@metamask-previews/gator-permissions-controller 0.1.0-preview-0c2c1149 → 0.1.0-preview-463efec

package/dist/decodePermission/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","sourceRoot":"","sources":["../../src/decodePermission/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,GAC7B,+BAA2B;AAE5B,YAAY,EAAE,iBAAiB,EAAE,oBAAgB"}

package/dist/decodePermission/index.mjs

@@ -0,0 +1,2 @@
+export { identifyPermissionByEnforcers, getPermissionDataAndExpiry, reconstructDecodedPermission } from "./decodePermission.mjs";
+//# sourceMappingURL=index.mjs.map

package/dist/decodePermission/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","sourceRoot":"","sources":["../../src/decodePermission/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC7B,+BAA2B","sourcesContent":["export {\n  identifyPermissionByEnforcers,\n  getPermissionDataAndExpiry,\n  reconstructDecodedPermission,\n} from './decodePermission';\n\nexport type { DecodedPermission } from './types';\n"]}

package/dist/decodePermission/types.cjs

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.cjs.map

package/dist/decodePermission/types.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.cjs","sourceRoot":"","sources":["../../src/decodePermission/types.ts"],"names":[],"mappings":"","sourcesContent":["import type {\n  PermissionRequest,\n  PermissionTypes,\n  Signer,\n} from '@metamask/7715-permission-types';\nimport type { DELEGATOR_CONTRACTS } from '@metamask/delegation-deployments';\n\nexport type DeployedContractsByName =\n  (typeof DELEGATOR_CONTRACTS)[number][number];\n\n// This is a somewhat convoluted type - it includes all of the fields that are decoded from the permission context.\n/**\n * A partially reconstructed permission object decoded from a permission context.\n *\n * This mirrors the shape of {@link PermissionRequest} for fields that can be\n * deterministically recovered from the encoded permission context, and it\n * augments the result with an explicit `expiry` property derived from the\n * `TimestampEnforcer` terms, as well as the `origin` property.\n */\nexport type DecodedPermission = Pick<\n  PermissionRequest<Signer, PermissionTypes>,\n  'chainId' | 'address' | 'signer'\n> & {\n  permission: Omit<\n    PermissionRequest<Signer, PermissionTypes>['permission'],\n    'isAdjustmentAllowed'\n  > & {\n    // PermissionRequest type does not work well without the specific permission type, so we amend it here\n    justification?: string;\n  };\n  expiry: number | null;\n  origin: string;\n};\n\n/**\n * Supported permission type identifiers that can be decoded from a permission context.\n */\nexport type PermissionType = DecodedPermission['permission']['type'];\n"]}

package/dist/decodePermission/types.d.cts

@@ -0,0 +1,23 @@
+import type { PermissionRequest, PermissionTypes, Signer } from "@metamask/7715-permission-types";
+import type { DELEGATOR_CONTRACTS } from "@metamask/delegation-deployments";
+export type DeployedContractsByName = (typeof DELEGATOR_CONTRACTS)[number][number];
+/**
+ * A partially reconstructed permission object decoded from a permission context.
+ *
+ * This mirrors the shape of {@link PermissionRequest} for fields that can be
+ * deterministically recovered from the encoded permission context, and it
+ * augments the result with an explicit `expiry` property derived from the
+ * `TimestampEnforcer` terms, as well as the `origin` property.
+ */
+export type DecodedPermission = Pick<PermissionRequest<Signer, PermissionTypes>, 'chainId' | 'address' | 'signer'> & {
+    permission: Omit<PermissionRequest<Signer, PermissionTypes>['permission'], 'isAdjustmentAllowed'> & {
+        justification?: string;
+    };
+    expiry: number | null;
+    origin: string;
+};
+/**
+ * Supported permission type identifiers that can be decoded from a permission context.
+ */
+export type PermissionType = DecodedPermission['permission']['type'];
+//# sourceMappingURL=types.d.cts.map

package/dist/decodePermission/types.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.cts","sourceRoot":"","sources":["../../src/decodePermission/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,iBAAiB,EACjB,eAAe,EACf,MAAM,EACP,wCAAwC;AACzC,OAAO,KAAK,EAAE,mBAAmB,EAAE,yCAAyC;AAE5E,MAAM,MAAM,uBAAuB,GACjC,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC;AAG/C;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,IAAI,CAClC,iBAAiB,CAAC,MAAM,EAAE,eAAe,CAAC,EAC1C,SAAS,GAAG,SAAS,GAAG,QAAQ,CACjC,GAAG;IACF,UAAU,EAAE,IAAI,CACd,iBAAiB,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,YAAY,CAAC,EACxD,qBAAqB,CACtB,GAAG;QAEF,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC"}

package/dist/decodePermission/types.d.mts

@@ -0,0 +1,23 @@
+import type { PermissionRequest, PermissionTypes, Signer } from "@metamask/7715-permission-types";
+import type { DELEGATOR_CONTRACTS } from "@metamask/delegation-deployments";
+export type DeployedContractsByName = (typeof DELEGATOR_CONTRACTS)[number][number];
+/**
+ * A partially reconstructed permission object decoded from a permission context.
+ *
+ * This mirrors the shape of {@link PermissionRequest} for fields that can be
+ * deterministically recovered from the encoded permission context, and it
+ * augments the result with an explicit `expiry` property derived from the
+ * `TimestampEnforcer` terms, as well as the `origin` property.
+ */
+export type DecodedPermission = Pick<PermissionRequest<Signer, PermissionTypes>, 'chainId' | 'address' | 'signer'> & {
+    permission: Omit<PermissionRequest<Signer, PermissionTypes>['permission'], 'isAdjustmentAllowed'> & {
+        justification?: string;
+    };
+    expiry: number | null;
+    origin: string;
+};
+/**
+ * Supported permission type identifiers that can be decoded from a permission context.
+ */
+export type PermissionType = DecodedPermission['permission']['type'];
+//# sourceMappingURL=types.d.mts.map

