npm - @kairoguard/sdk - Versions diffs - 0.0.1 - Mend

@kairoguard/sdk 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/dist/evm.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Minimal EVM JSON-RPC helpers using raw fetch (no ethers/viem runtime dependency).
+ */
+export interface EstimateGasParams {
+    from?: string;
+    to?: string;
+    value?: string;
+    data?: string;
+    gas?: string;
+    gasPrice?: string;
+    maxFeePerGas?: string;
+    maxPriorityFeePerGas?: string;
+    nonce?: string;
+}
+export declare function broadcastEvm(signedTx: string, rpcUrl: string): Promise<string>;
+export declare function getBalance(address: string, rpcUrl: string): Promise<bigint>;
+export declare function estimateGas(txParams: EstimateGasParams, rpcUrl: string): Promise<bigint>;
+export declare function getTransactionCount(address: string, rpcUrl: string): Promise<bigint>;
+export declare function getGasPrice(rpcUrl: string): Promise<bigint>;

package/dist/evm.js ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Minimal EVM JSON-RPC helpers using raw fetch (no ethers/viem runtime dependency).
+ */
+let rpcRequestId = 0;
+function parseHexQuantity(value, field) {
+    if (typeof value !== "string" || !/^0x[0-9a-fA-F]+$/.test(value)) {
+        throw new Error(`Invalid ${field} response: expected hex quantity`);
+    }
+    return BigInt(value);
+}
+async function rpcCall(rpcUrl, method, params) {
+    const id = ++rpcRequestId;
+    const response = await fetch(rpcUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            jsonrpc: "2.0",
+            id,
+            method,
+            params,
+        }),
+    });
+    const payload = await response.json();
+    if (!response.ok) {
+        const errorMessage = "error" in payload
+            ? payload.error.message
+            : `HTTP ${response.status}`;
+        throw new Error(`EVM RPC error (${method}): ${errorMessage}`);
+    }
+    if ("error" in payload) {
+        throw new Error(`EVM RPC error (${method}): ${payload.error.message}`);
+    }
+    return payload.result;
+}
+export async function broadcastEvm(signedTx, rpcUrl) {
+    return rpcCall(rpcUrl, "eth_sendRawTransaction", [signedTx]);
+}
+export async function getBalance(address, rpcUrl) {
+    const result = await rpcCall(rpcUrl, "eth_getBalance", [address, "latest"]);
+    return parseHexQuantity(result, "eth_getBalance");
+}
+export async function estimateGas(txParams, rpcUrl) {
+    const result = await rpcCall(rpcUrl, "eth_estimateGas", [txParams]);
+    return parseHexQuantity(result, "eth_estimateGas");
+}
+export async function getTransactionCount(address, rpcUrl) {
+    const result = await rpcCall(rpcUrl, "eth_getTransactionCount", [address, "pending"]);
+    return parseHexQuantity(result, "eth_getTransactionCount");
+}
+export async function getGasPrice(rpcUrl) {
+    const result = await rpcCall(rpcUrl, "eth_gasPrice", []);
+    return parseHexQuantity(result, "eth_gasPrice");
+}

package/dist/evmIntent.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { EvmChainId, EvmIntent, Hex } from "./types.js";
+/**
+ * Compute the EVM intent hash from the serialized unsigned tx bytes.
+ *
+ * In the reference ETH demo, the MPC signs over the raw serialized unsigned tx bytes,
+ * and the hash scheme used for ECDSA is KECCAK256.
+ */
+export declare function computeEvmIntentFromUnsignedTxBytes(params: {
+    chainId: EvmChainId;
+    unsignedTxBytesHex: Hex;
+}): EvmIntent;

package/dist/evmIntent.js ADDED Viewed

@@ -0,0 +1,12 @@
+import { keccak256, toBytes } from "viem";
+/**
+ * Compute the EVM intent hash from the serialized unsigned tx bytes.
+ *
+ * In the reference ETH demo, the MPC signs over the raw serialized unsigned tx bytes,
+ * and the hash scheme used for ECDSA is KECCAK256.
+ */
+export function computeEvmIntentFromUnsignedTxBytes(params) {
+    const bytes = toBytes(params.unsignedTxBytesHex);
+    const intentHash = keccak256(bytes);
+    return { chainId: params.chainId, intentHash };
+}

