@nucypher/taco 0.7.0-alpha.2 → 0.7.0-dev.viem

package/README.md

@@ -64,6 +64,155 @@ const decryptedMessage = await decrypt(
 );
 ```
 
+## Viem Support
+
+The TACo SDK supports both [ethers.js](https://docs.ethers.org/) natively, and [viem](https://viem.sh). The same `encrypt` and `decrypt` functions work with both libraries. Here is how to use them with viem:
+
+```bash
+$ yarn add @nucypher/taco viem
+```
+
+```typescript
+import { encrypt, decrypt, conditions, domains, initialize } from '@nucypher/taco';
+import { createPublicClient, http } from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
+import { polygonAmoy } from 'viem/chains';
+
+// Initialize TACo
+await initialize();
+
+const viemClient = createPublicClient({
+  chain: polygonAmoy,
+  transport: http(),
+});
+const viemAccount = privateKeyToAccount('0x...');
+
+const ownsNFT = new conditions.predefined.ERC721Ownership({
+  contractAddress: '0x1e988ba4692e52Bc50b375bcC8585b95c48AaD77',
+  parameters: [3591],
+  chain: 5,
+});
+
+// Same function names work with viem - TypeScript automatically selects the right overload
+const messageKit = await encrypt(
+  viemClient,        // viem PublicClient
+  domains.TESTNET,
+  'my secret message',
+  ownsNFT,
+  ritualId,
+  viemAccount,       // viem Signer Account (`LocalAccount` or `WalletClient`)
+);
+
+// Decrypt with viem
+const decryptedMessage = await decrypt(
+  viemClient,
+  domains.TESTNET,
+  messageKit,
+);
+```
+
+### Automatic Library Detection
+
+TypeScript automatically detects which library objects you're passing and works seamlessly:
+
+```typescript
+// Using ethers.js - automatically uses ethers implementation
+const ethersEncrypted = await encrypt(
+  ethersProvider,    // ethers.providers.Provider
+  domains.TESTNET,
+  message,
+  condition,
+  ritualId,
+  ethersSigner       // ethers.Signer
+);
+
+// Using viem - automatically uses viem implementation  
+const viemEncrypted = await encrypt(
+  publicClient,  // viem PublicClient
+  domains.TESTNET,
+  message,
+  condition,
+  ritualId,
+  viemAccount        // viem Signer Account (`LocalAccount` or `WalletClient`)
+);
+```
+
+For detailed viem documentation, see [VIEM_SUPPORT.md](./VIEM_SUPPORT.md).
+
+## AccessClient - Object-Oriented Interface
+
+For applications requiring multiple TACo cryptographic operations or complex configuration management, the TACo SDK provides an optional object-oriented interface through the `AccessClient` class. This provides a stateful, higher-level abstraction over the functional API.
+
+The Object-Oriented API is fully backward compatible - you can use both APIs in
+the same application as needed. Except that the AccessClient has additional validations
+and hence throws some errors earlier with different error messages.
+
+NOTE: Using `AccessClient` is equivalent to using the functional API. 
+There are no specific recommendations on which approach to use. 
+Choose the one that best suits your development preferences.
+
+### Basic Usage
+
+```typescript
+import { AccessClient, ConditionContext, DOMAIN_NAMES } from '@nucypher/taco';
+import { createPublicClient, http } from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
+import { polygonAmoy } from 'viem/chains';
+
+// Initialize TACo
+await initialize();
+
+// Set up viem client and account
+const viemClient = createPublicClient({
+  chain: polygonAmoy,
+  transport: http(),
+});
+const viemAccount = privateKeyToAccount('0x...');
+
+// Create AccessClient instance with domain constants
+const accessClient = new AccessClient({
+  domain: DOMAIN_NAMES.TESTNET, // TESTNET -> 'tapir'
+  ritualId: 6,
+  viemClient
+});
+
+// Encrypt data
+const messageKit = await accessClient.encrypt('Hello, secret!', condition, viemAccount);
+
+// Decrypt
+const conditionContext = ConditionContext.fromMessageKit(messageKit);
+
+// if needed Add authentication for ":userAddress" in condition...