package/dist/decodePermission/types.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.mts","sourceRoot":"","sources":["../../src/decodePermission/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,iBAAiB,EACjB,eAAe,EACf,MAAM,EACP,wCAAwC;AACzC,OAAO,KAAK,EAAE,mBAAmB,EAAE,yCAAyC;AAE5E,MAAM,MAAM,uBAAuB,GACjC,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC;AAG/C;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,IAAI,CAClC,iBAAiB,CAAC,MAAM,EAAE,eAAe,CAAC,EAC1C,SAAS,GAAG,SAAS,GAAG,QAAQ,CACjC,GAAG;IACF,UAAU,EAAE,IAAI,CACd,iBAAiB,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,YAAY,CAAC,EACxD,qBAAqB,CACtB,GAAG;QAEF,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;IACF,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC"}

package/dist/decodePermission/types.mjs

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.mjs.map

package/dist/decodePermission/types.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.mjs","sourceRoot":"","sources":["../../src/decodePermission/types.ts"],"names":[],"mappings":"","sourcesContent":["import type {\n  PermissionRequest,\n  PermissionTypes,\n  Signer,\n} from '@metamask/7715-permission-types';\nimport type { DELEGATOR_CONTRACTS } from '@metamask/delegation-deployments';\n\nexport type DeployedContractsByName =\n  (typeof DELEGATOR_CONTRACTS)[number][number];\n\n// This is a somewhat convoluted type - it includes all of the fields that are decoded from the permission context.\n/**\n * A partially reconstructed permission object decoded from a permission context.\n *\n * This mirrors the shape of {@link PermissionRequest} for fields that can be\n * deterministically recovered from the encoded permission context, and it\n * augments the result with an explicit `expiry` property derived from the\n * `TimestampEnforcer` terms, as well as the `origin` property.\n */\nexport type DecodedPermission = Pick<\n  PermissionRequest<Signer, PermissionTypes>,\n  'chainId' | 'address' | 'signer'\n> & {\n  permission: Omit<\n    PermissionRequest<Signer, PermissionTypes>['permission'],\n    'isAdjustmentAllowed'\n  > & {\n    // PermissionRequest type does not work well without the specific permission type, so we amend it here\n    justification?: string;\n  };\n  expiry: number | null;\n  origin: string;\n};\n\n/**\n * Supported permission type identifiers that can be decoded from a permission context.\n */\nexport type PermissionType = DecodedPermission['permission']['type'];\n"]}

