@mysten/sui 2.17.0 → 2.19.0

package/dist/transactions/index.d.mts

@@ -5,7 +5,7 @@ import { SerializedTransactionDataV1 } from "./data/v1.mjs";
 import { SerializedTransactionDataV2 } from "./data/v2.mjs";
 import { TransactionDataBuilder } from "./TransactionData.mjs";
 import { BuildTransactionOptions, SerializeTransactionOptions, TransactionPlugin } from "./resolve.mjs";
-import { Transaction, TransactionObjectArgument, TransactionObjectInput, TransactionResult, isTransaction } from "./Transaction.mjs";
+import { Transaction, TransactionCopyOptions, TransactionObjectArgument, TransactionObjectInput, TransactionResult, isTransaction } from "./Transaction.mjs";
 import { getPureBcsSchema, normalizedTypeToMoveTypeSignature } from "./serializer.mjs";
 import { AsyncCache, ObjectCache } from "./ObjectCache.mjs";
 import { SerialTransactionExecutor } from "./executor/serial.mjs";
@@ -13,4 +13,4 @@ import { ParallelTransactionExecutor, ParallelTransactionExecutorOptions } from
 import { coinWithBalance } from "./intents/CoinWithBalance.mjs";
 import { Arguments } from "./Arguments.mjs";
 import { isArgument } from "./utils.mjs";
-export { type Argument, Arguments, AsyncCache, type BuildTransactionOptions, type CallArg, type Command, type GasData, Inputs, ObjectCache, type ObjectRef, ParallelTransactionExecutor, type ParallelTransactionExecutorOptions, SerialTransactionExecutor, type SerializeTransactionOptions, type SerializedTransactionDataV1, type SerializedTransactionDataV2, Transaction, type TransactionArgument, TransactionCommands, type TransactionData, TransactionDataBuilder, type TransactionInput, type TransactionObjectArgument, type TransactionObjectInput, type TransactionPlugin, type TransactionResult, UpgradePolicy, coinWithBalance, getPureBcsSchema, isArgument, isTransaction, normalizedTypeToMoveTypeSignature };
+export { type Argument, Arguments, AsyncCache, type BuildTransactionOptions, type CallArg, type Command, type GasData, Inputs, ObjectCache, type ObjectRef, ParallelTransactionExecutor, type ParallelTransactionExecutorOptions, SerialTransactionExecutor, type SerializeTransactionOptions, type SerializedTransactionDataV1, type SerializedTransactionDataV2, Transaction, type TransactionArgument, TransactionCommands, type TransactionCopyOptions, type TransactionData, TransactionDataBuilder, type TransactionInput, type TransactionObjectArgument, type TransactionObjectInput, type TransactionPlugin, type TransactionResult, UpgradePolicy, coinWithBalance, getPureBcsSchema, isArgument, isTransaction, normalizedTypeToMoveTypeSignature };

package/dist/verify/index.d.mts

@@ -1,2 +1,2 @@
-import { publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature } from "./verify.mjs";
-export { publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };
+import { isValidPersonalMessageSignature, isValidSignature, isValidTransactionSignature, publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature } from "./verify.mjs";
+export { isValidPersonalMessageSignature, isValidSignature, isValidTransactionSignature, publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };

package/dist/verify/index.mjs

@@ -1,3 +1,3 @@
-import { publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature } from "./verify.mjs";
+import { isValidPersonalMessageSignature, isValidSignature, isValidTransactionSignature, publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature } from "./verify.mjs";
 
-export { publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };
+export { isValidPersonalMessageSignature, isValidSignature, isValidTransactionSignature, publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };

package/dist/verify/verify.d.mts

@@ -4,6 +4,26 @@ import "../cryptography/index.mjs";
 import { ClientWithCoreApi } from "../client/core.mjs";
 
 //#region src/verify/verify.d.ts
+/**
+ * Whether `signature` is a valid signature over `bytes` (and, if `options.address`
+ * is given, was produced by that address). Returns `false` for a malformed or
+ * cryptographically invalid signature, or one that doesn't match the address;
+ * only an *environmental* failure (e.g. a zkLogin JWK/epoch lookup) throws, so a
+ * network blip is never reported as an invalid signature.
+ */
+declare function isValidSignature(bytes: Uint8Array, signature: string, options?: {
+  address?: string;
+}): Promise<boolean>;
+/** Like {@link isValidSignature}, for a personal message. */
+declare function isValidPersonalMessageSignature(message: Uint8Array, signature: string, options?: {
+  client?: ClientWithCoreApi;
+  address?: string;
+}): Promise<boolean>;
+/** Like {@link isValidSignature}, for transaction bytes. */
+declare function isValidTransactionSignature(transaction: Uint8Array, signature: string, options?: {
+  client?: ClientWithCoreApi;
+  address?: string;
+}): Promise<boolean>;
 declare function verifySignature(bytes: Uint8Array, signature: string, options?: {
   address?: string;
 }): Promise<PublicKey>;
@@ -24,5 +44,5 @@ declare function publicKeyFromSuiBytes(publicKey: string | Uint8Array, options?:
   address?: string;
 }): PublicKey;
 //#endregion
-export { publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };
+export { isValidPersonalMessageSignature, isValidSignature, isValidTransactionSignature, publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };
 //# sourceMappingURL=verify.d.mts.map

package/dist/verify/verify.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.mts","names":[],"sources":["../../src/verify/verify.ts"],"mappings":";;;;;;iBAesB,eAAA,CACrB,KAAA,EAAO,UAAA,EACP,SAAA,UACA,OAAA;EACC,OAAA;AAAA,IAEC,OAAA,CAAQ,SAAA;AAAA,iBAcW,8BAAA,CACrB,OAAA,EAAS,UAAA,EACT,SAAA,UACA,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,OAAA,CAAQ,SAAA;AAAA,iBAmBW,0BAAA,CACrB,WAAA,EAAa,UAAA,EACb,SAAA,UACA,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,OAAA,CAAQ,SAAA;AAAA,iBAwCK,qBAAA,CACf,eAAA,EAAiB,eAAA,EACjB,KAAA,EAAO,UAAA,EACP,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,SAAA;AAAA,iBAgCa,qBAAA,CACf,SAAA,WAAoB,UAAA,EACpB,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IAAuB,SAAA"}
+{"version":3,"file":"verify.d.mts","names":[],"sources":["../../src/verify/verify.ts"],"mappings":";;;;;;;;;;AAsBA;;;iBAAsB,gBAAA,CACrB,KAAA,EAAO,UAAA,EACP,SAAA,UACA,OAAA;EAAW,OAAA;AAAA,IACT,OAAA;;iBAQmB,+BAAA,CACrB,OAAA,EAAS,UAAA,EACT,SAAA,UACA,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,OAAA;;iBAUmB,2BAAA,CACrB,WAAA,EAAa,UAAA,EACb,SAAA,UACA,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,OAAA;AAAA,iBASmB,eAAA,CACrB,KAAA,EAAO,UAAA,EACP,SAAA,UACA,OAAA;EAAW,OAAA;AAAA,IACT,OAAA,CAAQ,SAAA;AAAA,iBAWW,8BAAA,CACrB,OAAA,EAAS,UAAA,EACT,SAAA,UACA,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,OAAA,CAAQ,SAAA;AAAA,iBAWW,0BAAA,CACrB,WAAA,EAAa,UAAA,EACb,SAAA,UACA,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,OAAA,CAAQ,SAAA;AAAA,iBAyCK,qBAAA,CACf,eAAA,EAAiB,eAAA,EACjB,KAAA,EAAO,UAAA,EACP,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IACrC,SAAA;AAAA,iBAgCa,qBAAA,CACf,SAAA,WAAoB,UAAA,EACpB,OAAA;EAAW,MAAA,GAAS,iBAAA;EAAmB,OAAA;AAAA,IAAuB,SAAA"}

package/dist/verify/verify.mjs

@@ -9,23 +9,50 @@ import { MultiSigPublicKey } from "../multisig/publickey.mjs";
 import { fromBase64 } from "@mysten/bcs";
 