+
+const decryptedMessage = await accessClient.decrypt(messageKit, conditionContext);
+// OR with encrypted bytes:
+// const decryptedMessage = await accessClient.decrypt(messageKit.toBytes(), conditionContext);
+```
+
+### Dual Configuration Support
+
+AccessClient supports both viem and ethers.js configurations:
+
+```typescript
+import { AccessClient, DOMAIN_NAMES } from '@nucypher/taco';
+
+// With viem
+const accessClientViem = new AccessClient({
+  domain: DOMAIN_NAMES.TESTNET,
+  ritualId: 6,
+  viemClient
+});
+const messageKit = await accessClientViem.encrypt(data, condition, viemAccount);
+
+// With ethers.js
+const accessClientEthers = new AccessClient({
+  domain: DOMAIN_NAMES.TESTNET,
+  ritualId: 6,
+  ethersProvider
+});
+const messageKit2 = await accessClientEthers.encrypt(data, condition, ethersSigner);
+```
+
 ## Learn more
 
 Please find developer documentation for

package/dist/cjs/access-client/client.d.ts

@@ -0,0 +1,237 @@
+import { DkgPublicKey, ThresholdMessageKit } from '@nucypher/nucypher-core';
+import { SignerAccount } from '@nucypher/shared';
+import { ethers } from 'ethers';
+import { Condition } from '../conditions/condition.js';
+import { ConditionContext } from '../conditions/context/index.js';
+import { type AccessClientConfig } from './config.js';
+/**
+ * AccessClient provides an object-oriented interface for TACo cryptographic operations
+ *
+ * This class encapsulates TACo access-control configuration and provides simplified methods
+ * for encryption and decryption operations. It handles configuration validation,
+ * automatic WASM initialization, and provides enhanced error messages.
+ *
+ * @example Using with viem:
+ * ```typescript
+ * import { AccessClient, DOMAIN_NAMES } from '@nucypher/taco';
+ * import { createPublicClient, http } from 'viem';
+ * import { polygonAmoy } from 'viem/chains';
+ * import { privateKeyToAccount } from 'viem/accounts';
+ *
+ * // Create viem client and account
+ * const viemClient = createPublicClient({
+ *   chain: polygonAmoy,
+ *   transport: http()
+ * });
+ * const viemAccount = privateKeyToAccount('0x...');
+ *
+ * // Create AccessClient - WASM initializes automatically
+ * const accessClient = new AccessClient({
+ *   domain: DOMAIN_NAMES.TESTNET, // 'tapir'
+ *   ritualId: 6,
+ *   viemClient
+ * });
+ *
+ * // Pass signer to encrypt operation
+ * const messageKit = await accessClient.encrypt('Hello, secret!', condition, viemAccount);
+ * // Decrypt doesn't require signer
+ * const decrypted = await accessClient.decrypt(messageKit, conditionContext);
+ * ```
+ *
+ * @example Using with ethers.js:
+ * ```typescript
+ * import { AccessClient, DOMAIN_NAMES } from '@nucypher/taco';
+ * import { ethers } from 'ethers';
+ *
+ * // Create ethers provider and signer
+ * const ethersProvider = new ethers.providers.JsonRpcProvider('https://rpc-amoy.polygon.technology');
+ * const ethersSigner = new ethers.Wallet('0x...', ethersProvider);
+ *
+ * // Create AccessClient - WASM initializes automatically
+ * const accessClient = new AccessClient({
+ *   domain: DOMAIN_NAMES.TESTNET,
+ *   ritualId: 6,
+ *   ethersProvider
+ * });
+ *
+ * // Pass signer to encrypt operation
+ * const messageKit = await accessClient.encrypt('Hello, secret!', condition, ethersSigner);
+ * // Decrypt doesn't require signer
+ * const decrypted = await accessClient.decrypt(messageKit, conditionContext);
+ * ```
+ */
+export declare class AccessClient {
+    private config;
+    private static initializationPromise;
+    /**
+     * Initialize TACo WASM globally (singleton pattern)
+     *
+     * This method ensures TACo WASM is initialized exactly once across all AccessClient instances.
+     * Initialization happens automatically when creating clients or calling operations, but you can
+     * call this explicitly for performance optimization or error handling.