package/dist/decodePermission/utils.cjs

@@ -0,0 +1,181 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.splitHex = exports.getTermsByEnforcer = exports.isSubset = exports.createPermissionRulesForChainId = exports.getChecksumEnforcersByChainId = void 0;
+const utils_1 = require("@metamask/utils");
+/**
+ * The names of the enforcer contracts for each permission type.
+ */
+const ENFORCER_CONTRACT_NAMES = {
+    ERC20PeriodTransferEnforcer: 'ERC20PeriodTransferEnforcer',
+    ERC20StreamingEnforcer: 'ERC20StreamingEnforcer',
+    ExactCalldataEnforcer: 'ExactCalldataEnforcer',
+    NativeTokenPeriodTransferEnforcer: 'NativeTokenPeriodTransferEnforcer',
+    NativeTokenStreamingEnforcer: 'NativeTokenStreamingEnforcer',
+    TimestampEnforcer: 'TimestampEnforcer',
+    ValueLteEnforcer: 'ValueLteEnforcer',
+    NonceEnforcer: 'NonceEnforcer',
+};
+/**
+ * Resolves and returns checksummed addresses of all known enforcer contracts
+ * for a given `chainId` under the current delegation framework version.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns An object mapping enforcer names to checksummed contract addresses.
+ * @throws If the chain or an expected enforcer contract is not found.
+ */
+const getChecksumEnforcersByChainId = (contracts) => {
+    const getChecksumContractAddress = (contractName) => {
+        const address = contracts[contractName];
+        if (!address) {
+            throw new Error(`Contract not found: ${contractName}`);
+        }
+        return (0, utils_1.getChecksumAddress)(address);
+    };
+    // permission type specific enforcers
+    const erc20StreamingEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ERC20StreamingEnforcer);
+    const erc20PeriodicEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ERC20PeriodTransferEnforcer);
+    const nativeTokenStreamingEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.NativeTokenStreamingEnforcer);
+    const nativeTokenPeriodicEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.NativeTokenPeriodTransferEnforcer);
+    // general enforcers
+    const exactCalldataEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ExactCalldataEnforcer);
+    const valueLteEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ValueLteEnforcer);
+    const timestampEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.TimestampEnforcer);
+    const nonceEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.NonceEnforcer);
+    return {
+        erc20StreamingEnforcer,
+        erc20PeriodicEnforcer,
+        nativeTokenStreamingEnforcer,
+        nativeTokenPeriodicEnforcer,
+        exactCalldataEnforcer,
+        valueLteEnforcer,
+        timestampEnforcer,
+        nonceEnforcer,
+    };
+};
+exports.getChecksumEnforcersByChainId = getChecksumEnforcersByChainId;
+/**
+ * Builds the canonical set of permission matching rules for a chain.
+ *
+ * Each rule specifies the `permissionType`, the set of `requiredEnforcers`
+ * that must be present, and the set of `allowedEnforcers` that may appear in
+ * addition to the required set.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns A list of permission rules used to identify permission types.
+ * @throws Propagates any errors from resolving enforcer addresses.
+ */
+const createPermissionRulesForChainId = (contracts) => {
+    const { erc20StreamingEnforcer, erc20PeriodicEnforcer, nativeTokenStreamingEnforcer, nativeTokenPeriodicEnforcer, exactCalldataEnforcer, valueLteEnforcer, timestampEnforcer, nonceEnforcer, } = (0, exports.getChecksumEnforcersByChainId)(contracts);
+    // the allowed enforcers are the same for all permission types
+    const allowedEnforcers = new Set([timestampEnforcer]);
+    const permissionRules = [
+        {
+            requiredEnforcers: new Set([
+                nativeTokenStreamingEnforcer,
+                exactCalldataEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'native-token-stream',
+        },
+        {
+            requiredEnforcers: new Set([
+                nativeTokenPeriodicEnforcer,
+                exactCalldataEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'native-token-periodic',
+        },
+        {
+            requiredEnforcers: new Set([
+                erc20StreamingEnforcer,
+                valueLteEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'erc20-token-stream',
+        },
+        {
+            requiredEnforcers: new Set([
+                erc20PeriodicEnforcer,
+                valueLteEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'erc20-token-periodic',
+        },
+    ];
+    return permissionRules;
+};
+exports.createPermissionRulesForChainId = createPermissionRulesForChainId;
+/**
+ * Determines whether all elements of `subset` are contained within `superset`.
+ *
+ * @param subset - The candidate subset to test.
+ * @param superset - The set expected to contain all elements of `subset`.
+ * @returns `true` if `subset` ⊆ `superset`, otherwise `false`.
+ */
+const isSubset = (subset, superset) => {
+    for (const x of subset) {
+        if (!superset.has(x)) {
+            return false;
+        }
+    }
+    return true;
+};
+exports.isSubset = isSubset;
+/**
+ * Gets the terms for a given enforcer from a list of caveats.
+ *
+ * @param args - The arguments to this function.
+ * @param  args.throwIfNotFound - Whether to throw an error if no matching enforcer is found. Default is true.
+ * @param args.caveats - The list of caveats to search.
+ * @param args.enforcer - The enforcer to search for.
+ * @returns The terms for the given enforcer.
+ */
+function getTermsByEnforcer({ caveats, enforcer, throwIfNotFound, }) {
+    const matchingCaveats = caveats.filter((caveat) => caveat.enforcer === enforcer);
+    if (matchingCaveats.length === 0) {
+        if (throwIfNotFound ?? true) {
+            throw new Error('Invalid caveats');
+        }
+        return null;
+    }
+    if (matchingCaveats.length > 1) {
+        throw new Error('Invalid caveats');
+    }
+    return matchingCaveats[0].terms;
+}
+exports.getTermsByEnforcer = getTermsByEnforcer;
+/**
+ * Splits a 0x-prefixed hex string into parts according to the provided byte lengths.
+ *
+ * Each entry in `lengths` represents a part length in bytes; internally this is
+ * multiplied by 2 to derive the number of hexadecimal characters to slice. The
+ * returned substrings do not include the `0x` prefix and preserve leading zeros.
+ *
+ * Note: This function does not perform input validation (e.g., verifying the
+ * payload length equals the sum of requested lengths). Callers are expected to
+ * provide well-formed inputs.
+ *
+ * Example:
+ * splitHex('0x12345678', [1, 3]) => ['0x12', '0x345678']
+ *
+ * @param value - The 0x-prefixed hex string to split.
+ * @param lengths - The lengths of each part, in bytes.
+ * @returns An array of hex substrings (each with `0x` prefix), one for each part.
+ */
+function splitHex(value, lengths) {
+    let start = 2;
+    const parts = [];
+    for (const partLength of lengths) {
+        const partCharLength = partLength * 2;
+        const part = value.slice(start, start + partCharLength);
+        start += partCharLength;
+        parts.push(`0x${part}`);
+    }
+    return parts;
+}
+exports.splitHex = splitHex;
+//# sourceMappingURL=utils.cjs.map