 //#region src/verify/verify.ts
-async function verifySignature(bytes, signature, options) {
-	const parsedSignature = parseSignature(signature);
-	if (!await parsedSignature.publicKey.verify(bytes, parsedSignature.serializedSignature)) throw new Error(`Signature is not valid for the provided data`);
-	if (options?.address && !parsedSignature.publicKey.verifyAddress(options.address)) throw new Error(`Signature is not valid for the provided address`);
-	return parsedSignature.publicKey;
+/**
+* Whether `signature` is a valid signature over `bytes` (and, if `options.address`
+* is given, was produced by that address). Returns `false` for a malformed or
+* cryptographically invalid signature, or one that doesn't match the address;
+* only an *environmental* failure (e.g. a zkLogin JWK/epoch lookup) throws, so a
+* network blip is never reported as an invalid signature.
+*/
+async function isValidSignature(bytes, signature, options = {}) {
+	const parsed = tryParseSignature(signature);
+	if (!parsed) return false;
+	if (!await parsed.publicKey.verify(bytes, parsed.serializedSignature)) return false;
+	return options.address ? parsed.publicKey.verifyAddress(options.address) : true;
+}
+/** Like {@link isValidSignature}, for a personal message. */
+async function isValidPersonalMessageSignature(message, signature, options = {}) {
+	const parsed = tryParseSignature(signature, { client: options.client });
+	if (!parsed) return false;
+	if (!await parsed.publicKey.verifyPersonalMessage(message, parsed.serializedSignature)) return false;
+	return options.address ? parsed.publicKey.verifyAddress(options.address) : true;
+}
+/** Like {@link isValidSignature}, for transaction bytes. */
+async function isValidTransactionSignature(transaction, signature, options = {}) {
+	const parsed = tryParseSignature(signature, { client: options.client });
+	if (!parsed) return false;
+	if (!await parsed.publicKey.verifyTransaction(transaction, parsed.serializedSignature)) return false;
+	return options.address ? parsed.publicKey.verifyAddress(options.address) : true;
+}
+async function verifySignature(bytes, signature, options = {}) {
+	const { publicKey } = parseSignature(signature);
+	if (!await isValidSignature(bytes, signature)) throw new Error(`Signature is not valid for the provided data`);
+	if (options.address && !publicKey.verifyAddress(options.address)) throw new Error(`Signature is not valid for the provided address`);
+	return publicKey;
 }
 async function verifyPersonalMessageSignature(message, signature, options = {}) {
-	const parsedSignature = parseSignature(signature, options);
-	if (!await parsedSignature.publicKey.verifyPersonalMessage(message, parsedSignature.serializedSignature)) throw new Error(`Signature is not valid for the provided message`);
-	if (options?.address && !parsedSignature.publicKey.verifyAddress(options.address)) throw new Error(`Signature is not valid for the provided address`);
-	return parsedSignature.publicKey;
+	const { publicKey } = parseSignature(signature, options);
+	if (!await isValidPersonalMessageSignature(message, signature, { client: options.client })) throw new Error(`Signature is not valid for the provided message`);
+	if (options.address && !publicKey.verifyAddress(options.address)) throw new Error(`Signature is not valid for the provided address`);
+	return publicKey;
 }
 async function verifyTransactionSignature(transaction, signature, options = {}) {
-	const parsedSignature = parseSignature(signature, options);
-	if (!await parsedSignature.publicKey.verifyTransaction(transaction, parsedSignature.serializedSignature)) throw new Error(`Signature is not valid for the provided Transaction`);
-	if (options?.address && !parsedSignature.publicKey.verifyAddress(options.address)) throw new Error(`Signature is not valid for the provided address`);
-	return parsedSignature.publicKey;
+	const { publicKey } = parseSignature(signature, options);
+	if (!await isValidTransactionSignature(transaction, signature, { client: options.client })) throw new Error(`Signature is not valid for the provided Transaction`);
+	if (options.address && !publicKey.verifyAddress(options.address)) throw new Error(`Signature is not valid for the provided address`);
+	return publicKey;
 }
 function parseSignature(signature, options = {}) {
 	const parsedSignature = parseSerializedSignature(signature);
@@ -39,6 +66,14 @@ function parseSignature(signature, options = {}) {
 		publicKey
 	};
 }
+/** {@link parseSignature}, returning `null` instead of throwing on a malformed signature. */
+function tryParseSignature(signature, options = {}) {
+	try {
+		return parseSignature(signature, options);
+	} catch {
+		return null;
+	}
+}
 function publicKeyFromRawBytes(signatureScheme, bytes, options = {}) {
 	let publicKey;
 	switch (signatureScheme) {
@@ -72,5 +107,5 @@ function publicKeyFromSuiBytes(publicKey, options = {}) {
 }
 
 //#endregion
-export { publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };
+export { isValidPersonalMessageSignature, isValidSignature, isValidTransactionSignature, publicKeyFromRawBytes, publicKeyFromSuiBytes, verifyPersonalMessageSignature, verifySignature, verifyTransactionSignature };
 //# sourceMappingURL=verify.mjs.map