package/dist/ika-protocol.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * Ika Protocol helpers -- wraps @ika.xyz/sdk internals into clean functions.
+ *
+ * All Ika-specific crypto runs on the caller's machine (agent/client).
+ * The agent's secret share never leaves this process.
+ */
+import { UserShareEncryptionKeys, Curve, Hash, SignatureAlgorithm } from "@ika.xyz/sdk";
+export type SupportedCurve = "secp256k1" | "ed25519";
+declare function resolveCurve(curve: SupportedCurve): Curve;
+/**
+ * Fetch Ika protocol public parameters for a given curve.
+ * Uses the IkaClient which reads from the Ika coordinator on Sui.
+ */
+export declare function fetchProtocolParams(curve: SupportedCurve, suiRpcUrl: string, network?: "testnet" | "mainnet"): Promise<Uint8Array>;
+/**
+ * Derive encryption keys from a random seed (replaces browser wallet signature).
+ */
+export declare function deriveEncryptionKeys(seed: Uint8Array, curve: SupportedCurve): Promise<UserShareEncryptionKeys>;
+/**
+ * Generate a random 32-byte seed for encryption key derivation.
+ */
+export declare function generateSeed(): Uint8Array;
+export interface DKGOutputs {
+    userPublicOutput: number[];
+    userSecretKeyShare: number[];
+    userDKGMessage: number[];
+    encryptedUserShareAndProof: number[];
+}
+/**
+ * Run the client-side DKG computation.
+ * This generates the user's share of the dWallet key pair.
+ */
+export declare function runDKG(params: {
+    protocolPublicParameters: Uint8Array;
+    curve: SupportedCurve;
+    encryptionKey: Uint8Array;
+    sessionIdentifier: Uint8Array;
+    adminAddress: string;
+}): Promise<DKGOutputs>;
+/**
+ * Generate a fresh random session identifier (32 bytes).
+ */
+export declare function generateSessionIdentifier(): Uint8Array;
+/**
+ * Compute the user output signature needed to activate a dWallet.
+ * Requires the dWallet object (fetched from chain) and the user's public output.
+ */
+export declare function computeUserOutputSignature(params: {
+    encryptionKeys: UserShareEncryptionKeys;
+    dWallet: any;
+    userPublicOutput: Uint8Array;
+}): Promise<Uint8Array>;
+/**
+ * Fetch the dWallet object from Ika network for activation.
+ */
+export declare function fetchDWallet(suiRpcUrl: string, network: "testnet" | "mainnet", dwalletId: string): Promise<any>;
+export interface ComputeUserSignMessageParams {
+    protocolPublicParameters: Uint8Array;
+    userPublicOutput: Uint8Array;
+    userSecretKeyShare: Uint8Array;
+    presignBytes: Uint8Array;
+    message: Uint8Array;
+    hash?: Hash;
+    signatureAlgorithm?: SignatureAlgorithm;
+    curve?: Curve;
+}
+/**
+ * Build the user-side sign message used by IKA MPC signing.
+ */
+export declare function computeUserSignMessage(params: ComputeUserSignMessageParams): Promise<Uint8Array>;
+/**
+ * Decode presign bytes from common backend/network payload formats.
+ */
+export declare function decodePresignBytes(value: unknown): Uint8Array;
+/**
+ * Decode and validate presign result objects returned by polling APIs.
+ */
+export declare function decodePresignResult(value: {
+    presignId?: string;
+    presignBytes?: unknown;
+}): {
+    presignId: string;
+    presignBytes: Uint8Array;
+};
+export { Curve, resolveCurve };