package/dist/decodePermission/utils.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.cjs","sourceRoot":"","sources":["../../src/decodePermission/utils.ts"],"names":[],"mappings":";;;AACA,2CAA+D;AAa/D;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,2BAA2B,EAAE,6BAA6B;IAC1D,sBAAsB,EAAE,wBAAwB;IAChD,qBAAqB,EAAE,uBAAuB;IAC9C,iCAAiC,EAAE,mCAAmC;IACtE,4BAA4B,EAAE,8BAA8B;IAC5D,iBAAiB,EAAE,mBAAmB;IACtC,gBAAgB,EAAE,kBAAkB;IACpC,aAAa,EAAE,eAAe;CAC/B,CAAC;AAEF;;;;;;;GAOG;AACI,MAAM,6BAA6B,GAAG,CAC3C,SAAkC,EAClC,EAAE;IACF,MAAM,0BAA0B,GAAG,CAAC,YAAoB,EAAE,EAAE;QAC1D,MAAM,OAAO,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;QAExC,IAAI,CAAC,OAAO,EAAE;YACZ,MAAM,IAAI,KAAK,CAAC,uBAAuB,YAAY,EAAE,CAAC,CAAC;SACxD;QAED,OAAO,IAAA,0BAAkB,EAAC,OAAO,CAAC,CAAC;IACrC,CAAC,CAAC;IAEF,qCAAqC;IACrC,MAAM,sBAAsB,GAAG,0BAA0B,CACvD,uBAAuB,CAAC,sBAAsB,CAC/C,CAAC;IACF,MAAM,qBAAqB,GAAG,0BAA0B,CACtD,uBAAuB,CAAC,2BAA2B,CACpD,CAAC;IACF,MAAM,4BAA4B,GAAG,0BAA0B,CAC7D,uBAAuB,CAAC,4BAA4B,CACrD,CAAC;IACF,MAAM,2BAA2B,GAAG,0BAA0B,CAC5D,uBAAuB,CAAC,iCAAiC,CAC1D,CAAC;IAEF,oBAAoB;IACpB,MAAM,qBAAqB,GAAG,0BAA0B,CACtD,uBAAuB,CAAC,qBAAqB,CAC9C,CAAC;IACF,MAAM,gBAAgB,GAAG,0BAA0B,CACjD,uBAAuB,CAAC,gBAAgB,CACzC,CAAC;IACF,MAAM,iBAAiB,GAAG,0BAA0B,CAClD,uBAAuB,CAAC,iBAAiB,CAC1C,CAAC;IACF,MAAM,aAAa,GAAG,0BAA0B,CAC9C,uBAAuB,CAAC,aAAa,CACtC,CAAC;IAEF,OAAO;QACL,sBAAsB;QACtB,qBAAqB;QACrB,4BAA4B;QAC5B,2BAA2B;QAC3B,qBAAqB;QACrB,gBAAgB;QAChB,iBAAiB;QACjB,aAAa;KACd,CAAC;AACJ,CAAC,CAAC;AAnDW,QAAA,6BAA6B,iCAmDxC;AAEF;;;;;;;;;;GAUG;AACI,MAAM,+BAA+B,GAEpB,CAAC,SAAkC,EAAE,EAAE;IAC7D,MAAM,EACJ,sBAAsB,EACtB,qBAAqB,EACrB,4BAA4B,EAC5B,2BAA2B,EAC3B,qBAAqB,EACrB,gBAAgB,EAChB,iBAAiB,EACjB,aAAa,GACd,GAAG,IAAA,qCAA6B,EAAC,SAAS,CAAC,CAAC;IAE7C,8DAA8D;IAC9D,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAE3D,MAAM,eAAe,GAAqB;QACxC;YACE,iBAAiB,EAAE,IAAI,GAAG,CAAM;gBAC9B,4BAA4B;gBAC5B,qBAAqB;gBACrB,aAAa;aACd,CAAC;YACF,gBAAgB;YAChB,cAAc,EAAE,qBAAqB;SACtC;QACD;YACE,iBAAiB,EAAE,IAAI,GAAG,CAAM;gBAC9B,2BAA2B;gBAC3B,qBAAqB;gBACrB,aAAa;aACd,CAAC;YACF,gBAAgB;YAChB,cAAc,EAAE,uBAAuB;SACxC;QACD;YACE,iBAAiB,EAAE,IAAI,GAAG,CAAM;gBAC9B,sBAAsB;gBACtB,gBAAgB;gBAChB,aAAa;aACd,CAAC;YACF,gBAAgB;YAChB,cAAc,EAAE,oBAAoB;SACrC;QACD;YACE,iBAAiB,EAAE,IAAI,GAAG,CAAM;gBAC9B,qBAAqB;gBACrB,gBAAgB;gBAChB,aAAa;aACd,CAAC;YACF,gBAAgB;YAChB,cAAc,EAAE,sBAAsB;SACvC;KACF,CAAC;IAEF,OAAO,eAAe,CAAC;AACzB,CAAC,CAAC;AAzDW,QAAA,+BAA+B,mCAyD1C;AAEF;;;;;;GAMG;AACI,MAAM,QAAQ,GAAG,CAAI,MAAc,EAAE,QAAgB,EAAW,EAAE;IACvE,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE;QACtB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YACpB,OAAO,KAAK,CAAC;SACd;KACF;IACD,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAPW,QAAA,QAAQ,YAOnB;AAEF;;;;;;;;GAQG;AACH,SAAgB,kBAAkB,CAA0C,EAC1E,OAAO,EACP,QAAQ,EACR,eAAe,GAKhB;IACC,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CACpC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,KAAK,QAAQ,CACzC,CAAC;IAEF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE;QAChC,IAAI,eAAe,IAAI,IAAI,EAAE;YAC3B,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;SACpC;QACD,OAAO,IAAwD,CAAC;KACjE;IAED,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE;QAC9B,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;KACpC;IAED,OAAO,eAAe,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAClC,CAAC;AAzBD,gDAyBC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,QAAQ,CAAC,KAAU,EAAE,OAAiB;IACpD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,MAAM,KAAK,GAAU,EAAE,CAAC;IACxB,KAAK,MAAM,UAAU,IAAI,OAAO,EAAE;QAChC,MAAM,cAAc,GAAG,UAAU,GAAG,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,GAAG,cAAc,CAAC,CAAC;QACxD,KAAK,IAAI,cAAc,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,EAAS,CAAC,CAAC;KAChC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAVD,4BAUC","sourcesContent":["import type { Caveat } from '@metamask/delegation-core';\nimport { getChecksumAddress, type Hex } from '@metamask/utils';\n\nimport type { DeployedContractsByName, PermissionType } from './types';\n\n/**\n * A rule that defines the required and allowed enforcers for a permission type.\n */\nexport type PermissionRule = {\n  permissionType: PermissionType;\n  requiredEnforcers: Set<Hex>;\n  allowedEnforcers: Set<Hex>;\n};\n\n/**\n * The names of the enforcer contracts for each permission type.\n */\nconst ENFORCER_CONTRACT_NAMES = {\n  ERC20PeriodTransferEnforcer: 'ERC20PeriodTransferEnforcer',\n  ERC20StreamingEnforcer: 'ERC20StreamingEnforcer',\n  ExactCalldataEnforcer: 'ExactCalldataEnforcer',\n  NativeTokenPeriodTransferEnforcer: 'NativeTokenPeriodTransferEnforcer',\n  NativeTokenStreamingEnforcer: 'NativeTokenStreamingEnforcer',\n  TimestampEnforcer: 'TimestampEnforcer',\n  ValueLteEnforcer: 'ValueLteEnforcer',\n  NonceEnforcer: 'NonceEnforcer',\n};\n\n/**\n * Resolves and returns checksummed addresses of all known enforcer contracts\n * for a given `chainId` under the current delegation framework version.\n *\n * @param contracts - The deployed contracts for the chain.\n * @returns An object mapping enforcer names to checksummed contract addresses.\n * @throws If the chain or an expected enforcer contract is not found.