package/dist/verify/verify.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"verify.mjs","names":[],"sources":["../../src/verify/verify.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromBase64 } from '@mysten/bcs';\n\nimport type { PublicKey, SignatureFlag, SignatureScheme } from '../cryptography/index.js';\nimport { parseSerializedSignature, SIGNATURE_FLAG_TO_SCHEME } from '../cryptography/index.js';\nimport { Ed25519PublicKey } from '../keypairs/ed25519/publickey.js';\nimport { PasskeyPublicKey } from '../keypairs/passkey/publickey.js';\nimport { Secp256k1PublicKey } from '../keypairs/secp256k1/publickey.js';\nimport { Secp256r1PublicKey } from '../keypairs/secp256r1/publickey.js';\nimport { MultiSigPublicKey } from '../multisig/publickey.js';\nimport { ZkLoginPublicIdentifier } from '../zklogin/publickey.js';\nimport type { ClientWithCoreApi } from '../client/core.js';\n\nexport async function verifySignature(\n\tbytes: Uint8Array,\n\tsignature: string,\n\toptions?: {\n\t\taddress?: string;\n\t},\n): Promise<PublicKey> {\n\tconst parsedSignature = parseSignature(signature);\n\n\tif (!(await parsedSignature.publicKey.verify(bytes, parsedSignature.serializedSignature))) {\n\t\tthrow new Error(`Signature is not valid for the provided data`);\n\t}\n\n\tif (options?.address && !parsedSignature.publicKey.verifyAddress(options.address)) {\n\t\tthrow new Error(`Signature is not valid for the provided address`);\n\t}\n\n\treturn parsedSignature.publicKey;\n}\n\nexport async function verifyPersonalMessageSignature(\n\tmessage: Uint8Array,\n\tsignature: string,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): Promise<PublicKey> {\n\tconst parsedSignature = parseSignature(signature, options);\n\n\tif (\n\t\t!(await parsedSignature.publicKey.verifyPersonalMessage(\n\t\t\tmessage,\n\t\t\tparsedSignature.serializedSignature,\n\t\t))\n\t) {\n\t\tthrow new Error(`Signature is not valid for the provided message`);\n\t}\n\n\tif (options?.address && !parsedSignature.publicKey.verifyAddress(options.address)) {\n\t\tthrow new Error(`Signature is not valid for the provided address`);\n\t}\n\n\treturn parsedSignature.publicKey;\n}\n\nexport async function verifyTransactionSignature(\n\ttransaction: Uint8Array,\n\tsignature: string,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): Promise<PublicKey> {\n\tconst parsedSignature = parseSignature(signature, options);\n\n\tif (\n\t\t!(await parsedSignature.publicKey.verifyTransaction(\n\t\t\ttransaction,\n\t\t\tparsedSignature.serializedSignature,\n\t\t))\n\t) {\n\t\tthrow new Error(`Signature is not valid for the provided Transaction`);\n\t}\n\n\tif (options?.address && !parsedSignature.publicKey.verifyAddress(options.address)) {\n\t\tthrow new Error(`Signature is not valid for the provided address`);\n\t}\n\n\treturn parsedSignature.publicKey;\n}\n\nfunction parseSignature(signature: string, options: { client?: ClientWithCoreApi } = {}) {\n\tconst parsedSignature = parseSerializedSignature(signature);\n\n\tif (parsedSignature.signatureScheme === 'MultiSig') {\n\t\treturn {\n\t\t\t...parsedSignature,\n\t\t\tpublicKey: new MultiSigPublicKey(parsedSignature.multisig.multisig_pk),\n\t\t};\n\t}\n\n\tconst publicKey = publicKeyFromRawBytes(\n\t\tparsedSignature.signatureScheme,\n\t\tparsedSignature.publicKey,\n\t\toptions,\n\t);\n\treturn {\n\t\t...parsedSignature,\n\t\tpublicKey,\n\t};\n}\n\nexport function publicKeyFromRawBytes(\n\tsignatureScheme: SignatureScheme,\n\tbytes: Uint8Array,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): PublicKey {\n\tlet publicKey: PublicKey;\n\tswitch (signatureScheme) {\n\t\tcase 'ED25519':\n\t\t\tpublicKey = new Ed25519PublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'Secp256k1':\n\t\t\tpublicKey = new Secp256k1PublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'Secp256r1':\n\t\t\tpublicKey = new Secp256r1PublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'MultiSig':\n\t\t\tpublicKey = new MultiSigPublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'ZkLogin':\n\t\t\tpublicKey = ZkLoginPublicIdentifier.fromBytes(bytes, options);\n\t\t\tbreak;\n\t\tcase 'Passkey':\n\t\t\tpublicKey = new PasskeyPublicKey(bytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported signature scheme ${signatureScheme}`);\n\t}\n\n\tif (options.address && publicKey.toSuiAddress() !== options.address) {\n\t\tthrow new Error(`Public key bytes do not match the provided address`);\n\t}\n\n\treturn publicKey;\n}\n\nexport function publicKeyFromSuiBytes(\n\tpublicKey: string | Uint8Array,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n) {\n\tconst bytes = typeof publicKey === 'string' ? fromBase64(publicKey) : publicKey;\n\n\tconst signatureScheme = SIGNATURE_FLAG_TO_SCHEME[bytes[0] as SignatureFlag];\n\n\treturn publicKeyFromRawBytes(signatureScheme, bytes.slice(1), options);\n}\n"],"mappings":";;;;;;;;;;;AAeA,eAAsB,gBACrB,OACA,WACA,SAGqB;CACrB,MAAM,kBAAkB,eAAe,UAAU;AAEjD,KAAI,CAAE,MAAM,gBAAgB,UAAU,OAAO,OAAO,gBAAgB,oBAAoB,CACvF,OAAM,IAAI,MAAM,+CAA+C;AAGhE,KAAI,SAAS,WAAW,CAAC,gBAAgB,UAAU,cAAc,QAAQ,QAAQ,CAChF,OAAM,IAAI,MAAM,kDAAkD;AAGnE,QAAO,gBAAgB;;AAGxB,eAAsB,+BACrB,SACA,WACA,UAA4D,EAAE,EACzC;CACrB,MAAM,kBAAkB,eAAe,WAAW,QAAQ;AAE1D,KACC,CAAE,MAAM,gBAAgB,UAAU,sBACjC,SACA,gBAAgB,oBAChB,CAED,OAAM,IAAI,MAAM,kDAAkD;AAGnE,KAAI,SAAS,WAAW,CAAC,gBAAgB,UAAU,cAAc,QAAQ,QAAQ,CAChF,OAAM,IAAI,MAAM,kDAAkD;AAGnE,QAAO,gBAAgB;;AAGxB,eAAsB,2BACrB,aACA,WACA,UAA4D,EAAE,EACzC;CACrB,MAAM,kBAAkB,eAAe,WAAW,QAAQ;AAE1D,KACC,CAAE,MAAM,gBAAgB,UAAU,kBACjC,aACA,gBAAgB,oBAChB,CAED,OAAM,IAAI,MAAM,sDAAsD;AAGvE,KAAI,SAAS,WAAW,CAAC,gBAAgB,UAAU,cAAc,QAAQ,QAAQ,CAChF,OAAM,IAAI,MAAM,kDAAkD;AAGnE,QAAO,gBAAgB;;AAGxB,SAAS,eAAe,WAAmB,UAA0C,EAAE,EAAE;CACxF,MAAM,kBAAkB,yBAAyB,UAAU;AAE3D,KAAI,gBAAgB,oBAAoB,WACvC,QAAO;EACN,GAAG;EACH,WAAW,IAAI,kBAAkB,gBAAgB,SAAS,YAAY;EACtE;CAGF,MAAM,YAAY,sBACjB,gBAAgB,iBAChB,gBAAgB,WAChB,QACA;AACD,QAAO;EACN,GAAG;EACH;EACA;;AAGF,SAAgB,sBACf,iBACA,OACA,UAA4D,EAAE,EAClD;CACZ,IAAI;AACJ,SAAQ,iBAAR;EACC,KAAK;AACJ,eAAY,IAAI,iBAAiB,MAAM;AACvC;EACD,KAAK;AACJ,eAAY,IAAI,mBAAmB,MAAM;AACzC;EACD,KAAK;AACJ,eAAY,IAAI,mBAAmB,MAAM;AACzC;EACD,KAAK;AACJ,eAAY,IAAI,kBAAkB,MAAM;AACxC;EACD,KAAK;AACJ,eAAY,wBAAwB,UAAU,OAAO,QAAQ;AAC7D;EACD,KAAK;AACJ,eAAY,IAAI,iBAAiB,MAAM;AACvC;EACD,QACC,OAAM,IAAI,MAAM,gCAAgC,kBAAkB;;AAGpE,KAAI,QAAQ,WAAW,UAAU,cAAc,KAAK,QAAQ,QAC3D,OAAM,IAAI,MAAM,qDAAqD;AAGtE,QAAO;;AAGR,SAAgB,sBACf,WACA,UAA4D,EAAE,EAC7D;CACD,MAAM,QAAQ,OAAO,cAAc,WAAW,WAAW,UAAU,GAAG;CAEtE,MAAM,kBAAkB,yBAAyB,MAAM;AAEvD,QAAO,sBAAsB,iBAAiB,MAAM,MAAM,EAAE,EAAE,QAAQ"}
+{"version":3,"file":"verify.mjs","names":[],"sources":["../../src/verify/verify.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromBase64 } from '@mysten/bcs';\n\nimport type { PublicKey, SignatureFlag, SignatureScheme } from '../cryptography/index.js';\nimport { parseSerializedSignature, SIGNATURE_FLAG_TO_SCHEME } from '../cryptography/index.js';\nimport { Ed25519PublicKey } from '../keypairs/ed25519/publickey.js';\nimport { PasskeyPublicKey } from '../keypairs/passkey/publickey.js';\nimport { Secp256k1PublicKey } from '../keypairs/secp256k1/publickey.js';\nimport { Secp256r1PublicKey } from '../keypairs/secp256r1/publickey.js';\nimport { MultiSigPublicKey } from '../multisig/publickey.js';\nimport { ZkLoginPublicIdentifier } from '../zklogin/publickey.js';\nimport type { ClientWithCoreApi } from '../client/core.js';\n\n/**\n * Whether `signature` is a valid signature over `bytes` (and, if `options.address`\n * is given, was produced by that address). Returns `false` for a malformed or\n * cryptographically invalid signature, or one that doesn't match the address;\n * only an *environmental* failure (e.g. a zkLogin JWK/epoch lookup) throws, so a\n * network blip is never reported as an invalid signature.\n */\nexport async function isValidSignature(\n\tbytes: Uint8Array,\n\tsignature: string,\n\toptions: { address?: string } = {},\n): Promise<boolean> {\n\tconst parsed = tryParseSignature(signature);\n\tif (!parsed) return false;\n\tif (!(await parsed.publicKey.verify(bytes, parsed.serializedSignature))) return false;\n\treturn options.address ? parsed.publicKey.verifyAddress(options.address) : true;\n}\n\n/** Like {@link isValidSignature}, for a personal message. */\nexport async function isValidPersonalMessageSignature(\n\tmessage: Uint8Array,\n\tsignature: string,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): Promise<boolean> {\n\tconst parsed = tryParseSignature(signature, { client: options.client });\n\tif (!parsed) return false;\n\tif (!(await parsed.publicKey.verifyPersonalMessage(message, parsed.serializedSignature))) {\n\t\treturn false;\n\t}\n\treturn options.address ? parsed.publicKey.verifyAddress(options.address) : true;\n}\n\n/** Like {@link isValidSignature}, for transaction bytes. */\nexport async function isValidTransactionSignature(\n\ttransaction: Uint8Array,\n\tsignature: string,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): Promise<boolean> {\n\tconst parsed = tryParseSignature(signature, { client: options.client });\n\tif (!parsed) return false;\n\tif (!(await parsed.publicKey.verifyTransaction(transaction, parsed.serializedSignature))) {\n\t\treturn false;\n\t}\n\treturn options.address ? parsed.publicKey.verifyAddress(options.address) : true;\n}\n\nexport async function verifySignature(\n\tbytes: Uint8Array,\n\tsignature: string,\n\toptions: { address?: string } = {},\n): Promise<PublicKey> {\n\tconst { publicKey } = parseSignature(signature);\n\tif (!(await isValidSignature(bytes, signature))) {\n\t\tthrow new Error(`Signature is not valid for the provided data`);\n\t}\n\tif (options.address && !publicKey.verifyAddress(options.address)) {\n\t\tthrow new Error(`Signature is not valid for the provided address`);\n\t}\n\treturn publicKey;\n}\n\nexport async function verifyPersonalMessageSignature(\n\tmessage: Uint8Array,\n\tsignature: string,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): Promise<PublicKey> {\n\tconst { publicKey } = parseSignature(signature, options);\n\tif (!(await isValidPersonalMessageSignature(message, signature, { client: options.client }))) {\n\t\tthrow new Error(`Signature is not valid for the provided message`);\n\t}\n\tif (options.address && !publicKey.verifyAddress(options.address)) {\n\t\tthrow new Error(`Signature is not valid for the provided address`);\n\t}\n\treturn publicKey;\n}\n\nexport async function verifyTransactionSignature(\n\ttransaction: Uint8Array,\n\tsignature: string,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): Promise<PublicKey> {\n\tconst { publicKey } = parseSignature(signature, options);\n\tif (!(await isValidTransactionSignature(transaction, signature, { client: options.client }))) {\n\t\tthrow new Error(`Signature is not valid for the provided Transaction`);\n\t}\n\tif (options.address && !publicKey.verifyAddress(options.address)) {\n\t\tthrow new Error(`Signature is not valid for the provided address`);\n\t}\n\treturn publicKey;\n}\n\nfunction parseSignature(signature: string, options: { client?: ClientWithCoreApi } = {}) {\n\tconst parsedSignature = parseSerializedSignature(signature);\n\n\tif (parsedSignature.signatureScheme === 'MultiSig') {\n\t\treturn {\n\t\t\t...parsedSignature,\n\t\t\tpublicKey: new MultiSigPublicKey(parsedSignature.multisig.multisig_pk),\n\t\t};\n\t}\n\n\tconst publicKey = publicKeyFromRawBytes(\n\t\tparsedSignature.signatureScheme,\n\t\tparsedSignature.publicKey,\n\t\toptions,\n\t);\n\treturn {\n\t\t...parsedSignature,\n\t\tpublicKey,\n\t};\n}\n\n/** {@link parseSignature}, returning `null` instead of throwing on a malformed signature. */\nfunction tryParseSignature(signature: string, options: { client?: ClientWithCoreApi } = {}) {\n\ttry {\n\t\treturn parseSignature(signature, options);\n\t} catch {\n\t\treturn null;\n\t}\n}\n\nexport function publicKeyFromRawBytes(\n\tsignatureScheme: SignatureScheme,\n\tbytes: Uint8Array,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n): PublicKey {\n\tlet publicKey: PublicKey;\n\tswitch (signatureScheme) {\n\t\tcase 'ED25519':\n\t\t\tpublicKey = new Ed25519PublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'Secp256k1':\n\t\t\tpublicKey = new Secp256k1PublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'Secp256r1':\n\t\t\tpublicKey = new Secp256r1PublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'MultiSig':\n\t\t\tpublicKey = new MultiSigPublicKey(bytes);\n\t\t\tbreak;\n\t\tcase 'ZkLogin':\n\t\t\tpublicKey = ZkLoginPublicIdentifier.fromBytes(bytes, options);\n\t\t\tbreak;\n\t\tcase 'Passkey':\n\t\t\tpublicKey = new PasskeyPublicKey(bytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported signature scheme ${signatureScheme}`);\n\t}\n\n\tif (options.address && publicKey.toSuiAddress() !== options.address) {\n\t\tthrow new Error(`Public key bytes do not match the provided address`);\n\t}\n\n\treturn publicKey;\n}\n\nexport function publicKeyFromSuiBytes(\n\tpublicKey: string | Uint8Array,\n\toptions: { client?: ClientWithCoreApi; address?: string } = {},\n) {\n\tconst bytes = typeof publicKey === 'string' ? fromBase64(publicKey) : publicKey;\n\n\tconst signatureScheme = SIGNATURE_FLAG_TO_SCHEME[bytes[0] as SignatureFlag];\n\n\treturn publicKeyFromRawBytes(signatureScheme, bytes.slice(1), options);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAsBA,eAAsB,iBACrB,OACA,WACA,UAAgC,EAAE,EACf;CACnB,MAAM,SAAS,kBAAkB,UAAU;AAC3C,KAAI,CAAC,OAAQ,QAAO;AACpB,KAAI,CAAE,MAAM,OAAO,UAAU,OAAO,OAAO,OAAO,oBAAoB,CAAG,QAAO;AAChF,QAAO,QAAQ,UAAU,OAAO,UAAU,cAAc,QAAQ,QAAQ,GAAG;;;AAI5E,eAAsB,gCACrB,SACA,WACA,UAA4D,EAAE,EAC3C;CACnB,MAAM,SAAS,kBAAkB,WAAW,EAAE,QAAQ,QAAQ,QAAQ,CAAC;AACvE,KAAI,CAAC,OAAQ,QAAO;AACpB,KAAI,CAAE,MAAM,OAAO,UAAU,sBAAsB,SAAS,OAAO,oBAAoB,CACtF,QAAO;AAER,QAAO,QAAQ,UAAU,OAAO,UAAU,cAAc,QAAQ,QAAQ,GAAG;;;AAI5E,eAAsB,4BACrB,aACA,WACA,UAA4D,EAAE,EAC3C;CACnB,MAAM,SAAS,kBAAkB,WAAW,EAAE,QAAQ,QAAQ,QAAQ,CAAC;AACvE,KAAI,CAAC,OAAQ,QAAO;AACpB,KAAI,CAAE,MAAM,OAAO,UAAU,kBAAkB,aAAa,OAAO,oBAAoB,CACtF,QAAO;AAER,QAAO,QAAQ,UAAU,OAAO,UAAU,cAAc,QAAQ,QAAQ,GAAG;;AAG5E,eAAsB,gBACrB,OACA,WACA,UAAgC,EAAE,EACb;CACrB,MAAM,EAAE,cAAc,eAAe,UAAU;AAC/C,KAAI,CAAE,MAAM,iBAAiB,OAAO,UAAU,CAC7C,OAAM,IAAI,MAAM,+CAA+C;AAEhE,KAAI,QAAQ,WAAW,CAAC,UAAU,cAAc,QAAQ,QAAQ,CAC/D,OAAM,IAAI,MAAM,kDAAkD;AAEnE,QAAO;;AAGR,eAAsB,+BACrB,SACA,WACA,UAA4D,EAAE,EACzC;CACrB,MAAM,EAAE,cAAc,eAAe,WAAW,QAAQ;AACxD,KAAI,CAAE,MAAM,gCAAgC,SAAS,WAAW,EAAE,QAAQ,QAAQ,QAAQ,CAAC,CAC1F,OAAM,IAAI,MAAM,kDAAkD;AAEnE,KAAI,QAAQ,WAAW,CAAC,UAAU,cAAc,QAAQ,QAAQ,CAC/D,OAAM,IAAI,MAAM,kDAAkD;AAEnE,QAAO;;AAGR,eAAsB,2BACrB,aACA,WACA,UAA4D,EAAE,EACzC;CACrB,MAAM,EAAE,cAAc,eAAe,WAAW,QAAQ;AACxD,KAAI,CAAE,MAAM,4BAA4B,aAAa,WAAW,EAAE,QAAQ,QAAQ,QAAQ,CAAC,CAC1F,OAAM,IAAI,MAAM,sDAAsD;AAEvE,KAAI,QAAQ,WAAW,CAAC,UAAU,cAAc,QAAQ,QAAQ,CAC/D,OAAM,IAAI,MAAM,kDAAkD;AAEnE,QAAO;;AAGR,SAAS,eAAe,WAAmB,UAA0C,EAAE,EAAE;CACxF,MAAM,kBAAkB,yBAAyB,UAAU;AAE3D,KAAI,gBAAgB,oBAAoB,WACvC,QAAO;EACN,GAAG;EACH,WAAW,IAAI,kBAAkB,gBAAgB,SAAS,YAAY;EACtE;CAGF,MAAM,YAAY,sBACjB,gBAAgB,iBAChB,gBAAgB,WAChB,QACA;AACD,QAAO;EACN,GAAG;EACH;EACA;;;AAIF,SAAS,kBAAkB,WAAmB,UAA0C,EAAE,EAAE;AAC3F,KAAI;AACH,SAAO,eAAe,WAAW,QAAQ;SAClC;AACP,SAAO;;;AAIT,SAAgB,sBACf,iBACA,OACA,UAA4D,EAAE,EAClD;CACZ,IAAI;AACJ,SAAQ,iBAAR;EACC,KAAK;AACJ,eAAY,IAAI,iBAAiB,MAAM;AACvC;EACD,KAAK;AACJ,eAAY,IAAI,mBAAmB,MAAM;AACzC;EACD,KAAK;AACJ,eAAY,IAAI,mBAAmB,MAAM;AACzC;EACD,KAAK;AACJ,eAAY,IAAI,kBAAkB,MAAM;AACxC;EACD,KAAK;AACJ,eAAY,wBAAwB,UAAU,OAAO,QAAQ;AAC7D;EACD,KAAK;AACJ,eAAY,IAAI,iBAAiB,MAAM;AACvC;EACD,QACC,OAAM,IAAI,MAAM,gCAAgC,kBAAkB;;AAGpE,KAAI,QAAQ,WAAW,UAAU,cAAc,KAAK,QAAQ,QAC3D,OAAM,IAAI,MAAM,qDAAqD;AAGtE,QAAO;;AAGR,SAAgB,sBACf,WACA,UAA4D,EAAE,EAC7D;CACD,MAAM,QAAQ,OAAO,cAAc,WAAW,WAAW,UAAU,GAAG;CAEtE,MAAM,kBAAkB,yBAAyB,MAAM;AAEvD,QAAO,sBAAsB,iBAAiB,MAAM,MAAM,EAAE,EAAE,QAAQ"}