package/dist/ika-protocol.js ADDED Viewed

@@ -0,0 +1,156 @@
+/**
+ * Ika Protocol helpers -- wraps @ika.xyz/sdk internals into clean functions.
+ *
+ * All Ika-specific crypto runs on the caller's machine (agent/client).
+ * The agent's secret share never leaves this process.
+ */
+import { prepareDKG, UserShareEncryptionKeys, createRandomSessionIdentifier, createUserSignMessageWithPublicOutput, Curve, Hash, IkaClient, getNetworkConfig, SignatureAlgorithm, } from "@ika.xyz/sdk";
+import { SuiClient } from "@mysten/sui/client";
+import { randomBytes } from "node:crypto";
+function resolveCurve(curve) {
+    return curve === "ed25519" ? Curve.ED25519 : Curve.SECP256K1;
+}
+// Protocol params are large (~MB). Cache per curve to avoid refetching.
+const paramsCache = new Map();
+/**
+ * Fetch Ika protocol public parameters for a given curve.
+ * Uses the IkaClient which reads from the Ika coordinator on Sui.
+ */
+export async function fetchProtocolParams(curve, suiRpcUrl, network = "testnet") {
+    const ikaCurve = resolveCurve(curve);
+    const cached = paramsCache.get(ikaCurve);
+    if (cached)
+        return cached;
+    const suiClient = new SuiClient({ url: suiRpcUrl });
+    const ikaConfig = getNetworkConfig(network);
+    const ikaClient = new IkaClient({ suiClient, config: ikaConfig });
+    await ikaClient.initialize();
+    // First arg is dWallet (undefined for new wallets), second is curve
+    const params = await ikaClient.getProtocolPublicParameters(undefined, ikaCurve);
+    paramsCache.set(ikaCurve, params);
+    return params;
+}
+/**
+ * Derive encryption keys from a random seed (replaces browser wallet signature).
+ */
+export async function deriveEncryptionKeys(seed, curve) {
+    return UserShareEncryptionKeys.fromRootSeedKey(seed, resolveCurve(curve));
+}
+/**
+ * Generate a random 32-byte seed for encryption key derivation.
+ */
+export function generateSeed() {
+    return new Uint8Array(randomBytes(32));
+}
+/**
+ * Run the client-side DKG computation.
+ * This generates the user's share of the dWallet key pair.
+ */
+export async function runDKG(params) {
+    const ikaCurve = resolveCurve(params.curve);
+    const result = await prepareDKG(params.protocolPublicParameters, ikaCurve, params.encryptionKey, params.sessionIdentifier, params.adminAddress);
+    return {
+        userPublicOutput: Array.from(result.userPublicOutput),
+        userSecretKeyShare: Array.from(result.userSecretKeyShare),
+        userDKGMessage: Array.from(result.userDKGMessage),
+        encryptedUserShareAndProof: Array.from(result.encryptedUserShareAndProof),
+    };
+}
+/**
+ * Generate a fresh random session identifier (32 bytes).
+ */
+export function generateSessionIdentifier() {
+    return createRandomSessionIdentifier();
+}
+/**
+ * Compute the user output signature needed to activate a dWallet.
+ * Requires the dWallet object (fetched from chain) and the user's public output.
+ */
+export async function computeUserOutputSignature(params) {
+    return params.encryptionKeys.getUserOutputSignature(params.dWallet, params.userPublicOutput);
+}
+/**
+ * Fetch the dWallet object from Ika network for activation.
+ */
+export async function fetchDWallet(suiRpcUrl, network, dwalletId) {
+    const suiClient = new SuiClient({ url: suiRpcUrl });
+    const ikaConfig = getNetworkConfig(network);
+    const ikaClient = new IkaClient({ suiClient, config: ikaConfig });
+    await ikaClient.initialize();
+    return ikaClient.getDWallet(dwalletId);
+}
+/**
+ * Build the user-side sign message used by IKA MPC signing.
+ */