+     *
+     * @returns {Promise<void>} Promise that resolves when TACo WASM is initialized
+     *
+     * @example
+     * ```typescript
+     * // Optional: Pre-initialize for better performance
+     * await AccessClient.initialize();
+     *
+     * // All AccessClient instances share the same initialization
+     * const client1 = new AccessClient(config1);
+     * const client2 = new AccessClient(config2);
+     *
+     * // Operations automatically wait for initialization
+     * const encrypted = await client1.encrypt(data, condition);
+     * ```
+     */
+    static initialize(): Promise<void>;
+    /**
+     * Create a new AccessClient instance
+     *
+     * @param {AccessClientConfig} config - Configuration for the AccessClient
+     * @throws {Error} If configuration is invalid
+     */
+    constructor(config: AccessClientConfig);
+    /**
+     * Fully validate the configuration including network provider checks
+     *
+     * This method performs comprehensive validation including:
+     * - Domain and ritual ID validation
+     * - Provider/signer configuration validation
+     * - Network compatibility check (calls provider to verify chain ID matches domain)
+     *
+     * @returns {Promise<ValidationResult>} Promise resolving to validation result with isValid boolean and errors array
+     * @throws {Error} If configuration validation fails
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   await accessClient.validateConfig();
+     *   console.log('Configuration is valid.');
+     * } catch (error) {
+     *   console.error('Configuration validation failed:', error.message);
+     * }
+     * ```
+     */
+    validateConfig(): Promise<void>;
+    /**
+     * Encrypt data with the given access condition.
+     *
+     * Use this overload when your application uses ethers.js.
+     *
+     * @export
+     * @param {string | Uint8Array} data - String or Uint8Array to encrypt
+     * @param {Condition} accessCondition - Access condition (single or composite) that must be satisfied at decryption time.
+     * @param {ethers.Signer} authSigner - Signer used to identify encryptor and verify authorization.
+     *
+     * @returns {Promise<ThresholdMessageKit>} Encrypted message kit representing the ciphertext and associated metadata.
+     *
+     * @throws {Error} If the ritual cannot be retrieved or encryption fails.
+     *
+     * @example
+     * ```typescript
+     * const messageKit = await accessClient.encrypt('Hello, secret!', condition, authSigner);
+     * ```
+     */
+    encrypt(data: string | Uint8Array, accessCondition: Condition, authSigner: ethers.Signer): Promise<ThresholdMessageKit>;
+    /**
+     * Encrypt data with the given access condition.
+     *
+     * Use this overload when your application uses viem.
+     *
+     * @export
+     * @param {string | Uint8Array} data - String or Uint8Array to encrypt
+     * @param {Condition} accessCondition - Access condition (single or composite) that must be satisfied at decryption time.
+     * @param {SignerAccount} authAccount - Viem account used to identify encryptor and verify authorization.
+     *
+     * @returns {Promise<ThresholdMessageKit>} Encrypted message kit representing the ciphertext and associated metadata.
+     *
+     * @throws {Error} If the ritual cannot be retrieved or encryption fails.
+     * @example
+     * ```typescript
+     * const messageKit = await accessClient.encrypt('Hello, secret!', condition, authAccount);
+     * ```
+     */
+    encrypt(data: string | Uint8Array, accessCondition: Condition, authAccount: SignerAccount): Promise<ThresholdMessageKit>;
+    /**
+     * Encrypt data with a provided DKG public key under a specified condition
+     *
+     * This method can be used offline since it doesn't require network access to fetch
+     * the DKG public key (unlike the `encrypt` method which fetches it from the ritual).
+     *
+     * Use this overload when your application uses ethers.js.
+     *
+     * @export
+     * @param {string | Uint8Array} data - String or Uint8Array to encrypt
+     * @param {Condition} condition - Access condition (single or composite) that must be satisfied at decryption time.
+     * @param {DkgPublicKey} dkgPublicKey - The public key of an active DKG Ritual to be used for encryption
+     * @param {ethers.Signer} authSigner - ethers.Signer used to identify encryptor and verify authorization.
+     *
+     * @returns {Promise<ThresholdMessageKit>} Encrypted message kit representing the ciphertext and associated metadata.