package/dist/version.mjs

@@ -1,5 +1,5 @@
 //#region src/version.ts
-const PACKAGE_VERSION = "2.17.0";
+const PACKAGE_VERSION = "2.19.0";
 
 //#endregion
 export { PACKAGE_VERSION };

package/dist/version.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"version.mjs","names":[],"sources":["../src/version.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '2.17.0';\n"],"mappings":";AAKA,MAAa,kBAAkB"}
+{"version":3,"file":"version.mjs","names":[],"sources":["../src/version.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '2.19.0';\n"],"mappings":";AAKA,MAAa,kBAAkB"}

package/dist/zklogin/jwt-utils.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-utils.d.mts","names":[],"sources":["../../src/zklogin/jwt-utils.ts"],"mappings":";;;iBAsHgB,SAAA,CAAU,GAAA,WAAc,IAAA,CAAK,UAAA;EAC5C,GAAA;EACA,GAAA;EACA,GAAA;EACA,MAAA;AAAA"}
+{"version":3,"file":"jwt-utils.d.mts","names":[],"sources":["../../src/zklogin/jwt-utils.ts"],"mappings":";;;iBAyHgB,SAAA,CAAU,GAAA,WAAc,IAAA,CAAK,UAAA;EAC5C,GAAA;EACA,GAAA;EACA,GAAA;EACA,MAAA;AAAA"}