+export async function computeUserSignMessage(params) {
+    return createUserSignMessageWithPublicOutput(params.protocolPublicParameters, params.userPublicOutput, params.userSecretKeyShare, params.presignBytes, params.message, params.hash ?? Hash.KECCAK256, params.signatureAlgorithm ?? SignatureAlgorithm.ECDSASecp256k1, params.curve ?? Curve.SECP256K1);
+}
+/**
+ * Decode presign bytes from common backend/network payload formats.
+ */
+export function decodePresignBytes(value) {
+    const decoded = coerceBytes(value);
+    if (!decoded) {
+        throw new Error("Invalid presign bytes format");
+    }
+    return decoded;
+}
+/**
+ * Decode and validate presign result objects returned by polling APIs.
+ */
+export function decodePresignResult(value) {
+    if (!value.presignId) {
+        throw new Error("Missing presignId");
+    }
+    return {
+        presignId: value.presignId,
+        presignBytes: decodePresignBytes(value.presignBytes),
+    };
+}
+function coerceBytes(v) {
+    if (v instanceof Uint8Array)
+        return v;
+    if (Array.isArray(v) && v.every((x) => Number.isInteger(x) && x >= 0 && x <= 255)) {
+        return Uint8Array.from(v);
+    }
+    if (typeof v === "string") {
+        if (/^0x[0-9a-fA-F]*$/.test(v)) {
+            const raw = v.slice(2);
+            if (raw.length % 2 !== 0)
+                return null;
+            const out = new Uint8Array(raw.length / 2);
+            for (let i = 0; i < out.length; i++)
+                out[i] = parseInt(raw.slice(i * 2, i * 2 + 2), 16);
+            return out;
+        }
+        return base64ToBytes(v);
+    }
+    if (v && typeof v === "object") {
+        const obj = v;
+        if (typeof obj.bytes === "string")
+            return coerceBytes(obj.bytes);
+        if (typeof obj.data === "string")
+            return coerceBytes(obj.data);
+        if (typeof obj.value === "string")
+            return coerceBytes(obj.value);
+        if (Array.isArray(obj.bytes))
+            return coerceBytes(obj.bytes);
+        if (Array.isArray(obj.data))
+            return coerceBytes(obj.data);
+        if (Array.isArray(obj.value))
+            return coerceBytes(obj.value);
+    }
+    return null;
+}
+function base64ToBytes(s) {
+    try {
+        const buf = Buffer.from(s, "base64");
+        if (buf.length === 0 && s.length > 0)
+            return null;
+        return Uint8Array.from(buf);
+    }
+    catch {
+        return null;
+    }
+}
+export { Curve, resolveCurve };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+export * from "./types";
+export * from "./evmIntent";
+export * from "./evm";
+export * from "./bitcoinIntent";
+export { type SolanaCluster, LAMPORTS_PER_SOL, type ParsedInstruction, type ParsedSolanaTransaction, type SolanaIntent, PROGRAM_IDS, SystemInstructionType, base58Decode, base58Encode, validateSolanaAddress, computeSolanaIntentHash, isKnownSafeProgram, isTokenProgram, getProgramName, lamportsToSOL, solToLamports, extractSystemTransfers, } from "./solanaIntent";
+export * from "./suiReceipts";
+export * from "./suiResult";
+export * from "./suiTxBuilders";
+export * from "./auditBundle";
+export * from "./suiCustody";
+export { KairoClient, type KairoClientOpts, type CreateWalletOpts, type WalletInfo, type ProposePolicyUpdateParams, type PolicyUpdateProposalResult, type ApprovePolicyUpdateParams, type ExecutePolicyUpdateParams, type PolicyUpdateStatus, } from "./client";
+export { KeyStore, type WalletRecord } from "./keystore";
+export { BackendClient, DEFAULT_BACKEND_URL, type BackendClientOpts } from "./backend";

