUMsTUFBTSxDQUFDLGVBQWUsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDcEUsTUFBTSxNQUFNLEdBQUcsTUFBTSxRQUFRLENBQUMsS0FBSyxDQUFDLGdDQUFnQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztJQUM3RSxPQUFPLE1BQU0sQ0FBQztBQUNoQixDQUFDO0FBbUNELGdGQUFnRjtBQUNoRiwwQkFBMEI7QUFDbkIsS0FBSyxVQUFVLHlCQUF5QixDQUE2QixFQUMxRSxTQUFTLEVBQ1QsRUFBRSxFQUNGLFlBQVksRUFDWixhQUFhLEVBQ2IsT0FBTyxFQUNQLGVBQWUsRUFDZixnQkFBZ0IsRUFDaEIsdUJBQXVCLEVBQ3ZCLGdCQUFnQixFQUNoQixTQUFTLEVBQ1QsZUFBZSxFQUNmLGVBQWUsRUFDZixnQkFBZ0IsR0FDYztJQUk5QixNQUFNLGdCQUFnQixHQUFHLGdCQUFnQixDQUFDO0lBQzFDLE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyxZQUFZLENBQUMsQ0FBQztJQUU3QyxJQUNFLGVBQWU7UUFDZixnQkFBZ0I7UUFDaEIsQ0FBQyxJQUFBLG1DQUF3QixFQUFDLGVBQWUsRUFBRSxnQkFBZ0IsQ0FBQyxFQUM1RCxDQUFDO1FBQ0QsTUFBTSxJQUFJLCtCQUFvQixDQUM1Qiw0REFBNEQsQ0FDN0QsQ0FBQztJQUNKLENBQUM7SUFFRCxNQUFNLG1CQUFtQixHQUFHLE1BQU0sSUFBQSxvQ0FBd0IsRUFDeEQsZUFBZSxFQUNmLFNBQVMsQ0FDVixDQUFDO0lBRUYsNkVBQTZFO0lBQzdFLDZDQUE2QztJQUM3QyxNQUFNLGFBQWEsR0FBRyxJQUFBLDhCQUFtQixFQUFDO1FBQ3hDLE9BQU8sRUFBRSxNQUFNLENBQUMsT0FBTyxDQUFDO1FBQ3hCLFdBQVcsRUFBRSx3QkFBd0I7UUFDckMsaUJBQWlCLEVBQUU7WUFDakIsRUFBRSxJQUFJLEVBQUUsSUFBSSxFQUFFLElBQUksRUFBRSxPQUFPLEVBQUU7WUFDN0IsRUFBRSxJQUFJLEVBQUUsV0FBVyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUU7WUFDdEMsRUFBRSxJQUFJLEVBQUUsY0FBYyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUU7WUFDekMsRUFBRSxJQUFJLEVBQUUsV0FBVyxFQUFFLElBQUksRUFBRSxPQUFPLEVBQUU7U0FDckM7UUFDRCxPQUFPLEVBQUU7WUFDUCxFQUFFLEVBQUUsRUFBRTtZQUNOLFNBQVMsRUFBRSxTQUFTO1lBQ3BCLFlBQVksRUFBRSxJQUFBLDBCQUFlLEVBQUMsZUFBZSxDQUFDO1lBQzlDLFNBQVMsRUFBRSxJQUFBLGlCQUFVLEVBQ25CLGVBQWUsQ0FBQyxDQUFDLENBQUMsZUFBZSxDQUFDLENBQUMsQ0FBQyxJQUFJLFVBQVUsRUFBRSxDQUNyRDtTQUNGO1FBQ0QsVUFBVSxFQUFFLHVDQUE0QjtRQUN4QyxhQUFhLEVBQUUsbUJBQW1CO0tBQ25DLENBQUMsQ0FBQztJQUNILGdGQUFnRjtJQUNoRixvREFBb0Q7SUFDcEQsTUFBTSxlQUFlLEdBQUcsTUFBTSxnQkFBZ0IsQ0FBQyxhQUFhLENBQUMsYUFBYSxDQUFDLENBQUM7SUFFNUUsTUFBTSxzQkFBc0IsR0FBMkIsSUFBQSxpQkFBTSxFQUMzRCxnREFBNEIsRUFDNUI7UUFDRSxXQUFXLEVBQUUsZ0JBQWdCLENBQUMsT0FBTztRQUNyQyxlQUFlLEVBQUUsZUFBZSxDQUFDLENBQUMsQ0FBQyxlQUFlLENBQUMsQ0FBQyxDQUFDLElBQUksVUFBVSxFQUFFO1FBQ3JFLEVBQUUsRUFBRSxFQUFFO1FBQ04sU0FBUyxFQUFFLFNBQVM7UUFDcEIsWUFBWSxFQUFFLGVBQWUsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO1FBQzFDLGVBQWUsRUFBRSxJQUFBLGlCQUFVLEVBQUMsZUFBZSxDQUFDO1FBQzVDLFFBQVEsRUFBRTtZQUNSLEtBQUssRUFBRTtnQkFDTCxJQUFJLEVBQUUsMEJBQTBCO2dCQUNoQyxLQUFLLEVBQUUsSUFBQSxpQkFBTSxFQUFDLDRDQUE4QixFQUFFO29CQUM1QyxjQUFjLEVBQUUsSUFBQSxpQkFBTSxFQUFDLGtDQUFvQixFQUFFO3dCQUMzQyxNQUFNLEVBQUUsdUJBQXVCLENBQUMsTUFBTTt3QkFDdEMsT0FBTyxFQUFFLElBQUEsaUJBQU0sRUFBQyxvQ0FBc0IsRUFBRTs0QkFDdEMsWUFBWSxFQUFFLElBQUEsaUJBQVUsRUFDdEIsdUJBQXVCLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FDN0M7NEJBQ0QsaUJBQWlCLEVBQ2YsdUJBQXVCLENBQUMsT0FBTyxDQUFDLGlCQUFpQjs0QkFDbkQsWUFBWSxFQUFFLElBQUEsaUJBQVUsRUFDdEIsdUJBQXVCLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FDN0M7NEJBQ0QsYUFBYSxFQUFFLElBQUEsaUJBQVUsRUFDdkIsdUJBQXVCLENBQUMsT0FBTyxDQUFDLGFBQWEsQ0FDOUM7NEJBQ0QsT0FBTyxFQUFFLHVCQUF1QixDQUFDLE9BQU8sQ0FBQyxPQUFPO3lCQUNqRCxDQUFDO3dCQUNGLGdCQUFnQixFQUFFLElBQUEsaUJBQVUsRUFDMUIsdUJBQXVCLENBQUMsZ0JBQWdCLENBQ3pDO3dCQUNELDZEQUE2RDt3QkFDN0QsZ0JBQWdCLEVBQUUsZ0JBQWdCOzRCQUNoQyxDQUFDLENBQUMsSUFBQSxpQkFBVSxFQUFDLGdCQUFnQixDQUFDOzRCQUM5QixDQUFDLENBQUMsSUFBSSxVQUFVLEVBQUU7cUJBQ3JCLENBQUM7aUJBQ0gsQ0FBQzthQUNIO1NBQ0Y7S0FDRixDQUNGLENBQUM7SUFFRixJQUFJLFFBQVEsR0FBRyxNQUFNLGVBQWUsQ0FBQyxlQUFlLENBQ2xELHNCQUFzQixFQUN0QixlQUFlLEVBQ2YsU0FBUyxFQUNULGFBQWEsRUFDYixnQkFBZ0IsQ0FDakIsQ0FBQztJQUVGLG1GQUFtRjtJQUNuRixJQUFJLGVBQWUsSUFBSSxnQkFBZ0IsRUFBRSxDQUFDO1FBQ3hDLE1BQU0sQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLE1BQU0sSUFBQSxrREFBNEIsRUFDL0QsQ0FBQyxRQUFRLENBQUMsRUFDVixnQkFBZ0IsQ0FDakIsQ0FBQztRQUNGLE9BQU8sb0JBR04sQ0FBQztJQUNKLENBQUM7SUFFRCxPQUFPLFFBQVEsQ0FBQztBQUNsQixDQUFDO0FBK0JEOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQTZCRztBQUNJLEtBQUssVUFBVSx5QkFBeUIsQ0FBQyxFQUM5QyxPQUFPLEVBQ1AsZUFBZSxFQUNmLE9BQU8sRUFDUCxnQkFBZ0IsRUFDaEIsdUJBQXVCLEVBQ3ZCLGdCQUFnQixFQUNoQixhQUFhLEVBQ2IsZUFBZSxFQUNmLGdCQUFnQixFQUNoQixTQUFTLEVBQ1QsZUFBZSxHQUNlO0lBTTlCLE1BQU0sZ0JBQWdCLEdBQUcsZ0JBQWdCLENBQUM7SUFFMUMsSUFDRSxlQUFlO1FBQ2YsZ0JBQWdCO1FBQ2hCLENBQUMsSUFBQSxtQ0FBd0IsRUFBQyxlQUFlLEVBQUUsZ0JBQWdCLENBQUMsRUFDNUQsQ0FBQztRQUNELE1BQU0sSUFBSSwrQkFBb0IsQ0FDNUIsNERBQTRELENBQzdELENBQUM7SUFDSixDQUFDO0lBRUQsTUFBTSxtQkFBbUIsR0FBRyxNQUFNLElBQUEsb0NBQXdCLEVBQ3hELGVBQWUsRUFDZixTQUFTLENBQ1YsQ0FBQztJQUVGLDZFQUE2RTtJQUM3RSw2Q0FBNkM7SUFDN0MsTUFBTSxhQUFhLEdBQUcsSUFBQSw4QkFBbUIsRUFBQztRQUN4QyxPQUFPLEVBQUUsTUFBTSxDQUFDLE9BQU8sQ0FBQztRQUN4QixXQUFXLEVBQUUsd0JBQXdCO1FBQ3JDLGlCQUFpQixFQUFFO1lBQ2pCLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxJQUFJLEVBQUUsV0FBVyxFQUFFO1lBQ3RDLEVBQUUsSUFBSSxFQUFFLFdBQVcsRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFO1NBQ3JDO1FBQ0QsT0FBTyxFQUFFO1lBQ1AsT0FBTyxFQUFFLE9BQU87WUFDaEIsU0FBUyxFQUFFLElBQUEsaUJBQVUsRUFDbkIsZUFBZSxDQUFDLENBQUMsQ0FBQyxlQUFlLENBQUMsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQ3hEO1NBQ0Y7UUFDRCxVQUFVLEVBQUUsdUNBQTRCO1FBQ3hDLGFBQWEsRUFBRSxtQkFBbUI7S0FDbkMsQ0FBQyxDQUFDO0lBQ0gsZ0ZBQWdGO0lBQ2hGLG9EQUFvRDtJQUNwRCxNQUFNLGVBQWUsR0FBRyxNQUFNLGdCQUFnQixDQUFDLGFBQWEsQ0FBQyxhQUFhLENBQUMsQ0FBQztJQUM1RSxNQUFNLGlCQUFpQixHQUEyQixPQUFPLENBQUMsR0FBRyxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUU7UUFDdkUsT0FBTyxJQUFBLGlCQUFNLEVBQUMsbUNBQXFCLEVBQUU7WUFDbkMsTUFBTSxFQUFFLE1BQU07WUFDZCxRQUFRLEVBQUU7Z0JBQ1IsS0FBSyxFQUFFO29CQUNMLElBQUksRUFBRSwwQkFBMEI7b0JBQ2hDLEtBQUssRUFBRSxJQUFBLGlCQUFNLEVBQUMsNENBQThCLEVBQUU7d0JBQzVDLGNBQWMsRUFBRSxJQUFBLGlCQUFNLEVBQUMsa0NBQW9CLEVBQUU7NEJBQzNDLE1BQU0sRUFBRSx1QkFBdUIsQ0FBQyxNQUFNOzRCQUN0QyxPQUFPLEVBQUUsSUFBQSxpQkFBTSxFQUFDLG9DQUFzQixFQUFFO2dDQUN0QyxZQUFZLEVBQUUsSUFBQSxpQkFBVSxFQUN0Qix1QkFBdUIsQ0FBQyxPQUFPLENBQUMsWUFBWSxDQUM3QztnQ0FDRCxpQkFBaUIsRUFDZix1QkFBdUIsQ0FBQyxPQUFPLENBQUMsaUJBQWlCO2dDQUNuRCxZQUFZLEVBQUUsSUFBQSxpQkFBVSxFQUN0Qix1QkFBdUIsQ0FBQyxPQUFPLENBQUMsWUFBWSxDQUM3QztnQ0FDRCxhQUFhLEVBQUUsSUFBQSxpQkFBVSxFQUN2Qix1QkFBdUIsQ0FBQyxPQUFPLENBQUMsYUFBYSxDQUM5QztnQ0FDRCxPQUFPLEVBQUUsdUJBQXVCLENBQUMsT0FBTyxDQUFDLE9BQU87NkJBQ2pELENBQUM7NEJBQ0YsZ0JBQWdCLEVBQUUsSUFBQSxpQkFBVSxFQUMxQix1QkFBdUIsQ0FBQyxnQkFBZ0IsQ0FDekM7NEJBQ0QsNkRBQTZEOzRCQUM3RCxnQkFBZ0IsRUFBRSxnQkFBZ0I7Z0NBQ2hDLENBQUMsQ0FBQyxJQUFBLGlCQUFVLEVBQUMsZ0JBQWdCLENBQUM7Z0NBQzlCLENBQUMsQ0FBQyxJQUFJLFVBQVUsRUFBRTt5QkFDckIsQ0FBQztxQkFDSCxDQUFDO2lCQUNIO2FBQ0Y7U0FDRixDQUFDLENBQUM7SUFDTCxDQUFDLENBQUMsQ0FBQztJQUVILE1BQU0sc0JBQXNCLEdBQTJCLElBQUEsaUJBQU0sRUFDM0QsZ0RBQTRCLEVBQzVCO1FBQ0UsV0FBVyxFQUFFLGdCQUFnQixDQUFDLE9BQU87UUFDckMsaUJBQWlCLEVBQUUsaUJBQWlCO1FBQ3BDLGVBQWUsRUFBRSxJQUFBLGlCQUFVLEVBQUMsZUFBZSxDQUFDO1FBQzVDLGVBQWUsRUFBRSxlQUFlLENBQUMsQ0FBQyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7S0FDekUsQ0FDRixDQUFDO0lBRUYsSUFBSSxRQUFRLEdBQUcsTUFBTSxlQUFlLENBQUMsZUFBZSxDQUNsRCxzQkFBc0IsRUFDdEIsZUFBZSxFQUNmLFNBQVMsRUFDVCxhQUFhLEVBQ2IsZ0JBQWdCLENBQ2pCLENBQUM7SUFFRixvRkFBb0Y7SUFDcEYsSUFBSSxlQUFlLEtBQUssU0FBUyxJQUFJLGdCQUFnQixFQUFFLENBQUM7UUFDdEQsUUFBUSxHQUFHLE1BQU0sSUFBQSxrREFBNEIsRUFBQyxRQUFRLEVBQUUsZ0JBQWdCLENBQUMsQ0FBQztJQUM1RSxDQUFDO0lBRUQsT0FBTyxRQUFRLENBQUM7QUFDbEIsQ0FBQztBQUVELDhFQUE4RTtBQUM5RSxZQUFZO0FBRVosZ0RBQWdEO0FBQ2hELFNBQVMsc0JBQXNCO0lBQzdCLDJFQUEyRTtJQUMzRSxvQkFBb0I7SUFDcEIsTUFBTSxzQkFBc0IsR0FBRyx1Q0FBd0IsQ0FBQyxJQUFJLENBQzFELENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsSUFBSSxLQUFLLHdCQUF3QixDQUNqRCxDQUFDO0lBQ0YsSUFBSSxDQUFDLHNCQUFzQixFQUFFLENBQUM7UUFDNUIsTUFBTSxJQUFJLEtBQUssQ0FBQyxrQ0FBa0MsQ0FBQyxDQUFDO0lBQ3RELENBQUM7SUFFRCxnRUFBZ0U7SUFDaEUsTUFBTSxxQkFBcUIsR0FBRyxzQkFBc0IsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUM5RCxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsS0FBSyxDQUFDLFlBQVksS0FBSyx5QkFBeUIsQ0FDNUQsQ0FBQztJQUNGLElBQUksQ0FBQyxxQkFBcUIsRUFBRSxDQUFDO1FBQzNCLE1BQU0sSUFBSSxLQUFLLENBQUMsaUNBQWlDLENBQUMsQ0FBQztJQUNyRCxDQUFDO0lBRUQsT0FBTyxxQkFBcUIsQ0FBQyxVQUFVLENBQUM7QUFDMUMsQ0FBQztBQUVELHVDQUF1QztBQUN2QyxFQUFFO0FBQ0YsMEVBQTBFO0FBQzFFLDRDQUE0QztBQUM1QyxTQUFTLGFBQWE7SUFDcEIsTUFBTSxVQUFVLEdBQUcsMkJBQVksQ0FBQyxJQUFJLENBQ2xDLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxNQUFNLElBQUksSUFBSSxJQUFJLElBQUksQ0FBQyxJQUFJLEtBQUssWUFBWSxDQUN2RCxDQUFDO0lBQ0YsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ2hCLE1BQU0sSUFBSSxLQUFLLENBQUMsc0JBQXNCLENBQUMsQ0FBQztJQUMxQyxDQUFDO0lBRUQsTUFBTSxPQUFPLEdBQUcsVUFBVSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUN0QyxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7UUFDYixNQUFNLElBQUksS0FBSyxDQUFDLG1CQUFtQixDQUFDLENBQUM7SUFDdkMsQ0FBQztJQUVELE9BQU8sT0FBTyxDQUFDLFVBQVUsQ0FBQztBQUM1QixDQUFDO0FBRUQsK0NBQStDO0FBQy9DLFNBQVMsbUJBQW1CO0lBQzFCLE1BQU0sYUFBYSxHQUFHLGlDQUFrQixDQUFDLElBQUksQ0FDM0MsQ0FBQyxJQUFJLEVBQUUsRUFBRSxDQUFDLE1BQU0sSUFBSSxJQUFJLElBQUksSUFBSSxDQUFDLElBQUksS0FBSyxlQUFlLENBQzFELENBQUM7SUFDRixJQUFJLENBQUMsYUFBYSxFQUFFLENBQUM7UUFDbkIsTUFBTSxJQUFJLEtBQUssQ0FBQyx5QkFBeUIsQ0FBQyxDQUFDO0lBQzdDLENBQUM7SUFFRCxPQUFPLGFBQWEsQ0FBQztBQUN2QixDQUFDO0FBRUQsU0FBUyxjQUFjLENBQ3JCLG1CQUE0QixFQUM1QixrQkFBMkQ7SUFFM0QsT0FBTyxJQUFBLGtCQUFXLEVBQUM7UUFDakIsT0FBTyxFQUFFLG1CQUFtQjtRQUM1QixHQUFHLEVBQUUsdUNBQXdCO1FBQzdCLE1BQU0sRUFBRSxrQkFBa0I7S0FDM0IsQ0FBQyxDQUFDO0FBQ0wsQ0FBQztBQUVELFNBQVMsZ0JBQWdCLENBQ3ZCLGVBQXdCLEVBQ3hCLFlBQXFEO0lBRXJELE9BQU8sSUFBQSxrQkFBVyxFQUFDO1FBQ2pCLE9BQU8sRUFBRSxlQUFlO1FBQ3hCLEdBQUcsRUFBRSwrQkFBZ0I7UUFDckIsTUFBTSxFQUFFLFlBQVk7S0FDckIsQ0FBQyxDQUFDO0FBQ0wsQ0FBQztBQUVELEtBQUssVUFBVSxlQUFlLENBQzVCLGVBQXdCLEVBQ3hCLFlBQXFEO0lBRXJELE1BQU0sUUFBUSxHQUFHLGdCQUFnQixDQUFDLGVBQWUsRUFBRSxZQUFZLENBQUMsQ0FBQztJQUNqRSxNQUFNLG1CQUFtQixHQUFHLE1BQU0sUUFBUSxDQUFDLElBQUksQ0FBQyxZQUFZLEVBQUUsQ0FBQztJQUMvRCxPQUFPLElBQUEsa0JBQVcsRUFBQztRQUNqQixPQUFPLEVBQUUsbUJBQW1CO1FBQzVCLEdBQUcsRUFBRSw2QkFBZTtRQUNwQixNQUFNLEVBQUUsWUFBWTtLQUNyQixDQUFDLENBQUM7QUFDTCxDQUFDIn0=

package/dist/cjs/advancedacl/types.d.ts

@@ -0,0 +1,16 @@
+import { Address, Hex } from 'viem';
+export type AllowanceVoucher = {
+    sessionNonce: Hex;
+    verifyingContract: Address;
+    callFunction: Hex;
+    sharerArgData: Hex;
+    warning: string;
+};
+export interface AllowanceVoucherWithSig {
+    sharer: Address;
+    voucher: AllowanceVoucher;
+    voucherSignature: Hex;
+}
+export interface AllowanceProof extends AllowanceVoucherWithSig {
+    requesterArgData: Uint8Array;
+}

package/dist/cjs/advancedacl/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidHlwZXMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvYWR2YW5jZWRhY2wvdHlwZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9

package/dist/cjs/attestedcompute/attested-compute.d.ts

@@ -0,0 +1,65 @@
+import type { Account, Chain, Transport, WalletClient } from 'viem';
+import { DecryptionAttestation, EncryptedDecryptionAttestation } from '../attesteddecrypt/types.js';
+import { HexString } from '../binary.js';
+import { SupportedChainId } from '../chain.js';
+import type { EncryptionScheme, SupportedTeeType } from '../encryption/encryption.js';
+import { KmsQuorumClient } from '../kms/quorumClient.js';
+import { type XwingKeypair } from '../lite/xwing.js';
+import type { BackoffConfig } from '../retry.js';
+import { AttestedComputeOP } from './types.js';
+export declare const ATTESTED_COMPUTE_DOMAIN_NAME = "IncoAttestedCompute";
+/**
+ * Arguments for creating an attested compute.