package/dist/zklogin/jwt-utils.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-utils.mjs","names":["i"],"sources":["../../src/zklogin/jwt-utils.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport type { JwtPayload } from './jwt-decode.js';\nimport { jwtDecode } from './jwt-decode.js';\nimport { normalizeZkLoginIssuer } from './utils.js';\n\nfunction base64UrlCharTo6Bits(base64UrlChar: string): number[] {\n\tif (base64UrlChar.length !== 1) {\n\t\tthrow new Error('Invalid base64Url character: ' + base64UrlChar);\n\t}\n\n\t// Define the base64URL character set\n\tconst base64UrlCharacterSet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';\n\n\t// Find the index of the input character in the base64URL character set\n\tconst index = base64UrlCharacterSet.indexOf(base64UrlChar);\n\n\tif (index === -1) {\n\t\tthrow new Error('Invalid base64Url character: ' + base64UrlChar);\n\t}\n\n\t// Convert the index to a 6-bit binary string\n\tconst binaryString = index.toString(2).padStart(6, '0');\n\n\t// Convert the binary string to an array of bits\n\tconst bits = Array.from(binaryString).map(Number);\n\n\treturn bits;\n}\n\nfunction base64UrlStringToBitVector(base64UrlString: string) {\n\tlet bitVector: number[] = [];\n\tfor (let i = 0; i < base64UrlString.length; i++) {\n\t\tconst base64UrlChar = base64UrlString.charAt(i);\n\t\tconst bits = base64UrlCharTo6Bits(base64UrlChar);\n\t\tbitVector = bitVector.concat(bits);\n\t}\n\treturn bitVector;\n}\n\nfunction decodeBase64URL(s: string, i: number): string {\n\tif (s.length < 2) {\n\t\tthrow new Error(`Input (s = ${s}) is not tightly packed because s.length < 2`);\n\t}\n\tlet bits = base64UrlStringToBitVector(s);\n\n\tconst firstCharOffset = i % 4;\n\tif (firstCharOffset === 0) {\n\t\t// skip\n\t} else if (firstCharOffset === 1) {\n\t\tbits = bits.slice(2);\n\t} else if (firstCharOffset === 2) {\n\t\tbits = bits.slice(4);\n\t} else {\n\t\t// (offset == 3)\n\t\tthrow new Error(`Input (s = ${s}) is not tightly packed because i%4 = 3 (i = ${i}))`);\n\t}\n\n\tconst lastCharOffset = (i + s.length - 1) % 4;\n\tif (lastCharOffset === 3) {\n\t\t// skip\n\t} else if (lastCharOffset === 2) {\n\t\tbits = bits.slice(0, bits.length - 2);\n\t} else if (lastCharOffset === 1) {\n\t\tbits = bits.slice(0, bits.length - 4);\n\t} else {\n\t\t// (offset == 0)\n\t\tthrow new Error(\n\t\t\t`Input (s = ${s}) is not tightly packed because (i + s.length - 1)%4 = 0 (i = ${i}))`,\n\t\t);\n\t}\n\n\tif (bits.length % 8 !== 0) {\n\t\tthrow new Error(`We should never reach here...`);\n\t}\n\n\tconst bytes = new Uint8Array(Math.floor(bits.length / 8));\n\tlet currentByteIndex = 0;\n\tfor (let i = 0; i < bits.length; i += 8) {\n\t\tconst bitChunk = bits.slice(i, i + 8);\n\n\t\t// Convert the 8-bit chunk to a byte and add it to the bytes array\n\t\tconst byte = parseInt(bitChunk.join(''), 2);\n\t\tbytes[currentByteIndex++] = byte;\n\t}\n\treturn new TextDecoder().decode(bytes);\n}\n\nfunction verifyExtendedClaim(claim: string) {\n\t// Last character of each extracted_claim must be '}' or ','\n\tif (!(claim.slice(-1) === '}' || claim.slice(-1) === ',')) {\n\t\tthrow new Error('Invalid claim');\n\t}\n\n\t// A hack to parse the JSON key-value pair.. but it should work\n\tconst json = JSON.parse('{' + claim.slice(0, -1) + '}');\n\tif (Object.keys(json).length !== 1) {\n\t\tthrow new Error('Invalid claim');\n\t}\n\tconst key = Object.keys(json)[0];\n\treturn [key, json[key]];\n}\n\nexport type Claim = {\n\tvalue: string;\n\tindexMod4: number;\n};\n\nexport function extractClaimValue<R>(claim: Claim, claimName: string): R {\n\tconst extendedClaim = decodeBase64URL(claim.value, claim.indexMod4);\n\tconst [name, value] = verifyExtendedClaim(extendedClaim);\n\tif (name !== claimName) {\n\t\tthrow new Error(`Invalid field name: found ${name} expected ${claimName}`);\n\t}\n\treturn value;\n}\n\nexport function decodeJwt(jwt: string): Omit<JwtPayload, 'iss' | 'aud' | 'sub'> & {\n\tiss: string;\n\taud: string;\n\tsub: string;\n\trawIss: string;\n} {\n\tconst { iss, aud, sub, ...decodedJWT } = jwtDecode(jwt);\n\n\tif (!sub || !iss || !aud) {\n\t\tthrow new Error('Missing jwt data');\n\t}\n\n\tif (Array.isArray(aud)) {\n\t\tthrow new Error('Not supported aud. Aud is an array, string was expected.');\n\t}\n\n\treturn {\n\t\t...decodedJWT,\n\t\tiss: normalizeZkLoginIssuer(iss),\n\t\trawIss: iss,\n\t\taud,\n\t\tsub,\n\t};\n}\n"],"mappings":";;;;AAOA,SAAS,qBAAqB,eAAiC;AAC9D,KAAI,cAAc,WAAW,EAC5B,OAAM,IAAI,MAAM,kCAAkC,cAAc;CAOjE,MAAM,QAHwB,mEAGM,QAAQ,cAAc;AAE1D,KAAI,UAAU,GACb,OAAM,IAAI,MAAM,kCAAkC,cAAc;CAIjE,MAAM,eAAe,MAAM,SAAS,EAAE,CAAC,SAAS,GAAG,IAAI;AAKvD,QAFa,MAAM,KAAK,aAAa,CAAC,IAAI,OAAO;;AAKlD,SAAS,2BAA2B,iBAAyB;CAC5D,IAAI,YAAsB,EAAE;AAC5B,MAAK,IAAI,IAAI,GAAG,IAAI,gBAAgB,QAAQ,KAAK;EAEhD,MAAM,OAAO,qBADS,gBAAgB,OAAO,EAAE,CACC;AAChD,cAAY,UAAU,OAAO,KAAK;;AAEnC,QAAO;;AAGR,SAAS,gBAAgB,GAAW,GAAmB;AACtD,KAAI,EAAE,SAAS,EACd,OAAM,IAAI,MAAM,cAAc,EAAE,8CAA8C;CAE/E,IAAI,OAAO,2BAA2B,EAAE;CAExC,MAAM,kBAAkB,IAAI;AAC5B,KAAI,oBAAoB,GAAG,YAEhB,oBAAoB,EAC9B,QAAO,KAAK,MAAM,EAAE;UACV,oBAAoB,EAC9B,QAAO,KAAK,MAAM,EAAE;KAGpB,OAAM,IAAI,MAAM,cAAc,EAAE,+CAA+C,EAAE,IAAI;CAGtF,MAAM,kBAAkB,IAAI,EAAE,SAAS,KAAK;AAC5C,KAAI,mBAAmB,GAAG,YAEf,mBAAmB,EAC7B,QAAO,KAAK,MAAM,GAAG,KAAK,SAAS,EAAE;UAC3B,mBAAmB,EAC7B,QAAO,KAAK,MAAM,GAAG,KAAK,SAAS,EAAE;KAGrC,OAAM,IAAI,MACT,cAAc,EAAE,gEAAgE,EAAE,IAClF;AAGF,KAAI,KAAK,SAAS,MAAM,EACvB,OAAM,IAAI,MAAM,gCAAgC;CAGjD,MAAM,QAAQ,IAAI,WAAW,KAAK,MAAM,KAAK,SAAS,EAAE,CAAC;CACzD,IAAI,mBAAmB;AACvB,MAAK,IAAIA,MAAI,GAAGA,MAAI,KAAK,QAAQ,OAAK,GAAG;EACxC,MAAM,WAAW,KAAK,MAAMA,KAAGA,MAAI,EAAE;EAGrC,MAAM,OAAO,SAAS,SAAS,KAAK,GAAG,EAAE,EAAE;AAC3C,QAAM,sBAAsB;;AAE7B,QAAO,IAAI,aAAa,CAAC,OAAO,MAAM;;AAGvC,SAAS,oBAAoB,OAAe;AAE3C,KAAI,EAAE,MAAM,MAAM,GAAG,KAAK,OAAO,MAAM,MAAM,GAAG,KAAK,KACpD,OAAM,IAAI,MAAM,gBAAgB;CAIjC,MAAM,OAAO,KAAK,MAAM,MAAM,MAAM,MAAM,GAAG,GAAG,GAAG,IAAI;AACvD,KAAI,OAAO,KAAK,KAAK,CAAC,WAAW,EAChC,OAAM,IAAI,MAAM,gBAAgB;CAEjC,MAAM,MAAM,OAAO,KAAK,KAAK,CAAC;AAC9B,QAAO,CAAC,KAAK,KAAK,KAAK;;AAQxB,SAAgB,kBAAqB,OAAc,WAAsB;CAExE,MAAM,CAAC,MAAM,SAAS,oBADA,gBAAgB,MAAM,OAAO,MAAM,UAAU,CACX;AACxD,KAAI,SAAS,UACZ,OAAM,IAAI,MAAM,6BAA6B,KAAK,YAAY,YAAY;AAE3E,QAAO;;AAGR,SAAgB,UAAU,KAKxB;CACD,MAAM,EAAE,KAAK,KAAK,KAAK,GAAG,eAAe,UAAU,IAAI;AAEvD,KAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IACpB,OAAM,IAAI,MAAM,mBAAmB;AAGpC,KAAI,MAAM,QAAQ,IAAI,CACrB,OAAM,IAAI,MAAM,2DAA2D;AAG5E,QAAO;EACN,GAAG;EACH,KAAK,uBAAuB,IAAI;EAChC,QAAQ;EACR;EACA;EACA"}
+{"version":3,"file":"jwt-utils.mjs","names":["i"],"sources":["../../src/zklogin/jwt-utils.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport type { JwtPayload } from './jwt-decode.js';\nimport { jwtDecode } from './jwt-decode.js';\nimport { normalizeZkLoginIssuer } from './utils.js';\n\nfunction base64UrlCharTo6Bits(base64UrlChar: string): number[] {\n\tif (base64UrlChar.length !== 1) {\n\t\tthrow new Error('Invalid base64Url character: ' + base64UrlChar);\n\t}\n\n\t// Define the base64URL character set\n\tconst base64UrlCharacterSet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';\n\n\t// Find the index of the input character in the base64URL character set\n\tconst index = base64UrlCharacterSet.indexOf(base64UrlChar);\n\n\tif (index === -1) {\n\t\tthrow new Error('Invalid base64Url character: ' + base64UrlChar);\n\t}\n\n\t// Convert the index to a 6-bit binary string\n\tconst binaryString = index.toString(2).padStart(6, '0');\n\n\t// Convert the binary string to an array of bits\n\tconst bits = Array.from(binaryString).map(Number);\n\n\treturn bits;\n}\n\nfunction base64UrlStringToBitVector(base64UrlString: string) {\n\tlet bitVector: number[] = [];\n\tfor (let i = 0; i < base64UrlString.length; i++) {\n\t\tconst base64UrlChar = base64UrlString.charAt(i);\n\t\tconst bits = base64UrlCharTo6Bits(base64UrlChar);\n\t\tbitVector = bitVector.concat(bits);\n\t}\n\treturn bitVector;\n}\n\nfunction decodeBase64URL(s: string, i: number): string {\n\tif (s.length < 2) {\n\t\tthrow new Error(`Input (s = ${s}) is not tightly packed because s.length < 2`);\n\t}\n\tlet bits = base64UrlStringToBitVector(s);\n\n\tconst firstCharOffset = i % 4;\n\tif (firstCharOffset === 0) {\n\t\t// skip\n\t} else if (firstCharOffset === 1) {\n\t\tbits = bits.slice(2);\n\t} else if (firstCharOffset === 2) {\n\t\tbits = bits.slice(4);\n\t} else {\n\t\t// (offset == 3)\n\t\tthrow new Error(`Input (s = ${s}) is not tightly packed because i%4 = 3 (i = ${i}))`);\n\t}\n\n\tconst lastCharOffset = (i + s.length - 1) % 4;\n\tif (lastCharOffset === 3) {\n\t\t// skip\n\t} else if (lastCharOffset === 2) {\n\t\tbits = bits.slice(0, bits.length - 2);\n\t} else if (lastCharOffset === 1) {\n\t\tbits = bits.slice(0, bits.length - 4);\n\t} else {\n\t\t// (offset == 0)\n\t\tthrow new Error(\n\t\t\t`Input (s = ${s}) is not tightly packed because (i + s.length - 1)%4 = 0 (i = ${i}))`,\n\t\t);\n\t}\n\n\tif (bits.length % 8 !== 0) {\n\t\tthrow new Error(`We should never reach here...`);\n\t}\n\n\tconst bytes = new Uint8Array(Math.floor(bits.length / 8));\n\tlet currentByteIndex = 0;\n\tfor (let i = 0; i < bits.length; i += 8) {\n\t\tconst bitChunk = bits.slice(i, i + 8);\n\n\t\t// Convert the 8-bit chunk to a byte and add it to the bytes array\n\t\tconst byte = parseInt(bitChunk.join(''), 2);\n\t\tbytes[currentByteIndex++] = byte;\n\t}\n\treturn new TextDecoder().decode(bytes);\n}\n\nfunction verifyExtendedClaim(claim: string) {\n\t// Last character of each extracted_claim must be '}' or ','\n\tif (!(claim.slice(-1) === '}' || claim.slice(-1) === ',')) {\n\t\tthrow new Error('Invalid claim');\n\t}\n\n\t// A hack to parse the JSON key-value pair.. but it should work\n\tconst json = JSON.parse('{' + claim.slice(0, -1) + '}');\n\tif (Object.keys(json).length !== 1) {\n\t\tthrow new Error('Invalid claim');\n\t}\n\tconst key = Object.keys(json)[0];\n\treturn [key, json[key]];\n}\n\nexport type Claim = {\n\tvalue: string;\n\tindexMod4: number;\n};\n\nexport function extractClaimValue<R>(claim: Claim, claimName: string): R {\n\tconst extendedClaim = decodeBase64URL(claim.value, claim.indexMod4);\n\tconst [name, value] = verifyExtendedClaim(extendedClaim);\n\tif (name !== claimName) {\n\t\tthrow new Error(`Invalid field name: found ${name} expected ${claimName}`);\n\t}\n\treturn value;\n}\n\n// TODO: root cause of the claim-escaping bug — jwtDecode resolves JSON escapes, but the\n// circuit derives the address seed from raw JWT bytes, so escaped claim values decode\n// differently here than the circuit hashes. Real fix: parse claims over raw bytes.\nexport function decodeJwt(jwt: string): Omit<JwtPayload, 'iss' | 'aud' | 'sub'> & {\n\tiss: string;\n\taud: string;\n\tsub: string;\n\trawIss: string;\n} {\n\tconst { iss, aud, sub, ...decodedJWT } = jwtDecode(jwt);\n\n\tif (!sub || !iss || !aud) {\n\t\tthrow new Error('Missing jwt data');\n\t}\n\n\tif (Array.isArray(aud)) {\n\t\tthrow new Error('Not supported aud. Aud is an array, string was expected.');\n\t}\n\n\treturn {\n\t\t...decodedJWT,\n\t\tiss: normalizeZkLoginIssuer(iss),\n\t\trawIss: iss,\n\t\taud,\n\t\tsub,\n\t};\n}\n"],"mappings":";;;;AAOA,SAAS,qBAAqB,eAAiC;AAC9D,KAAI,cAAc,WAAW,EAC5B,OAAM,IAAI,MAAM,kCAAkC,cAAc;CAOjE,MAAM,QAHwB,mEAGM,QAAQ,cAAc;AAE1D,KAAI,UAAU,GACb,OAAM,IAAI,MAAM,kCAAkC,cAAc;CAIjE,MAAM,eAAe,MAAM,SAAS,EAAE,CAAC,SAAS,GAAG,IAAI;AAKvD,QAFa,MAAM,KAAK,aAAa,CAAC,IAAI,OAAO;;AAKlD,SAAS,2BAA2B,iBAAyB;CAC5D,IAAI,YAAsB,EAAE;AAC5B,MAAK,IAAI,IAAI,GAAG,IAAI,gBAAgB,QAAQ,KAAK;EAEhD,MAAM,OAAO,qBADS,gBAAgB,OAAO,EAAE,CACC;AAChD,cAAY,UAAU,OAAO,KAAK;;AAEnC,QAAO;;AAGR,SAAS,gBAAgB,GAAW,GAAmB;AACtD,KAAI,EAAE,SAAS,EACd,OAAM,IAAI,MAAM,cAAc,EAAE,8CAA8C;CAE/E,IAAI,OAAO,2BAA2B,EAAE;CAExC,MAAM,kBAAkB,IAAI;AAC5B,KAAI,oBAAoB,GAAG,YAEhB,oBAAoB,EAC9B,QAAO,KAAK,MAAM,EAAE;UACV,oBAAoB,EAC9B,QAAO,KAAK,MAAM,EAAE;KAGpB,OAAM,IAAI,MAAM,cAAc,EAAE,+CAA+C,EAAE,IAAI;CAGtF,MAAM,kBAAkB,IAAI,EAAE,SAAS,KAAK;AAC5C,KAAI,mBAAmB,GAAG,YAEf,mBAAmB,EAC7B,QAAO,KAAK,MAAM,GAAG,KAAK,SAAS,EAAE;UAC3B,mBAAmB,EAC7B,QAAO,KAAK,MAAM,GAAG,KAAK,SAAS,EAAE;KAGrC,OAAM,IAAI,MACT,cAAc,EAAE,gEAAgE,EAAE,IAClF;AAGF,KAAI,KAAK,SAAS,MAAM,EACvB,OAAM,IAAI,MAAM,gCAAgC;CAGjD,MAAM,QAAQ,IAAI,WAAW,KAAK,MAAM,KAAK,SAAS,EAAE,CAAC;CACzD,IAAI,mBAAmB;AACvB,MAAK,IAAIA,MAAI,GAAGA,MAAI,KAAK,QAAQ,OAAK,GAAG;EACxC,MAAM,WAAW,KAAK,MAAMA,KAAGA,MAAI,EAAE;EAGrC,MAAM,OAAO,SAAS,SAAS,KAAK,GAAG,EAAE,EAAE;AAC3C,QAAM,sBAAsB;;AAE7B,QAAO,IAAI,aAAa,CAAC,OAAO,MAAM;;AAGvC,SAAS,oBAAoB,OAAe;AAE3C,KAAI,EAAE,MAAM,MAAM,GAAG,KAAK,OAAO,MAAM,MAAM,GAAG,KAAK,KACpD,OAAM,IAAI,MAAM,gBAAgB;CAIjC,MAAM,OAAO,KAAK,MAAM,MAAM,MAAM,MAAM,GAAG,GAAG,GAAG,IAAI;AACvD,KAAI,OAAO,KAAK,KAAK,CAAC,WAAW,EAChC,OAAM,IAAI,MAAM,gBAAgB;CAEjC,MAAM,MAAM,OAAO,KAAK,KAAK,CAAC;AAC9B,QAAO,CAAC,KAAK,KAAK,KAAK;;AAQxB,SAAgB,kBAAqB,OAAc,WAAsB;CAExE,MAAM,CAAC,MAAM,SAAS,oBADA,gBAAgB,MAAM,OAAO,MAAM,UAAU,CACX;AACxD,KAAI,SAAS,UACZ,OAAM,IAAI,MAAM,6BAA6B,KAAK,YAAY,YAAY;AAE3E,QAAO;;AAMR,SAAgB,UAAU,KAKxB;CACD,MAAM,EAAE,KAAK,KAAK,KAAK,GAAG,eAAe,UAAU,IAAI;AAEvD,KAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IACpB,OAAM,IAAI,MAAM,mBAAmB;AAGpC,KAAI,MAAM,QAAQ,IAAI,CACrB,OAAM,IAAI,MAAM,2DAA2D;AAG5E,QAAO;EACN,GAAG;EACH,KAAK,uBAAuB,IAAI;EAChC,QAAQ;EACR;EACA;EACA"}