package/dist/index.js ADDED Viewed

@@ -0,0 +1,13 @@
+export * from "./types";
+export * from "./evmIntent";
+export * from "./evm";
+export * from "./bitcoinIntent";
+export { LAMPORTS_PER_SOL, PROGRAM_IDS, SystemInstructionType, base58Decode, base58Encode, validateSolanaAddress, computeSolanaIntentHash, isKnownSafeProgram, isTokenProgram, getProgramName, lamportsToSOL, solToLamports, extractSystemTransfers, } from "./solanaIntent";
+export * from "./suiReceipts";
+export * from "./suiResult";
+export * from "./suiTxBuilders";
+export * from "./auditBundle";
+export * from "./suiCustody";
+export { KairoClient, } from "./client";
+export { KeyStore } from "./keystore";
+export { BackendClient, DEFAULT_BACKEND_URL } from "./backend";

package/dist/keystore.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Local file-based key store for agent secret shares.
+ *
+ * Stores one JSON file per wallet in `storePath`.
+ * The agent's secret key share NEVER leaves this directory.
+ */
+export interface WalletRecord {
+    walletId: string;
+    dWalletCapId?: string;
+    address: string;
+    curve: string;
+    seed: number[];
+    userSecretKeyShare: number[];
+    userPublicOutput: number[];
+    encryptedUserSecretKeyShareId: string;
+    bindingObjectId?: string;
+    policyObjectId?: string;
+    createdAt: number;
+}
+export declare class KeyStore {
+    private dir;
+    constructor(storePath?: string);
+    private filePath;
+    save(record: WalletRecord): void;
+    load(walletId: string): WalletRecord | null;
+    list(): WalletRecord[];
+    delete(walletId: string): boolean;
+    has(walletId: string): boolean;
+}

package/dist/keystore.js ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Local file-based key store for agent secret shares.
+ *
+ * Stores one JSON file per wallet in `storePath`.
+ * The agent's secret key share NEVER leaves this directory.
+ */
+import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync, unlinkSync } from "node:fs";
+import { join, resolve } from "node:path";
+import { homedir } from "node:os";
+function defaultStorePath() {
+    return join(homedir(), ".kairo", "keys");
+}
+function sanitizeId(walletId) {
+    return walletId.replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+export class KeyStore {
+    dir;
+    constructor(storePath) {
+        this.dir = resolve(storePath ?? defaultStorePath());
+        if (!existsSync(this.dir)) {
+            mkdirSync(this.dir, { recursive: true });
+        }
+    }
+    filePath(walletId) {
+        return join(this.dir, `${sanitizeId(walletId)}.json`);
+    }
+    save(record) {
+        writeFileSync(this.filePath(record.walletId), JSON.stringify(record, null, 2), "utf-8");
+    }
+    load(walletId) {
+        const fp = this.filePath(walletId);
+        if (!existsSync(fp))
+            return null;
+        return JSON.parse(readFileSync(fp, "utf-8"));
+    }
+    list() {
+        const files = readdirSync(this.dir).filter((f) => f.endsWith(".json"));
+        return files.map((f) => {
+            const raw = readFileSync(join(this.dir, f), "utf-8");
+            return JSON.parse(raw);
+        });
+    }
+    delete(walletId) {
+        const fp = this.filePath(walletId);
+        if (!existsSync(fp))
+            return false;
+        unlinkSync(fp);
+        return true;
+    }
+    has(walletId) {
+        return existsSync(this.filePath(walletId));
+    }
+}