\n */\nexport const getChecksumEnforcersByChainId = (\n  contracts: DeployedContractsByName,\n) => {\n  const getChecksumContractAddress = (contractName: string) => {\n    const address = contracts[contractName];\n\n    if (!address) {\n      throw new Error(`Contract not found: ${contractName}`);\n    }\n\n    return getChecksumAddress(address);\n  };\n\n  // permission type specific enforcers\n  const erc20StreamingEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.ERC20StreamingEnforcer,\n  );\n  const erc20PeriodicEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.ERC20PeriodTransferEnforcer,\n  );\n  const nativeTokenStreamingEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.NativeTokenStreamingEnforcer,\n  );\n  const nativeTokenPeriodicEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.NativeTokenPeriodTransferEnforcer,\n  );\n\n  // general enforcers\n  const exactCalldataEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.ExactCalldataEnforcer,\n  );\n  const valueLteEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.ValueLteEnforcer,\n  );\n  const timestampEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.TimestampEnforcer,\n  );\n  const nonceEnforcer = getChecksumContractAddress(\n    ENFORCER_CONTRACT_NAMES.NonceEnforcer,\n  );\n\n  return {\n    erc20StreamingEnforcer,\n    erc20PeriodicEnforcer,\n    nativeTokenStreamingEnforcer,\n    nativeTokenPeriodicEnforcer,\n    exactCalldataEnforcer,\n    valueLteEnforcer,\n    timestampEnforcer,\n    nonceEnforcer,\n  };\n};\n\n/**\n * Builds the canonical set of permission matching rules for a chain.\n *\n * Each rule specifies the `permissionType`, the set of `requiredEnforcers`\n * that must be present, and the set of `allowedEnforcers` that may appear in\n * addition to the required set.\n *\n * @param contracts - The deployed contracts for the chain.\n * @returns A list of permission rules used to identify permission types.\n * @throws Propagates any errors from resolving enforcer addresses.\n */\nexport const createPermissionRulesForChainId: (\n  contracts: DeployedContractsByName,\n) => PermissionRule[] = (contracts: DeployedContractsByName) => {\n  const {\n    erc20StreamingEnforcer,\n    erc20PeriodicEnforcer,\n    nativeTokenStreamingEnforcer,\n    nativeTokenPeriodicEnforcer,\n    exactCalldataEnforcer,\n    valueLteEnforcer,\n    timestampEnforcer,\n    nonceEnforcer,\n  } = getChecksumEnforcersByChainId(contracts);\n\n  // the allowed enforcers are the same for all permission types\n  const allowedEnforcers = new Set<Hex>([timestampEnforcer]);\n\n  const permissionRules: PermissionRule[] = [\n    {\n      requiredEnforcers: new Set<Hex>([\n        nativeTokenStreamingEnforcer,\n        exactCalldataEnforcer,\n        nonceEnforcer,\n      ]),\n      allowedEnforcers,\n      permissionType: 'native-token-stream',\n    },\n    {\n      requiredEnforcers: new Set<Hex>([\n        nativeTokenPeriodicEnforcer,\n        exactCalldataEnforcer,\n        nonceEnforcer,\n      ]),\n      allowedEnforcers,\n      permissionType: 'native-token-periodic',\n    },\n    {\n      requiredEnforcers: new Set<Hex>([\n        erc20StreamingEnforcer,\n        valueLteEnforcer,\n        nonceEnforcer,\n      ]),\n      allowedEnforcers,\n      permissionType: 'erc20-token-stream',\n    },\n    {\n      requiredEnforcers: new Set<Hex>([\n        erc20PeriodicEnforcer,\n        valueLteEnforcer,\n        nonceEnforcer,\n      ]),\n      allowedEnforcers,\n      permissionType: 'erc20-token-periodic',\n    },\n  ];\n\n  return permissionRules;\n};\n\n/**\n * Determines whether all elements of `subset` are contained within `superset`.\n *\n * @param subset - The candidate subset to test.\n * @param superset - The set expected to contain all elements of `subset`.\n * @returns `true` if `subset` ⊆ `superset`, otherwise `false`.\n */\nexport const isSubset = <T>(subset: Set<T>, superset: Set<T>): boolean => {\n  for (const x of subset) {\n    if (!superset.has(x)) {\n      return false;\n    }\n  }\n  return true;\n};\n\n/**\n * Gets the terms for a given enforcer from a list of caveats.\n *\n * @param args - The arguments to this function.\n * @param  args.throwIfNotFound - Whether to throw an error if no matching enforcer is found. Default is true.\n * @param args.caveats - The list of caveats to search.\n * @param args.enforcer - The enforcer to search for.\n * @returns The terms for the given enforcer.\n */\nexport function getTermsByEnforcer<TThrowIfNotFound extends boolean = true>({\n  caveats,\n  enforcer,\n  throwIfNotFound,\n}: {\n  caveats: Caveat<Hex>[];\n  enforcer: Hex;\n  throwIfNotFound?: TThrowIfNotFound;\n}): TThrowIfNotFound extends true ? Hex : Hex | null {\n  const matchingCaveats = caveats.filter(\n    (caveat) => caveat.enforcer === enforcer,\n  );\n\n  if (matchingCaveats.length === 0) {\n    if (throwIfNotFound ?? true) {\n      throw new Error('Invalid caveats');\n    }\n    return null as TThrowIfNotFound extends true ? Hex : Hex | null;\n  }\n\n  if (matchingCaveats.length > 1) {\n    throw new Error('Invalid caveats');\n  }\n\n  return matchingCaveats[0].terms;\n}\n\n/**\n * Splits a 0x-prefixed hex string into parts according to the provided byte lengths.\n *\n * Each entry in `lengths` represents a part length in bytes; internally this is\n * multiplied by 2 to derive the number of hexadecimal characters to slice. The\n * returned substrings do not include the `0x` prefix and preserve leading zeros.\n *\n * Note: This function does not perform input validation (e.g., verifying the\n * payload length equals the sum of requested lengths). Callers are expected to\n * provide well-formed inputs.\n *\n * Example:\n * splitHex('0x12345678', [1, 3]) => ['0x12', '0x345678']\n *\n * @param value - The 0x-prefixed hex string to split.\n * @param lengths - The lengths of each part, in bytes.\n * @returns An array of hex substrings (each with `0x` prefix), one for each part.\n */\nexport function splitHex(value: Hex, lengths: number[]): Hex[] {\n  let start = 2;\n  const parts: Hex[] = [];\n  for (const partLength of lengths) {\n    const partCharLength = partLength * 2;\n    const part = value.slice(start, start + partCharLength);\n    start += partCharLength;\n    parts.push(`0x${part}` as Hex);\n  }\n  return parts;\n}\n"]}