package/dist/zklogin/utils.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.mts","names":[],"sources":["../../src/zklogin/utils.ts"],"mappings":";;;iBAwBgB,sBAAA,CAAuB,GAAA,UAAa,KAAA,WAAgB,UAAA;AAAA,iBAMpD,gBAAA,CAAiB,GAAA,UAAa,KAAA,WAAgB,UAAA;AAAA,iBAY9C,6BAAA,CAA8B,SAAA,EAAW,SAAA;AAAA,iBA8BzC,mBAAA,CAAoB,GAAA,UAAa,OAAA;AAAA,iBAiBjC,cAAA,CACf,IAAA,mBACA,IAAA,UACA,KAAA,UACA,GAAA,UACA,eAAA,WACA,gBAAA,WACA,cAAA"}
+{"version":3,"file":"utils.d.mts","names":[],"sources":["../../src/zklogin/utils.ts"],"mappings":";;;iBAwBgB,sBAAA,CAAuB,GAAA,UAAa,KAAA,WAAgB,UAAA;AAAA,iBAMpD,gBAAA,CAAiB,GAAA,UAAa,KAAA,WAAgB,UAAA;AAAA,iBAY9C,6BAAA,CAA8B,SAAA,EAAW,SAAA;AAAA,iBA8BzC,mBAAA,CAAoB,GAAA,UAAa,OAAA;AAAA,iBA+BjC,cAAA,CACf,IAAA,mBACA,IAAA,UACA,KAAA,UACA,GAAA,UACA,eAAA,WACA,gBAAA,WACA,cAAA"}

package/dist/zklogin/utils.mjs

@@ -45,7 +45,16 @@ function hashASCIIStrToField(str, maxSize) {
 	if (str.length > maxSize) throw new Error(`String ${str} is longer than ${maxSize} chars`);
 	return poseidonHash(chunkArray(str.padEnd(maxSize, String.fromCharCode(0)).split("").map((c) => c.charCodeAt(0)), PACK_WIDTH / 8).map((chunk) => bytesBEToBigInt(chunk)));
 }
+function assertNoJsonEscape(value, label) {
+	for (let i = 0; i < value.length; i++) {
+		const c = value.charCodeAt(i);
+		if (c < 32 || c === 34 || c === 92) throw new Error(`zkLogin ${label} contains a JSON-escaped character (code ${c}); the circuit hashes raw JWT bytes, so claim values with escapes are not supported`);
+	}
+}
 function genAddressSeed(salt, name, value, aud, max_name_length = MAX_KEY_CLAIM_NAME_LENGTH, max_value_length = MAX_KEY_CLAIM_VALUE_LENGTH, max_aud_length = MAX_AUD_VALUE_LENGTH) {
+	assertNoJsonEscape(name, "key claim name");
+	assertNoJsonEscape(value, "key claim value");
+	assertNoJsonEscape(aud, "aud");
 	return poseidonHash([
 		hashASCIIStrToField(name, max_name_length),
 		hashASCIIStrToField(value, max_value_length),