package/dist/skill-templates.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Embedded skill file templates shipped with the SDK.
+ * Generated by `kairo init` into .cursor/skills/kairo/.
+ * All backend URLs are intentionally omitted -- the SDK and CLI
+ * resolve the endpoint internally.
+ */
+export declare const SKILL_MD = "---\nname: kairo\ndescription: Manage Kairo policy-enforced agent wallets. Use when creating wallets, setting transaction policies, checking vault status, minting policy receipts, or signing transactions through the Kairo SDK/CLI. Supports full wallet lifecycle: register API key -> create wallet (DKG) -> create policy -> bind -> vault provision -> mint receipt -> sign. Uses @kairo/sdk for non-custodial wallet creation (agent keeps secret share locally).\n---\n\n# Kairo \u2014 Agent Wallet Management\n\n## Quick Reference\n\nCLI: `npx kairo <command>`\nSDK reference: `.cursor/skills/kairo/references/sdk.md`\nAPI reference: `.cursor/skills/kairo/references/api.md`\n\n## Setup\n\nRun the one-line installer (already done if you see this file):\n```bash\nnpx @kairo/sdk init <YOUR_API_KEY>\n```\n\nThe API key is stored in `~/.kairo/config.json`. All CLI commands read it automatically.\n\n## Common Workflows\n\n### Check API Health\n```bash\nnpx kairo health\n```\n\n### Create a Policy\n```bash\nnpx kairo policy-create --stable-id \"my-policy\" --allow \"0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18\"\n```\nThen register the version:\n```bash\nnpx kairo policy-register --policy-id \"0x...\"\n```\n\n### Create Wallet (via SDK)\nFor wallet creation, use the Node.js SDK (handles DKG client-side):\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\nconst kairo = new KairoClient({ apiKey: process.env.KAIRO_API_KEY! });\nconst wallet = await kairo.createWallet({ curve: \"secp256k1\" });\n```\nSee `.cursor/skills/kairo/references/sdk.md` for full SDK docs.\n\n### Provision Wallet into Vault\nRequires: policy version registered first.\n```bash\nnpx kairo vault-provision --wallet-id \"0x...\" --policy-id \"0x...\" --stable-id \"my-policy\"\n```\n\n### Mint Policy Receipt\n```bash\nnpx kairo receipt-mint --policy-id \"0x...\" --binding-id \"0x...\" --destination \"0x742d35Cc...\" --intent-hash \"0xabab...\"\n```\n\n### Check Vault Status\n```bash\nnpx kairo vault-status --wallet-id \"0x...\"\n```\n\n### View Audit Events\n```bash\nnpx kairo audit --limit 20\n```\n\n## Full Agent Flow (End to End)\n\n1. `npx @kairo/sdk init <key>` \u2014 store API key, install skill\n2. `npx kairo policy-create` \u2014 create transaction policy with allowed addresses\n3. `npx kairo policy-register` \u2014 register version in on-chain registry\n4. Create wallet via SDK `createWallet()` \u2014 runs DKG locally, secret share stays on agent\n5. `npx kairo vault-provision` \u2014 bind policy + register wallet in vault (atomic)\n6. `npx kairo receipt-mint` \u2014 request policy check for a transaction\n7. Sign via SDK \u2014 both shares combine, only if policy allows\n\n## Trust Model\n\n- Agent's key share stays local (`~/.kairo/keys/`)\n- Server's key share stays on Kairo backend\n- Neither party can sign alone\n- Policy engine gates every transaction before server releases its share\n- All policy decisions are on-chain (Sui) and verifiable\n\n## Troubleshooting\n\n- **401 Unauthorized**: API key missing/invalid or not registered in backend key store. Re-run `npx @kairo/sdk init <key>` with a valid key.\n- **403 Forbidden: key does not own wallet**: Wallet wasn't created/provisioned with this API key (ownership mismatch).\n- **429 Rate limit**: Public Sui RPC throttled \u2014 use Shinami or own RPC provider.\n- **MoveAbort code 102**: Policy version not registered \u2014 call `npx kairo policy-register` before `vault-provision`.\n- **`nonce too low` / `already known`**: Rapid reruns or duplicate raw tx; wait for pending tx, then re-sign and rebroadcast.\n- **AwaitingKeyHolderSignature**: Wallet needs activation after DKG \u2014 SDK activation flow required.\n";