package/dist/decodePermission/utils.d.cts

@@ -0,0 +1,83 @@
+import type { Caveat } from "@metamask/delegation-core";
+import { type Hex } from "@metamask/utils";
+import type { DeployedContractsByName, PermissionType } from "./types.cjs";
+/**
+ * A rule that defines the required and allowed enforcers for a permission type.
+ */
+export type PermissionRule = {
+    permissionType: PermissionType;
+    requiredEnforcers: Set<Hex>;
+    allowedEnforcers: Set<Hex>;
+};
+/**
+ * Resolves and returns checksummed addresses of all known enforcer contracts
+ * for a given `chainId` under the current delegation framework version.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns An object mapping enforcer names to checksummed contract addresses.
+ * @throws If the chain or an expected enforcer contract is not found.
+ */
+export declare const getChecksumEnforcersByChainId: (contracts: DeployedContractsByName) => {
+    erc20StreamingEnforcer: `0x${string}`;
+    erc20PeriodicEnforcer: `0x${string}`;
+    nativeTokenStreamingEnforcer: `0x${string}`;
+    nativeTokenPeriodicEnforcer: `0x${string}`;
+    exactCalldataEnforcer: `0x${string}`;
+    valueLteEnforcer: `0x${string}`;
+    timestampEnforcer: `0x${string}`;
+    nonceEnforcer: `0x${string}`;
+};
+/**
+ * Builds the canonical set of permission matching rules for a chain.
+ *
+ * Each rule specifies the `permissionType`, the set of `requiredEnforcers`
+ * that must be present, and the set of `allowedEnforcers` that may appear in
+ * addition to the required set.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns A list of permission rules used to identify permission types.
+ * @throws Propagates any errors from resolving enforcer addresses.
+ */
+export declare const createPermissionRulesForChainId: (contracts: DeployedContractsByName) => PermissionRule[];
+/**
+ * Determines whether all elements of `subset` are contained within `superset`.
+ *
+ * @param subset - The candidate subset to test.
+ * @param superset - The set expected to contain all elements of `subset`.
+ * @returns `true` if `subset` ⊆ `superset`, otherwise `false`.
+ */
+export declare const isSubset: <T>(subset: Set<T>, superset: Set<T>) => boolean;
+/**
+ * Gets the terms for a given enforcer from a list of caveats.
+ *
+ * @param args - The arguments to this function.
+ * @param  args.throwIfNotFound - Whether to throw an error if no matching enforcer is found. Default is true.
+ * @param args.caveats - The list of caveats to search.
+ * @param args.enforcer - The enforcer to search for.
+ * @returns The terms for the given enforcer.
+ */
+export declare function getTermsByEnforcer<TThrowIfNotFound extends boolean = true>({ caveats, enforcer, throwIfNotFound, }: {
+    caveats: Caveat<Hex>[];
+    enforcer: Hex;
+    throwIfNotFound?: TThrowIfNotFound;
+}): TThrowIfNotFound extends true ? Hex : Hex | null;
+/**
+ * Splits a 0x-prefixed hex string into parts according to the provided byte lengths.
+ *
+ * Each entry in `lengths` represents a part length in bytes; internally this is
+ * multiplied by 2 to derive the number of hexadecimal characters to slice. The
+ * returned substrings do not include the `0x` prefix and preserve leading zeros.
+ *
+ * Note: This function does not perform input validation (e.g., verifying the
+ * payload length equals the sum of requested lengths). Callers are expected to
+ * provide well-formed inputs.
+ *
+ * Example:
+ * splitHex('0x12345678', [1, 3]) => ['0x12', '0x345678']
+ *
+ * @param value - The 0x-prefixed hex string to split.
+ * @param lengths - The lengths of each part, in bytes.
+ * @returns An array of hex substrings (each with `0x` prefix), one for each part.
+ */
+export declare function splitHex(value: Hex, lengths: number[]): Hex[];
+//# sourceMappingURL=utils.d.cts.map

package/dist/decodePermission/utils.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.cts","sourceRoot":"","sources":["../../src/decodePermission/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,kCAAkC;AACxD,OAAO,EAAsB,KAAK,GAAG,EAAE,wBAAwB;AAE/D,OAAO,KAAK,EAAE,uBAAuB,EAAE,cAAc,EAAE,oBAAgB;AAEvE;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,cAAc,EAAE,cAAc,CAAC;IAC/B,iBAAiB,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,gBAAgB,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;CAC5B,CAAC;AAgBF;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,cAC7B,uBAAuB;;;;;;;;;CAkDnC,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,+BAA+B,EAAE,CAC5C,SAAS,EAAE,uBAAuB,KAC/B,cAAc,EAuDlB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,QAAQ,2CAA0C,OAO9D,CAAC;AAEF;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,gBAAgB,SAAS,OAAO,GAAG,IAAI,EAAE,EAC1E,OAAO,EACP,QAAQ,EACR,eAAe,GAChB,EAAE;IACD,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACvB,QAAQ,EAAE,GAAG,CAAC;IACd,eAAe,CAAC,EAAE,gBAAgB,CAAC;CACpC,GAAG,gBAAgB,SAAS,IAAI,GAAG,GAAG,GAAG,GAAG,GAAG,IAAI,CAiBnD;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,EAAE,CAU7D"}