package/dist/zklogin/utils.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"utils.mjs","names":[],"sources":["../../src/zklogin/utils.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { hexToBytes } from '@noble/hashes/utils.js';\n\nimport type { PublicKey } from '../cryptography/publickey.js';\nimport { poseidonHash } from './poseidon.js';\n\nconst MAX_KEY_CLAIM_NAME_LENGTH = 32;\nconst MAX_KEY_CLAIM_VALUE_LENGTH = 115;\nconst MAX_AUD_VALUE_LENGTH = 145;\nconst PACK_WIDTH = 248;\n\nfunction findFirstNonZeroIndex(bytes: Uint8Array) {\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tif (bytes[i] !== 0) {\n\t\t\treturn i;\n\t\t}\n\t}\n\n\treturn -1;\n}\n\n// Derive bytearray from num where the bytearray is padded to the left with 0s to the specified width.\nexport function toPaddedBigEndianBytes(num: bigint, width: number): Uint8Array {\n\tconst hex = num.toString(16);\n\treturn hexToBytes(hex.padStart(width * 2, '0').slice(-width * 2));\n}\n\n// Derive bytearray from num where the bytearray is not padded with 0.\nexport function toBigEndianBytes(num: bigint, width: number): Uint8Array {\n\tconst bytes = toPaddedBigEndianBytes(num, width);\n\n\tconst firstNonZeroIndex = findFirstNonZeroIndex(bytes);\n\n\tif (firstNonZeroIndex === -1) {\n\t\treturn new Uint8Array([0]);\n\t}\n\n\treturn bytes.slice(firstNonZeroIndex);\n}\n\nexport function getExtendedEphemeralPublicKey(publicKey: PublicKey) {\n\treturn publicKey.toSuiPublicKey();\n}\n\n/**\n * Splits an array into chunks of size chunk_size. If the array is not evenly\n * divisible by chunk_size, the first chunk will be smaller than chunk_size.\n *\n * E.g., arrayChunk([1, 2, 3, 4, 5], 2) => [[1], [2, 3], [4, 5]]\n *\n * Note: Can be made more efficient by avoiding the reverse() calls.\n */\nexport function chunkArray<T>(array: T[], chunk_size: number): T[][] {\n\tconst chunks = Array(Math.ceil(array.length / chunk_size));\n\tconst revArray = array.reverse();\n\tfor (let i = 0; i < chunks.length; i++) {\n\t\tchunks[i] = revArray.slice(i * chunk_size, (i + 1) * chunk_size).reverse();\n\t}\n\treturn chunks.reverse();\n}\n\nfunction bytesBEToBigInt(bytes: number[]): bigint {\n\tconst hex = bytes.map((b) => b.toString(16).padStart(2, '0')).join('');\n\tif (hex.length === 0) {\n\t\treturn BigInt(0);\n\t}\n\treturn BigInt('0x' + hex);\n}\n\n// hashes an ASCII string to a field element\nexport function hashASCIIStrToField(str: string, maxSize: number) {\n\tif (str.length > maxSize) {\n\t\tthrow new Error(`String ${str} is longer than ${maxSize} chars`);\n\t}\n\n\t// Note: Padding with zeroes is safe because we are only using this function to map human-readable sequence of bytes.\n\t// So the ASCII values of those characters will never be zero (null character).\n\tconst strPadded = str\n\t\t.padEnd(maxSize, String.fromCharCode(0))\n\t\t.split('')\n\t\t.map((c) => c.charCodeAt(0));\n\n\tconst chunkSize = PACK_WIDTH / 8;\n\tconst packed = chunkArray(strPadded, chunkSize).map((chunk) => bytesBEToBigInt(chunk));\n\treturn poseidonHash(packed);\n}\n\nexport function genAddressSeed(\n\tsalt: string | bigint,\n\tname: string,\n\tvalue: string,\n\taud: string,\n\tmax_name_length = MAX_KEY_CLAIM_NAME_LENGTH,\n\tmax_value_length = MAX_KEY_CLAIM_VALUE_LENGTH,\n\tmax_aud_length = MAX_AUD_VALUE_LENGTH,\n): bigint {\n\treturn poseidonHash([\n\t\thashASCIIStrToField(name, max_name_length),\n\t\thashASCIIStrToField(value, max_value_length),\n\t\thashASCIIStrToField(aud, max_aud_length),\n\t\tposeidonHash([BigInt(salt)]),\n\t]);\n}\n\nexport function normalizeZkLoginIssuer(iss: string) {\n\tif (iss === 'accounts.google.com') {\n\t\treturn 'https://accounts.google.com';\n\t}\n\treturn iss;\n}\n"],"mappings":";;;;AAQA,MAAM,4BAA4B;AAClC,MAAM,6BAA6B;AACnC,MAAM,uBAAuB;AAC7B,MAAM,aAAa;AAEnB,SAAS,sBAAsB,OAAmB;AACjD,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,IACjC,KAAI,MAAM,OAAO,EAChB,QAAO;AAIT,QAAO;;AAIR,SAAgB,uBAAuB,KAAa,OAA2B;AAE9E,QAAO,WADK,IAAI,SAAS,GAAG,CACN,SAAS,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;;AAIlE,SAAgB,iBAAiB,KAAa,OAA2B;CACxE,MAAM,QAAQ,uBAAuB,KAAK,MAAM;CAEhD,MAAM,oBAAoB,sBAAsB,MAAM;AAEtD,KAAI,sBAAsB,GACzB,QAAO,IAAI,WAAW,CAAC,EAAE,CAAC;AAG3B,QAAO,MAAM,MAAM,kBAAkB;;AAGtC,SAAgB,8BAA8B,WAAsB;AACnE,QAAO,UAAU,gBAAgB;;;;;;;;;;AAWlC,SAAgB,WAAc,OAAY,YAA2B;CACpE,MAAM,SAAS,MAAM,KAAK,KAAK,MAAM,SAAS,WAAW,CAAC;CAC1D,MAAM,WAAW,MAAM,SAAS;AAChC,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IAClC,QAAO,KAAK,SAAS,MAAM,IAAI,aAAa,IAAI,KAAK,WAAW,CAAC,SAAS;AAE3E,QAAO,OAAO,SAAS;;AAGxB,SAAS,gBAAgB,OAAyB;CACjD,MAAM,MAAM,MAAM,KAAK,MAAM,EAAE,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,KAAK,GAAG;AACtE,KAAI,IAAI,WAAW,EAClB,QAAO,OAAO,EAAE;AAEjB,QAAO,OAAO,OAAO,IAAI;;AAI1B,SAAgB,oBAAoB,KAAa,SAAiB;AACjE,KAAI,IAAI,SAAS,QAChB,OAAM,IAAI,MAAM,UAAU,IAAI,kBAAkB,QAAQ,QAAQ;AAYjE,QAAO,aADQ,WANG,IAChB,OAAO,SAAS,OAAO,aAAa,EAAE,CAAC,CACvC,MAAM,GAAG,CACT,KAAK,MAAM,EAAE,WAAW,EAAE,CAAC,EAEX,aAAa,EACgB,CAAC,KAAK,UAAU,gBAAgB,MAAM,CAAC,CAC3D;;AAG5B,SAAgB,eACf,MACA,MACA,OACA,KACA,kBAAkB,2BAClB,mBAAmB,4BACnB,iBAAiB,sBACR;AACT,QAAO,aAAa;EACnB,oBAAoB,MAAM,gBAAgB;EAC1C,oBAAoB,OAAO,iBAAiB;EAC5C,oBAAoB,KAAK,eAAe;EACxC,aAAa,CAAC,OAAO,KAAK,CAAC,CAAC;EAC5B,CAAC;;AAGH,SAAgB,uBAAuB,KAAa;AACnD,KAAI,QAAQ,sBACX,QAAO;AAER,QAAO"}
+{"version":3,"file":"utils.mjs","names":[],"sources":["../../src/zklogin/utils.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { hexToBytes } from '@noble/hashes/utils.js';\n\nimport type { PublicKey } from '../cryptography/publickey.js';\nimport { poseidonHash } from './poseidon.js';\n\nconst MAX_KEY_CLAIM_NAME_LENGTH = 32;\nconst MAX_KEY_CLAIM_VALUE_LENGTH = 115;\nconst MAX_AUD_VALUE_LENGTH = 145;\nconst PACK_WIDTH = 248;\n\nfunction findFirstNonZeroIndex(bytes: Uint8Array) {\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tif (bytes[i] !== 0) {\n\t\t\treturn i;\n\t\t}\n\t}\n\n\treturn -1;\n}\n\n// Derive bytearray from num where the bytearray is padded to the left with 0s to the specified width.\nexport function toPaddedBigEndianBytes(num: bigint, width: number): Uint8Array {\n\tconst hex = num.toString(16);\n\treturn hexToBytes(hex.padStart(width * 2, '0').slice(-width * 2));\n}\n\n// Derive bytearray from num where the bytearray is not padded with 0.\nexport function toBigEndianBytes(num: bigint, width: number): Uint8Array {\n\tconst bytes = toPaddedBigEndianBytes(num, width);\n\n\tconst firstNonZeroIndex = findFirstNonZeroIndex(bytes);\n\n\tif (firstNonZeroIndex === -1) {\n\t\treturn new Uint8Array([0]);\n\t}\n\n\treturn bytes.slice(firstNonZeroIndex);\n}\n\nexport function getExtendedEphemeralPublicKey(publicKey: PublicKey) {\n\treturn publicKey.toSuiPublicKey();\n}\n\n/**\n * Splits an array into chunks of size chunk_size. If the array is not evenly\n * divisible by chunk_size, the first chunk will be smaller than chunk_size.\n *\n * E.g., arrayChunk([1, 2, 3, 4, 5], 2) => [[1], [2, 3], [4, 5]]\n *\n * Note: Can be made more efficient by avoiding the reverse() calls.\n */\nexport function chunkArray<T>(array: T[], chunk_size: number): T[][] {\n\tconst chunks = Array(Math.ceil(array.length / chunk_size));\n\tconst revArray = array.reverse();\n\tfor (let i = 0; i < chunks.length; i++) {\n\t\tchunks[i] = revArray.slice(i * chunk_size, (i + 1) * chunk_size).reverse();\n\t}\n\treturn chunks.reverse();\n}\n\nfunction bytesBEToBigInt(bytes: number[]): bigint {\n\tconst hex = bytes.map((b) => b.toString(16).padStart(2, '0')).join('');\n\tif (hex.length === 0) {\n\t\treturn BigInt(0);\n\t}\n\treturn BigInt('0x' + hex);\n}\n\n// hashes an ASCII string to a field element\nexport function hashASCIIStrToField(str: string, maxSize: number) {\n\tif (str.length > maxSize) {\n\t\tthrow new Error(`String ${str} is longer than ${maxSize} chars`);\n\t}\n\n\t// Note: Padding with zeroes is safe because we are only using this function to map human-readable sequence of bytes.\n\t// So the ASCII values of those characters will never be zero (null character).\n\tconst strPadded = str\n\t\t.padEnd(maxSize, String.fromCharCode(0))\n\t\t.split('')\n\t\t.map((c) => c.charCodeAt(0));\n\n\tconst chunkSize = PACK_WIDTH / 8;\n\tconst packed = chunkArray(strPadded, chunkSize).map((chunk) => bytesBEToBigInt(chunk));\n\treturn poseidonHash(packed);\n}\n\n// Reject claim inputs whose decoded form reveals a JSON escape ('\"', '\\', control char):\n// the circuit hashes raw JWT bytes, so an escaped value would derive a different address.\nfunction assertNoJsonEscape(value: string, label: string) {\n\tfor (let i = 0; i < value.length; i++) {\n\t\tconst c = value.charCodeAt(i);\n\t\tif (c < 0x20 || c === 0x22 || c === 0x5c) {\n\t\t\tthrow new Error(\n\t\t\t\t`zkLogin ${label} contains a JSON-escaped character (code ${c}); the circuit ` +\n\t\t\t\t\t`hashes raw JWT bytes, so claim values with escapes are not supported`,\n\t\t\t);\n\t\t}\n\t}\n}\n\nexport function genAddressSeed(\n\tsalt: string | bigint,\n\tname: string,\n\tvalue: string,\n\taud: string,\n\tmax_name_length = MAX_KEY_CLAIM_NAME_LENGTH,\n\tmax_value_length = MAX_KEY_CLAIM_VALUE_LENGTH,\n\tmax_aud_length = MAX_AUD_VALUE_LENGTH,\n): bigint {\n\tassertNoJsonEscape(name, 'key claim name');\n\tassertNoJsonEscape(value, 'key claim value');\n\tassertNoJsonEscape(aud, 'aud');\n\treturn poseidonHash([\n\t\thashASCIIStrToField(name, max_name_length),\n\t\thashASCIIStrToField(value, max_value_length),\n\t\thashASCIIStrToField(aud, max_aud_length),\n\t\tposeidonHash([BigInt(salt)]),\n\t]);\n}\n\nexport function normalizeZkLoginIssuer(iss: string) {\n\tif (iss === 'accounts.google.com') {\n\t\treturn 'https://accounts.google.com';\n\t}\n\treturn iss;\n}\n"],"mappings":";;;;AAQA,MAAM,4BAA4B;AAClC,MAAM,6BAA6B;AACnC,MAAM,uBAAuB;AAC7B,MAAM,aAAa;AAEnB,SAAS,sBAAsB,OAAmB;AACjD,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,IACjC,KAAI,MAAM,OAAO,EAChB,QAAO;AAIT,QAAO;;AAIR,SAAgB,uBAAuB,KAAa,OAA2B;AAE9E,QAAO,WADK,IAAI,SAAS,GAAG,CACN,SAAS,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;;AAIlE,SAAgB,iBAAiB,KAAa,OAA2B;CACxE,MAAM,QAAQ,uBAAuB,KAAK,MAAM;CAEhD,MAAM,oBAAoB,sBAAsB,MAAM;AAEtD,KAAI,sBAAsB,GACzB,QAAO,IAAI,WAAW,CAAC,EAAE,CAAC;AAG3B,QAAO,MAAM,MAAM,kBAAkB;;AAGtC,SAAgB,8BAA8B,WAAsB;AACnE,QAAO,UAAU,gBAAgB;;;;;;;;;;AAWlC,SAAgB,WAAc,OAAY,YAA2B;CACpE,MAAM,SAAS,MAAM,KAAK,KAAK,MAAM,SAAS,WAAW,CAAC;CAC1D,MAAM,WAAW,MAAM,SAAS;AAChC,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IAClC,QAAO,KAAK,SAAS,MAAM,IAAI,aAAa,IAAI,KAAK,WAAW,CAAC,SAAS;AAE3E,QAAO,OAAO,SAAS;;AAGxB,SAAS,gBAAgB,OAAyB;CACjD,MAAM,MAAM,MAAM,KAAK,MAAM,EAAE,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,KAAK,GAAG;AACtE,KAAI,IAAI,WAAW,EAClB,QAAO,OAAO,EAAE;AAEjB,QAAO,OAAO,OAAO,IAAI;;AAI1B,SAAgB,oBAAoB,KAAa,SAAiB;AACjE,KAAI,IAAI,SAAS,QAChB,OAAM,IAAI,MAAM,UAAU,IAAI,kBAAkB,QAAQ,QAAQ;AAYjE,QAAO,aADQ,WANG,IAChB,OAAO,SAAS,OAAO,aAAa,EAAE,CAAC,CACvC,MAAM,GAAG,CACT,KAAK,MAAM,EAAE,WAAW,EAAE,CAAC,EAEX,aAAa,EACgB,CAAC,KAAK,UAAU,gBAAgB,MAAM,CAAC,CAC3D;;AAK5B,SAAS,mBAAmB,OAAe,OAAe;AACzD,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;EACtC,MAAM,IAAI,MAAM,WAAW,EAAE;AAC7B,MAAI,IAAI,MAAQ,MAAM,MAAQ,MAAM,GACnC,OAAM,IAAI,MACT,WAAW,MAAM,2CAA2C,EAAE,qFAE9D;;;AAKJ,SAAgB,eACf,MACA,MACA,OACA,KACA,kBAAkB,2BAClB,mBAAmB,4BACnB,iBAAiB,sBACR;AACT,oBAAmB,MAAM,iBAAiB;AAC1C,oBAAmB,OAAO,kBAAkB;AAC5C,oBAAmB,KAAK,MAAM;AAC9B,QAAO,aAAa;EACnB,oBAAoB,MAAM,gBAAgB;EAC1C,oBAAoB,OAAO,iBAAiB;EAC5C,oBAAoB,KAAK,eAAe;EACxC,aAAa,CAAC,OAAO,KAAK,CAAC,CAAC;EAC5B,CAAC;;AAGH,SAAgB,uBAAuB,KAAa;AACnD,KAAI,QAAQ,sBACX,QAAO;AAER,QAAO"}