+export declare const API_REFERENCE_MD = "# Kairo API Reference\n\n## Authentication\nAll write endpoints require `X-Kairo-Api-Key` header.\nThe CLI reads the key from `~/.kairo/config.json` automatically.\nOpen endpoints: `/health`, `/api/vault/info`, `/api/vault/status/:id`, `/api/audit/events`\n\n## Key Registration\n```bash\nnpx kairo register --label \"my-agent\"\n```\n\n## Wallet Creation (via SDK)\nThe SDK handles DKG client-side. Agent keeps their secret share locally.\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\nconst kairo = new KairoClient({ apiKey: process.env.KAIRO_API_KEY! });\nconst wallet = await kairo.createWallet({ curve: \"secp256k1\" });\n// wallet.walletId, wallet.address\n```\n\n## Policy Management\n\n### Create Policy\n```bash\nnpx kairo policy-create --stable-id \"my-policy\" --version \"1.0.0\" --allow \"0x<address>\"\n```\n\nRule types:\n- `1` = MaxNativeValue (max single transaction value)\n- `10` = PeriodLimit (cumulative spend limit per time window)\n\n### Register Policy Version\n```bash\nnpx kairo policy-register --policy-id \"0x...\"\n```\n\n### Get Policy Details\n```bash\nnpx kairo policy-details --policy-id \"0x...\"\n```\n\n## Vault\n\n### Provision (atomic binding + vault registration)\n```bash\nnpx kairo vault-provision --wallet-id \"0x...\" --policy-id \"0x...\" --stable-id \"my-policy\"\n```\nNote: Register policy version BEFORE calling provision.\n\n### Check Status\n```bash\nnpx kairo vault-status --wallet-id \"0x...\"\n```\n\n## Receipt Minting\n```bash\nnpx kairo receipt-mint --policy-id \"0x...\" --binding-id \"0x...\" --destination \"0x...\" --intent-hash \"0x...\"\n```\nNamespace: 1=EVM, 2=Bitcoin, 3=Solana\n\n## Utility\n```bash\nnpx kairo health          # Server health\nnpx kairo audit --limit 20  # Recent audit events\n```\n";
+export declare const SDK_REFERENCE_MD = "# Kairo SDK Reference\n\n## Installation\n```bash\nnpm install @kairo/sdk\n```\n\nRequires: `@ika.xyz/sdk`, `@mysten/sui`\n\n## KairoClient\n\n```typescript\nimport { KairoClient } from \"@kairo/sdk\";\n\nconst kairo = new KairoClient({\n  apiKey: process.env.KAIRO_API_KEY!,\n  storePath: \"~/.kairo/keys\",        // local secret share storage (default)\n  network: \"testnet\",                 // or \"mainnet\"\n  suiRpcUrl: \"https://...\",           // optional, defaults to public testnet\n});\n```\n\n### createWallet(opts?)\nCreates a dWallet via client-side DKG. Secret share stays local.\n\n```typescript\nconst wallet = await kairo.createWallet({\n  curve: \"secp256k1\",           // or \"ed25519\" for Solana\n  policyObjectId: \"0x...\",      // optional: auto-provision into vault\n  stableId: \"my-policy\",        // optional: binding label\n});\n// Returns: { walletId, address, curve, bindingObjectId?, createdAt }\n```\n\n**Important:** If providing `policyObjectId`, register the policy version first.\n\n### listWallets()\nLists all wallets in local key store.\n```typescript\nconst wallets = kairo.listWallets();\n```\n\n### getWallet(walletId)\nGets a specific wallet from local store.\n```typescript\nconst w = kairo.getWallet(\"0x...\");\n```\n\n## BackendClient (HTTP wrapper)\nLower-level HTTP client for direct API calls.\n\n```typescript\nimport { BackendClient } from \"@kairo/sdk\";\n\nconst client = new BackendClient({ apiKey: \"your-key\" });\n\nawait client.register(\"my-agent\");\nawait client.getHealth();\nawait client.submitDKG({...});\nawait client.getDKGStatus(requestId);\nawait client.provision({...});\nawait client.mintReceipt({...});\n```\n\n## KeyStore (local storage)\nFile-based secret share storage at `~/.kairo/keys/`.\n\n```typescript\nimport { KeyStore } from \"@kairo/sdk\";\n\nconst store = new KeyStore(\"~/.kairo/keys\");\nstore.save(record);\nstore.load(\"0x...\");\nstore.list();\nstore.delete(\"0x...\");\n```\n\n## Trust Model\n- Agent's secret share -> stored locally (KeyStore), never sent to server\n- Server's share -> held by Kairo backend\n- Full signing -> requires BOTH shares + policy approval\n- Kairo alone cannot sign (missing agent share)\n- Agent alone cannot sign (missing server share)\n";