package/dist/decodePermission/utils.d.mts

@@ -0,0 +1,83 @@
+import type { Caveat } from "@metamask/delegation-core";
+import { type Hex } from "@metamask/utils";
+import type { DeployedContractsByName, PermissionType } from "./types.mjs";
+/**
+ * A rule that defines the required and allowed enforcers for a permission type.
+ */
+export type PermissionRule = {
+    permissionType: PermissionType;
+    requiredEnforcers: Set<Hex>;
+    allowedEnforcers: Set<Hex>;
+};
+/**
+ * Resolves and returns checksummed addresses of all known enforcer contracts
+ * for a given `chainId` under the current delegation framework version.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns An object mapping enforcer names to checksummed contract addresses.
+ * @throws If the chain or an expected enforcer contract is not found.
+ */
+export declare const getChecksumEnforcersByChainId: (contracts: DeployedContractsByName) => {
+    erc20StreamingEnforcer: `0x${string}`;
+    erc20PeriodicEnforcer: `0x${string}`;
+    nativeTokenStreamingEnforcer: `0x${string}`;
+    nativeTokenPeriodicEnforcer: `0x${string}`;
+    exactCalldataEnforcer: `0x${string}`;
+    valueLteEnforcer: `0x${string}`;
+    timestampEnforcer: `0x${string}`;
+    nonceEnforcer: `0x${string}`;
+};
+/**
+ * Builds the canonical set of permission matching rules for a chain.
+ *
+ * Each rule specifies the `permissionType`, the set of `requiredEnforcers`
+ * that must be present, and the set of `allowedEnforcers` that may appear in
+ * addition to the required set.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns A list of permission rules used to identify permission types.
+ * @throws Propagates any errors from resolving enforcer addresses.
+ */
+export declare const createPermissionRulesForChainId: (contracts: DeployedContractsByName) => PermissionRule[];
+/**
+ * Determines whether all elements of `subset` are contained within `superset`.
+ *
+ * @param subset - The candidate subset to test.
+ * @param superset - The set expected to contain all elements of `subset`.
+ * @returns `true` if `subset` ⊆ `superset`, otherwise `false`.
+ */
+export declare const isSubset: <T>(subset: Set<T>, superset: Set<T>) => boolean;
+/**
+ * Gets the terms for a given enforcer from a list of caveats.
+ *
+ * @param args - The arguments to this function.
+ * @param  args.throwIfNotFound - Whether to throw an error if no matching enforcer is found. Default is true.
+ * @param args.caveats - The list of caveats to search.
+ * @param args.enforcer - The enforcer to search for.
+ * @returns The terms for the given enforcer.
+ */
+export declare function getTermsByEnforcer<TThrowIfNotFound extends boolean = true>({ caveats, enforcer, throwIfNotFound, }: {
+    caveats: Caveat<Hex>[];
+    enforcer: Hex;
+    throwIfNotFound?: TThrowIfNotFound;
+}): TThrowIfNotFound extends true ? Hex : Hex | null;
+/**
+ * Splits a 0x-prefixed hex string into parts according to the provided byte lengths.
+ *
+ * Each entry in `lengths` represents a part length in bytes; internally this is
+ * multiplied by 2 to derive the number of hexadecimal characters to slice. The
+ * returned substrings do not include the `0x` prefix and preserve leading zeros.
+ *
+ * Note: This function does not perform input validation (e.g., verifying the
+ * payload length equals the sum of requested lengths). Callers are expected to
+ * provide well-formed inputs.
+ *
+ * Example:
+ * splitHex('0x12345678', [1, 3]) => ['0x12', '0x345678']
+ *
+ * @param value - The 0x-prefixed hex string to split.
+ * @param lengths - The lengths of each part, in bytes.
+ * @returns An array of hex substrings (each with `0x` prefix), one for each part.
+ */
+export declare function splitHex(value: Hex, lengths: number[]): Hex[];
+//# sourceMappingURL=utils.d.mts.map

package/dist/decodePermission/utils.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.mts","sourceRoot":"","sources":["../../src/decodePermission/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,kCAAkC;AACxD,OAAO,EAAsB,KAAK,GAAG,EAAE,wBAAwB;AAE/D,OAAO,KAAK,EAAE,uBAAuB,EAAE,cAAc,EAAE,oBAAgB;AAEvE;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,cAAc,EAAE,cAAc,CAAC;IAC/B,iBAAiB,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,gBAAgB,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;CAC5B,CAAC;AAgBF;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,cAC7B,uBAAuB;;;;;;;;;CAkDnC,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,+BAA+B,EAAE,CAC5C,SAAS,EAAE,uBAAuB,KAC/B,cAAc,EAuDlB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,QAAQ,2CAA0C,OAO9D,CAAC;AAEF;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,gBAAgB,SAAS,OAAO,GAAG,IAAI,EAAE,EAC1E,OAAO,EACP,QAAQ,EACR,eAAe,GAChB,EAAE;IACD,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;IACvB,QAAQ,EAAE,GAAG,CAAC;IACd,eAAe,CAAC,EAAE,gBAAgB,CAAC;CACpC,GAAG,gBAAgB,SAAS,IAAI,GAAG,GAAG,GAAG,GAAG,GAAG,IAAI,CAiBnD;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,QAAQ,CAAC,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,GAAG,EAAE,CAU7D"}