+     *
+     * @throws {Error} If encryption fails
+     *
+     * @example
+     * ```typescript
+     * // Get DKG public key from ritual or cache
+     * const dkgPublicKey = await getDkgPublicKey(domain, ritualId);
+     *
+     * // Encrypt offline using the public key
+     * const messageKit = await accessClient.encryptWithPublicKey('Hello, secret!', condition, dkgPublicKey, authSigner);
+     * ```
+     */
+    encryptWithPublicKey(data: Uint8Array | string, condition: Condition, dkgPublicKey: DkgPublicKey, authSigner: ethers.Signer): Promise<ThresholdMessageKit>;
+    /**
+     * Encrypt data with a provided DKG public key under a specified condition
+     *
+     * This method can be used offline since it doesn't require network access to fetch
+     * the DKG public key (unlike the `encrypt` method which fetches it from the ritual).
+     *
+     * Use this overload when your application uses viem.
+     *
+     * @export
+     * @param {string | Uint8Array} data - String or Uint8Array to encrypt
+     * @param {Condition} condition - Access condition (single or composite) that must be satisfied at decryption time.
+     * @param {DkgPublicKey} dkgPublicKey - The public key of an active DKG Ritual to be used for encryption
+     * @param {SignerAccount} authAccount - Viem signer account used to identify encryptor and verify authorization.
+     *
+     * @returns {Promise<ThresholdMessageKit>} Encrypted message kit representing the ciphertext and associated metadata.
+     *
+     * @throws {Error} If encryption fails
+     *
+     * @example
+     * ```typescript
+     * // Get DKG public key from ritual or cache
+     * const dkgPublicKey = await getDkgPublicKey(domain, ritualId);
+     *
+     * // Encrypt offline using the public key
+     * const messageKit = await accessClient.encryptWithPublicKey('Hello, secret!', condition, dkgPublicKey, authAccount);
+     * ```
+     */
+    encryptWithPublicKey(data: Uint8Array | string, condition: Condition, dkgPublicKey: DkgPublicKey, authAccount: SignerAccount): Promise<ThresholdMessageKit>;
+    /**
+     * Decrypt data using TACo
+     *
+     * @param {ThresholdMessageKit | Uint8Array} encryptedData - Either a ThresholdMessageKit or encrypted bytes (Uint8Array)
+     * @param {ConditionContext} [conditionContext] - Optional condition context for time-based conditions
+     * @returns {Promise<Uint8Array>} Decrypted data
+     * @throws {Error} If decryption fails
+     *
+     * @example
+     * ```typescript
+     * // With messageKit
+     * const decrypted = await accessClient.decrypt(messageKit, conditionContext);
+     *
+     * // With encrypted bytes
+     * const decrypted = await accessClient.decrypt(encryptedBytes, conditionContext);
+     * ```
+     */
+    decrypt(encryptedData: ThresholdMessageKit | Uint8Array, conditionContext?: ConditionContext): Promise<Uint8Array>;
+    /**
+     * Get current client configuration
+     *
+     * @returns {Readonly<AccessClientConfig>} Client configuration
+     */
+    getConfig(): Readonly<AccessClientConfig>;
+}

package/dist/cjs/access-client/client.js

@@ -0,0 +1,196 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessClient = void 0;
+const nucypher_core_1 = require("@nucypher/nucypher-core");
+const taco_js_1 = require("../taco.js");
+const config_validator_js_1 = require("./config-validator.js");
+/**
+ * AccessClient provides an object-oriented interface for TACo cryptographic operations
+ *
+ * This class encapsulates TACo access-control configuration and provides simplified methods
+ * for encryption and decryption operations. It handles configuration validation,
+ * automatic WASM initialization, and provides enhanced error messages.