package/docs/bcs.md

@@ -35,7 +35,6 @@ the following pre-defined schemes:
 - `SharedObjectRef`
 - `StructTag`
 - `SuiObjectRef`
-- `Transaction`
 - `TransactionData`
 - `TransactionDataV1`
 - `TransactionExpiration`
@@ -85,12 +84,18 @@ object response, so you typically only need `content`.
 
 ```typescript
 
-// Parse a full object envelope (from objectBcs include option)
-const envelope = bcs.Object.parse(object.objectBcs);
-console.log('Owner:', envelope.owner);
-console.log('Inner struct bytes:', envelope.data.Move.contents);
+// Parse a BCS-encoded object
+const { objects } = await grpcClient.getObjects({
+	objectIds: [objectId],
+	include: { objectBcs: true },
+});
+
+const parsed = bcs.Object.parse(objects[0].objectBcs);
+console.log('Owner:', parsed.owner);
+console.log('Previous Transaction:', parsed.previousTransaction);
+console.log('Storage Rebate:', parsed.storageRebate);
 
-// Serialize a full object envelope
+// Serialize an object
 const serialized = bcs.Object.serialize({
 	data: {
 		Move: {

package/docs/clients/core.md

@@ -178,13 +178,14 @@ The `display` field is `null` when the object's type has no registered Display t
 Get the balance of a specific coin type for an owner.
 
 ```typescript
-const balance = await client.core.getBalance({
+const { balance } = await client.core.getBalance({
 	owner: '0xabc...',
 	coinType: '0x2::sui::SUI', // Optional, defaults to SUI
 });
 
-console.log(balance.totalBalance); // Total balance as bigint
-console.log(balance.coinObjectCount); // Number of coin objects
+console.log(balance.balance); // Total balance (coin objects + address balance)
+console.log(balance.coinBalance); // Balance from coin objects only
+console.log(balance.addressBalance); // Balance from address balance only
 ```
 
 ### `listBalances`
@@ -197,7 +198,7 @@ const { balances } = await client.core.listBalances({
 });
 
 for (const balance of balances) {
-	console.log(balance.coinType, balance.totalBalance);
+	console.log(balance.coinType, balance.balance);
 }
 ```
 
@@ -212,7 +213,7 @@ const result = await client.core.listCoins({
 	limit: 10,
 });
 
-for (const coin of result.coins) {
+for (const coin of result.objects) {
 	console.log(coin.objectId, coin.balance);
 }
 ```
@@ -454,7 +455,7 @@ console.log(referenceGasPrice); // bigint
 Get the current system state including epoch information.
 
 ```typescript
-const systemState = await client.core.getCurrentSystemState();
+const { systemState } = await client.core.getCurrentSystemState();
 console.log(systemState.epoch);
 console.log(systemState.systemStateVersion);
 ```
@@ -478,7 +479,7 @@ Get information about a Move function.
 const { function: fn } = await client.core.getMoveFunction({
 	packageId: '0x2',
 	moduleName: 'coin',
-	name: 'transfer',
+	name: 'value',
 });
 
 console.log(fn.name);
@@ -566,7 +567,7 @@ function processObject(obj: SuiClientTypes.Object<{ content: true }>) {
 async function fetchBalance(
 	client: ClientWithCoreApi,
 	owner: string,
-): Promise<SuiClientTypes.CoinBalance> {
+): Promise<SuiClientTypes.Balance> {
 	const { balance } = await client.core.getBalance({ owner });
 	return balance;
 }
@@ -584,7 +585,7 @@ const options: SuiClientTypes.GetObjectOptions<{ content: true }> = {
 | ---------------------- | ------------------------------------------- |
 | `Object<Include>`      | Fetched object with optional included data  |
 | `Coin`                 | Coin object with balance                    |
-| `CoinBalance`          | Balance summary for a coin type             |
+| `Balance`              | Balance summary for a coin type             |
 | `CoinMetadata`         | Metadata for a coin type                    |
 | `Transaction<Include>` | Executed transaction with optional data     |
 | `TransactionResult`    | Success or failure result from execution    |

package/docs/clients/grpc.md

@@ -179,7 +179,7 @@ const { response: fields } = await grpcClient.stateService.listDynamicFields({
 const { response } = await grpcClient.movePackageService.getFunction({
 	packageId: '0x2',
 	moduleName: 'coin',
-	name: 'transfer',
+	name: 'value',
 });
 ```