package/dist/decodePermission/utils.mjs

@@ -0,0 +1,173 @@
+import { getChecksumAddress } from "@metamask/utils";
+/**
+ * The names of the enforcer contracts for each permission type.
+ */
+const ENFORCER_CONTRACT_NAMES = {
+    ERC20PeriodTransferEnforcer: 'ERC20PeriodTransferEnforcer',
+    ERC20StreamingEnforcer: 'ERC20StreamingEnforcer',
+    ExactCalldataEnforcer: 'ExactCalldataEnforcer',
+    NativeTokenPeriodTransferEnforcer: 'NativeTokenPeriodTransferEnforcer',
+    NativeTokenStreamingEnforcer: 'NativeTokenStreamingEnforcer',
+    TimestampEnforcer: 'TimestampEnforcer',
+    ValueLteEnforcer: 'ValueLteEnforcer',
+    NonceEnforcer: 'NonceEnforcer',
+};
+/**
+ * Resolves and returns checksummed addresses of all known enforcer contracts
+ * for a given `chainId` under the current delegation framework version.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns An object mapping enforcer names to checksummed contract addresses.
+ * @throws If the chain or an expected enforcer contract is not found.
+ */
+export const getChecksumEnforcersByChainId = (contracts) => {
+    const getChecksumContractAddress = (contractName) => {
+        const address = contracts[contractName];
+        if (!address) {
+            throw new Error(`Contract not found: ${contractName}`);
+        }
+        return getChecksumAddress(address);
+    };
+    // permission type specific enforcers
+    const erc20StreamingEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ERC20StreamingEnforcer);
+    const erc20PeriodicEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ERC20PeriodTransferEnforcer);
+    const nativeTokenStreamingEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.NativeTokenStreamingEnforcer);
+    const nativeTokenPeriodicEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.NativeTokenPeriodTransferEnforcer);
+    // general enforcers
+    const exactCalldataEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ExactCalldataEnforcer);
+    const valueLteEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.ValueLteEnforcer);
+    const timestampEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.TimestampEnforcer);
+    const nonceEnforcer = getChecksumContractAddress(ENFORCER_CONTRACT_NAMES.NonceEnforcer);
+    return {
+        erc20StreamingEnforcer,
+        erc20PeriodicEnforcer,
+        nativeTokenStreamingEnforcer,
+        nativeTokenPeriodicEnforcer,
+        exactCalldataEnforcer,
+        valueLteEnforcer,
+        timestampEnforcer,
+        nonceEnforcer,
+    };
+};
+/**
+ * Builds the canonical set of permission matching rules for a chain.
+ *
+ * Each rule specifies the `permissionType`, the set of `requiredEnforcers`
+ * that must be present, and the set of `allowedEnforcers` that may appear in
+ * addition to the required set.
+ *
+ * @param contracts - The deployed contracts for the chain.
+ * @returns A list of permission rules used to identify permission types.
+ * @throws Propagates any errors from resolving enforcer addresses.
+ */
+export const createPermissionRulesForChainId = (contracts) => {
+    const { erc20StreamingEnforcer, erc20PeriodicEnforcer, nativeTokenStreamingEnforcer, nativeTokenPeriodicEnforcer, exactCalldataEnforcer, valueLteEnforcer, timestampEnforcer, nonceEnforcer, } = getChecksumEnforcersByChainId(contracts);
+    // the allowed enforcers are the same for all permission types
+    const allowedEnforcers = new Set([timestampEnforcer]);
+    const permissionRules = [
+        {
+            requiredEnforcers: new Set([
+                nativeTokenStreamingEnforcer,
+                exactCalldataEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'native-token-stream',
+        },
+        {
+            requiredEnforcers: new Set([
+                nativeTokenPeriodicEnforcer,
+                exactCalldataEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'native-token-periodic',
+        },
+        {
+            requiredEnforcers: new Set([
+                erc20StreamingEnforcer,
+                valueLteEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'erc20-token-stream',
+        },
+        {
+            requiredEnforcers: new Set([
+                erc20PeriodicEnforcer,
+                valueLteEnforcer,
+                nonceEnforcer,
+            ]),
+            allowedEnforcers,
+            permissionType: 'erc20-token-periodic',
+        },
+    ];
+    return permissionRules;
+};
+/**
+ * Determines whether all elements of `subset` are contained within `superset`.
+ *
+ * @param subset - The candidate subset to test.
+ * @param superset - The set expected to contain all elements of `subset`.
+ * @returns `true` if `subset` ⊆ `superset`, otherwise `false`.
+ */
+export const isSubset = (subset, superset) => {
+    for (const x of subset) {
+        if (!superset.has(x)) {
+            return false;
+        }
+    }
+    return true;
+};
+/**
+ * Gets the terms for a given enforcer from a list of caveats.
+ *
+ * @param args - The arguments to this function.
+ * @param  args.throwIfNotFound - Whether to throw an error if no matching enforcer is found. Default is true.
+ * @param args.caveats - The list of caveats to search.
+ * @param args.enforcer - The enforcer to search for.
+ * @returns The terms for the given enforcer.
+ */
+export function getTermsByEnforcer({ caveats, enforcer, throwIfNotFound, }) {
+    const matchingCaveats = caveats.filter((caveat) => caveat.enforcer === enforcer);
+    if (matchingCaveats.length === 0) {
+        if (throwIfNotFound ?? true) {
+            throw new Error('Invalid caveats');
+        }
+        return null;
+    }
+    if (matchingCaveats.length > 1) {
+        throw new Error('Invalid caveats');
+    }
+    return matchingCaveats[0].terms;
+}
+/**
+ * Splits a 0x-prefixed hex string into parts according to the provided byte lengths.
+ *
+ * Each entry in `lengths` represents a part length in bytes; internally this is
+ * multiplied by 2 to derive the number of hexadecimal characters to slice. The
+ * returned substrings do not include the `0x` prefix and preserve leading zeros.
+ *
+ * Note: This function does not perform input validation (e.g., verifying the
+ * payload length equals the sum of requested lengths). Callers are expected to
+ * provide well-formed inputs.
+ *
+ * Example:
+ * splitHex('0x12345678', [1, 3]) => ['0x12', '0x345678']
+ *
+ * @param value - The 0x-prefixed hex string to split.
+ * @param lengths - The lengths of each part, in bytes.
+ * @returns An array of hex substrings (each with `0x` prefix), one for each part.
+ */
+export function splitHex(value, lengths) {
+    let start = 2;
+    const parts = [];
+    for (const partLength of lengths) {
+        const partCharLength = partLength * 2;
+        const part = value.slice(start, start + partCharLength);
+        start += partCharLength;
+        parts.push(`0x${part}`);
+    }
+    return parts;
+}
+//# sourceMappingURL=utils.mjs.map