+ *
+ * @example Using with viem:
+ * ```typescript
+ * import { AccessClient, DOMAIN_NAMES } from '@nucypher/taco';
+ * import { createPublicClient, http } from 'viem';
+ * import { polygonAmoy } from 'viem/chains';
+ * import { privateKeyToAccount } from 'viem/accounts';
+ *
+ * // Create viem client and account
+ * const viemClient = createPublicClient({
+ *   chain: polygonAmoy,
+ *   transport: http()
+ * });
+ * const viemAccount = privateKeyToAccount('0x...');
+ *
+ * // Create AccessClient - WASM initializes automatically
+ * const accessClient = new AccessClient({
+ *   domain: DOMAIN_NAMES.TESTNET, // 'tapir'
+ *   ritualId: 6,
+ *   viemClient
+ * });
+ *
+ * // Pass signer to encrypt operation
+ * const messageKit = await accessClient.encrypt('Hello, secret!', condition, viemAccount);
+ * // Decrypt doesn't require signer
+ * const decrypted = await accessClient.decrypt(messageKit, conditionContext);
+ * ```
+ *
+ * @example Using with ethers.js:
+ * ```typescript
+ * import { AccessClient, DOMAIN_NAMES } from '@nucypher/taco';
+ * import { ethers } from 'ethers';
+ *
+ * // Create ethers provider and signer
+ * const ethersProvider = new ethers.providers.JsonRpcProvider('https://rpc-amoy.polygon.technology');
+ * const ethersSigner = new ethers.Wallet('0x...', ethersProvider);
+ *
+ * // Create AccessClient - WASM initializes automatically
+ * const accessClient = new AccessClient({
+ *   domain: DOMAIN_NAMES.TESTNET,
+ *   ritualId: 6,
+ *   ethersProvider
+ * });
+ *
+ * // Pass signer to encrypt operation
+ * const messageKit = await accessClient.encrypt('Hello, secret!', condition, ethersSigner);
+ * // Decrypt doesn't require signer
+ * const decrypted = await accessClient.decrypt(messageKit, conditionContext);
+ * ```
+ */
+class AccessClient {
+    config;
+    static initializationPromise;
+    /**
+     * Initialize TACo WASM globally (singleton pattern)
+     *
+     * This method ensures TACo WASM is initialized exactly once across all AccessClient instances.
+     * Initialization happens automatically when creating clients or calling operations, but you can
+     * call this explicitly for performance optimization or error handling.
+     *
+     * @returns {Promise<void>} Promise that resolves when TACo WASM is initialized
+     *
+     * @example
+     * ```typescript
+     * // Optional: Pre-initialize for better performance
+     * await AccessClient.initialize();
+     *
+     * // All AccessClient instances share the same initialization
+     * const client1 = new AccessClient(config1);
+     * const client2 = new AccessClient(config2);
+     *
+     * // Operations automatically wait for initialization
+     * const encrypted = await client1.encrypt(data, condition);
+     * ```
+     */
+    static async initialize() {
+        if (!AccessClient.initializationPromise) {
+            AccessClient.initializationPromise = (async () => {
+                try {
+                    await (0, nucypher_core_1.initialize)();
+                }
+                catch (error) {
+                    console.error(`TACo initialization failed: ${error}`);
+                    throw error; // Re-throw to maintain error propagation
+                }
+            })();
+        }
+        return AccessClient.initializationPromise;
+    }
+    /**
+     * Create a new AccessClient instance
+     *
+     * @param {AccessClientConfig} config - Configuration for the AccessClient
+     * @throws {Error} If configuration is invalid
+     */
+    constructor(config) {
+        // Validate configuration using AccessConfig
+        const result = config_validator_js_1.AccessConfigValidator.validateFast(config);
+        if (!result.isValid) {
+            throw new Error(`Invalid configuration: ${result.errors.join(', ')}`);
+        }
+        this.config = config;
+        AccessClient.initialize();
+    }
+    /**
+     * Fully validate the configuration including network provider checks
+     *
+     * This method performs comprehensive validation including:
+     * - Domain and ritual ID validation
+     * - Provider/signer configuration validation
+     * - Network compatibility check (calls provider to verify chain ID matches domain)
+     *
+     * @returns {Promise<ValidationResult>} Promise resolving to validation result with isValid boolean and errors array
+     * @throws {Error} If configuration validation fails
