@kairoguard/sdk 0.0.13 → 0.0.16

package/dist/backend.d.ts

@@ -56,6 +56,16 @@ export interface ProvisionResponse {
     dwalletObjectId: string;
     walletState: string;
 }
+export interface MintReceiptResponse {
+    success: boolean;
+    receiptId?: string;
+    receiptObjectId?: string;
+    allowed?: boolean;
+    denialReason?: number;
+    denialReasonName?: string;
+    digest?: string;
+    error?: string;
+}
 export interface RegisterKeyRequest {
     label: string;
     email?: string;
@@ -307,7 +317,7 @@ export declare class BackendClient {
     submitDKG(data: DKGSubmitRequest): Promise<DKGSubmitResponse>;
     getDKGStatus(requestId: string): Promise<DKGStatusResponse>;
     provision(params: ProvisionRequest): Promise<ProvisionResponse>;
-    mintReceipt(params: Record<string, unknown>): Promise<Record<string, unknown>>;
+    mintReceipt(params: Record<string, unknown>): Promise<MintReceiptResponse>;
     requestPresign(params: PresignRequestParams): Promise<PresignRequestResponse>;
     getPresignStatus(requestId: string): Promise<PresignStatusResponse>;
     requestSign(params: SignRequestParams): Promise<SignRequestResponse>;

package/dist/client.d.ts

@@ -50,6 +50,11 @@ export interface SignResult {
     presignId: string;
     signatureHex: Hex;
 }
+export declare class PolicyDeniedError extends Error {
+    readonly denialReason: number;
+    readonly denialReasonName: string;
+    constructor(denialReason: number, denialReasonName?: string);
+}
 export interface SignEvmParams {
     walletId: string;
     to: Hex;

package/dist/client.js

@@ -9,11 +9,23 @@
  *   // { walletId: "0xabc...", address: "0x742d...", curve: "secp256k1" }
  */
 import { BackendClient, } from "./backend.js";
+import { getDenialReasonName } from "./denialReasons.js";
 import { KeyStore } from "./keystore.js";
 import { Curve, fetchProtocolParams, deriveEncryptionKeys, generateSeed, generateSessionIdentifier, runDKG, computeUserOutputSignature, fetchDWallet, waitForDWalletState, } from "./ika-protocol.js";
 import { Hash, SignatureAlgorithm, createUserSignMessageWithPublicOutput } from "@ika.xyz/sdk";
 import { computeEvmIntentFromUnsignedTxBytes } from "./evmIntent.js";
 import { keccak256, recoverTransactionAddress, serializeTransaction, } from "viem";
+export class PolicyDeniedError extends Error {
+    denialReason;
+    denialReasonName;
+    constructor(denialReason, denialReasonName) {
+        const resolvedName = denialReasonName?.trim() || getDenialReasonName(denialReason);
+        super(`Policy denied: ${resolvedName}`);
+        this.name = "PolicyDeniedError";
+        this.denialReason = denialReason;
+        this.denialReasonName = resolvedName;
+    }
+}
 const FALLBACK_SUI_RPC = "https://fullnode.testnet.sui.io:443";
 async function testRpcEndpoint(url) {
     try {
@@ -752,7 +764,7 @@ export class KairoClient {
         if (!wallet.policyObjectId || !wallet.bindingObjectId) {
             throw new Error("Wallet is missing policy binding metadata. Provision the wallet via dashboard or SDK before signing.");
         }
-        const mintOnce = () => this.backend.mintReceipt({
+        const mintOnce = async () => this.backend.mintReceipt({
             policyObjectId: wallet.policyObjectId ?? undefined,
             bindingObjectId: wallet.bindingObjectId,
             namespace: ctx.namespace,
@@ -773,7 +785,8 @@ export class KairoClient {
             throw new Error(String(response.error ?? "Failed to mint policy receipt"));
         }
         if (response.allowed === false) {
-            throw new Error("Policy denied this signing intent");
+            const denialReason = Number(response.denialReason ?? 0);
+            throw new PolicyDeniedError(denialReason, response.denialReasonName);
         }
         const receiptId = String(response.receiptId ?? response.receiptObjectId ?? "");
         if (!receiptId.startsWith("0x")) {

package/dist/denialReasons.d.ts

@@ -0,0 +1,5 @@
+export declare const DENIAL_REASONS: Record<number, {
+    code: string;
+    message: string;
+}>;
+export declare function getDenialReasonName(code: number | undefined): string;