+ */
+export interface IncoLiteAttestedComputeArgs {
+    /** The wallet used to interact with the blockchain and sign the compute request */
+    walletClient: WalletClient<Transport, Chain, Account>;
+    /** The KMS quorum client instance */
+    kmsQuorumClient: KmsQuorumClient;
+    /** The chain ID to use */
+    chainId: SupportedChainId;
+}
+/**
+ * Creates an attested compute function that can decrypt handles with an attached attestation from the covalidator.
+ * @param args - The arguments for creating the attested compute function
+ * @returns A function that can perform binary operation on a handle and return an attestation
+ * @throws {AttestedComputeError} If the creation fails
+ *
+ * @todo Support multiple operations in a single request.
+ */
+export declare function attestedCompute<T extends SupportedTeeType>({ executorAddress, lhsHandle, op, rhsPlaintext, backoffConfig, walletClient, kmsQuorumClient, chainId, reencryptPubKey, reencryptKeypair, }: {
+    executorAddress: HexString;
+    lhsHandle: HexString;
+    op: AttestedComputeOP;
+    rhsPlaintext: bigint | boolean;
+    backoffConfig?: Partial<BackoffConfig> | undefined;
+    walletClient: WalletClient<Transport, Chain, Account>;
+    kmsQuorumClient: KmsQuorumClient;
+    chainId: SupportedChainId;
+    reencryptPubKey: Uint8Array;
+    reencryptKeypair: XwingKeypair;
+}): Promise<DecryptionAttestation<EncryptionScheme, T>>;
+export declare function attestedCompute<T extends SupportedTeeType>({ executorAddress, lhsHandle, op, rhsPlaintext, backoffConfig, walletClient, kmsQuorumClient, chainId, reencryptPubKey, }: {
+    executorAddress: HexString;
+    lhsHandle: HexString;
+    op: AttestedComputeOP;
+    rhsPlaintext: bigint | boolean;
+    backoffConfig?: Partial<BackoffConfig> | undefined;
+    walletClient: WalletClient<Transport, Chain, Account>;
+    kmsQuorumClient: KmsQuorumClient;
+    chainId: SupportedChainId;
+    reencryptPubKey: Uint8Array;
+    reencryptKeypair?: never;
+}): Promise<EncryptedDecryptionAttestation<EncryptionScheme, T>>;
+export declare function attestedCompute<T extends SupportedTeeType>({ executorAddress, lhsHandle, op, rhsPlaintext, backoffConfig, walletClient, kmsQuorumClient, chainId, }: {
+    executorAddress: HexString;
+    lhsHandle: HexString;
+    op: AttestedComputeOP;
+    rhsPlaintext: bigint | boolean;
+    backoffConfig?: Partial<BackoffConfig> | undefined;
+    walletClient: WalletClient<Transport, Chain, Account>;
+    kmsQuorumClient: KmsQuorumClient;
+    chainId: SupportedChainId;
+    reencryptPubKey?: never;
+    reencryptKeypair?: never;
+}): Promise<DecryptionAttestation<EncryptionScheme, T>>;