package/dist/denialReasons.js

@@ -0,0 +1,28 @@
+export const DENIAL_REASONS = {
+    0: { code: "NONE", message: "No denial (allowed)" },
+    1: { code: "EXPIRED", message: "Policy has expired" },
+    2: { code: "DENYLIST", message: "Destination address is on the denylist" },
+    3: { code: "NOT_IN_ALLOWLIST", message: "Destination address is not in the allowlist" },
+    4: { code: "BAD_FORMAT", message: "Invalid intent format" },
+    10: { code: "CHAIN_NOT_ALLOWED", message: "This chain/network is not allowed by policy" },
+    11: { code: "BAD_SELECTOR_FORMAT", message: "Invalid EVM function selector format" },
+    12: { code: "SELECTOR_DENYLIST", message: "This contract function is on the denylist" },
+    13: { code: "SELECTOR_NOT_ALLOWED", message: "This contract function is not in the allowlist" },
+    14: { code: "BAD_AMOUNT_FORMAT", message: "Invalid ERC20 amount format" },
+    15: { code: "ERC20_AMOUNT_EXCEEDS_MAX", message: "ERC20 transfer amount exceeds policy limit" },
+    16: { code: "NO_POLICY_VERSION", message: "No active policy version found" },
+    20: { code: "NAMESPACE_NOT_ALLOWED", message: "This blockchain type (EVM/Bitcoin/Solana) is not allowed" },
+    21: { code: "BTC_SCRIPT_TYPE_NOT_ALLOWED", message: "Bitcoin address type not allowed by policy" },
+    22: { code: "BTC_FEE_RATE_EXCEEDED", message: "Bitcoin fee rate exceeds policy limit" },
+    23: { code: "SOL_PROGRAM_DENYLISTED", message: "Solana program is on the denylist" },
+    24: { code: "SOL_PROGRAM_NOT_ALLOWED", message: "Solana program is not in the allowlist" },
+    30: { code: "NATIVE_VALUE_EXCEEDED", message: "Native value exceeds policy limit" },
+    31: { code: "TIME_WINDOW_BLOCKED", message: "Transaction blocked by time window rule" },
+    32: { code: "PERIOD_LIMIT_EXCEEDED", message: "Period spending limit exceeded" },
+    33: { code: "RATE_LIMIT_EXCEEDED", message: "Rate limit exceeded" },
+};
+export function getDenialReasonName(code) {
+    if (code === undefined || code === null)
+        return "Unknown denial reason";
+    return DENIAL_REASONS[code]?.message ?? `Unknown denial reason (${code})`;
+}

package/dist/index.d.ts

@@ -8,6 +8,7 @@ export * from "./suiResult.js";
 export * from "./suiTxBuilders.js";
 export * from "./auditBundle.js";
 export * from "./suiCustody.js";
-export { KairoClient, type KairoClientOpts, type CreateWalletOpts, type WalletInfo, type ProposePolicyUpdateParams, type PolicyUpdateProposalResult, type ApprovePolicyUpdateParams, type ExecutePolicyUpdateParams, type PolicyUpdateStatus, } from "./client.js";
+export * from "./denialReasons.js";
+export { KairoClient, PolicyDeniedError, type KairoClientOpts, type CreateWalletOpts, type WalletInfo, type ProposePolicyUpdateParams, type PolicyUpdateProposalResult, type ApprovePolicyUpdateParams, type ExecutePolicyUpdateParams, type PolicyUpdateStatus, } from "./client.js";
 export { KeyStore, type WalletRecord } from "./keystore.js";
 export { BackendClient, DEFAULT_BACKEND_URL, type BackendClientOpts } from "./backend.js";

package/dist/index.js

@@ -8,6 +8,7 @@ export * from "./suiResult.js";
 export * from "./suiTxBuilders.js";
 export * from "./auditBundle.js";
 export * from "./suiCustody.js";
-export { KairoClient, } from "./client.js";
+export * from "./denialReasons.js";
+export { KairoClient, PolicyDeniedError, } from "./client.js";
 export { KeyStore } from "./keystore.js";
 export { BackendClient, DEFAULT_BACKEND_URL } from "./backend.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kairoguard/sdk",
-  "version": "0.0.13",
+  "version": "0.0.16",
   "description": "Kairo SDK for multi-chain policy-based transaction signing with dWallet support (EVM, Bitcoin, Solana, Sui)",
   "license": "MIT",
   "author": "Kairo <mehraab@thewidercollective.com>",