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   await accessClient.validateConfig();
+     *   console.log('Configuration is valid.');
+     * } catch (error) {
+     *   console.error('Configuration validation failed:', error.message);
+     * }
+     * ```
+     */
+    async validateConfig() {
+        const validationResult = await config_validator_js_1.AccessConfigValidator.validate(this.config);
+        if (!validationResult.isValid) {
+            throw new Error(`Invalid configuration: ${validationResult.errors.join(', ')}`);
+        }
+    }
+    async encrypt(data, accessCondition, signerLike) {
+        await AccessClient.initialize();
+        const messageKit = await (0, taco_js_1.encrypt)(this.config.ethersProvider ||
+            this.config.viemClient, this.config.domain, data, accessCondition, this.config.ritualId, 
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        signerLike);
+        return messageKit;
+    }
+    async encryptWithPublicKey(data, accessCondition, dkgPublicKey, signerLike) {
+        await AccessClient.initialize();
+        const messageKit = await (0, taco_js_1.encryptWithPublicKey)(data, accessCondition, dkgPublicKey, 
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        signerLike);
+        return messageKit;
+    }
+    /**
+     * Decrypt data using TACo
+     *
+     * @param {ThresholdMessageKit | Uint8Array} encryptedData - Either a ThresholdMessageKit or encrypted bytes (Uint8Array)
+     * @param {ConditionContext} [conditionContext] - Optional condition context for time-based conditions
+     * @returns {Promise<Uint8Array>} Decrypted data
+     * @throws {Error} If decryption fails
+     *
+     * @example
+     * ```typescript
+     * // With messageKit
+     * const decrypted = await accessClient.decrypt(messageKit, conditionContext);
+     *
+     * // With encrypted bytes
+     * const decrypted = await accessClient.decrypt(encryptedBytes, conditionContext);
+     * ```
+     */
+    async decrypt(encryptedData, conditionContext) {
+        await AccessClient.initialize();
+        // Handle both messageKit and encrypted bytes
+        const messageKit = encryptedData instanceof nucypher_core_1.ThresholdMessageKit
+            ? encryptedData
+            : nucypher_core_1.ThresholdMessageKit.fromBytes(encryptedData);
+        const decrypted = await (0, taco_js_1.decrypt)(this.config.ethersProvider ||
+            this.config.viemClient, this.config.domain, messageKit, conditionContext, this.config.porterUris);
+        return decrypted;
+    }
+    /**
+     * Get current client configuration
+     *
+     * @returns {Readonly<AccessClientConfig>} Client configuration
+     */
+    getConfig() {
+        return Object.freeze({ ...this.config });
+    }
+}
+exports.AccessClient = AccessClient;
+//# sourceMappingURL=client.js.map

package/dist/cjs/access-client/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/access-client/client.ts"],"names":[],"mappings":";;;AAAA,2DAIiC;AAMjC,wCAAoE;AAEpE,+DAA8D;AAO9D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AACH,MAAa,YAAY;IACf,MAAM,CAAqB;IAC3B,MAAM,CAAC,qBAAqB,CAAgB;IAEpD;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,MAAM,CAAC,KAAK,CAAC,UAAU;QACrB,IAAI,CAAC,YAAY,CAAC,qBAAqB,EAAE,CAAC;YACxC,YAAY,CAAC,qBAAqB,GAAG,CAAC,KAAK,IAAI,EAAE;gBAC/C,IAAI,CAAC;oBACH,MAAM,IAAA,0BAAU,GAAE,CAAC;gBACrB,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,OAAO,CAAC,KAAK,CAAC,+BAA+B,KAAK,EAAE,CAAC,CAAC;oBACtD,MAAM,KAAK,CAAC,CAAC,yCAAyC;gBACxD,CAAC;YACH,CAAC,CAAC,EAAE,CAAC;QACP,CAAC;QACD,OAAO,YAAY,CAAC,qBAAqB,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,YAAY,MAA0B;QACpC,4CAA4C;QAC5C,MAAM,MAAM,GAAG,2CAAqB,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,0BAA0B,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,YAAY,CAAC,UAAU,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,KAAK,CAAC,cAAc;QAClB,MAAM,gBAAgB,GAAG,MAAM,2CAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3E,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,0BAA0B,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC/D,CAAC;QACJ,CAAC;IACH,CAAC;IAmDD,KAAK,CAAC,OAAO,CACX,IAAyB,EACzB,eAA0B,EAC1B,UAAsB;QAEtB,MAAM,YAAY,CAAC,UAAU,EAAE,CAAC;QAEhC,MAAM,UAAU,GAAG,MAAM,IAAA,iBAAO,EAC7B,IAAI,CAAC,MAAmC,CAAC,cAAc;YACrD,IAAI,CAAC,MAAiC,CAAC,UAAU,EACpD,IAAI,CAAC,MAAM,CAAC,MAAM,EAClB,IAAI,EACJ,eAAe,EACf,IAAI,CAAC,MAAM,CAAC,QAAQ;QACpB,8DAA8D;QAC9D,UAAiB,CAClB,CAAC;QAEF,OAAO,UAAU,CAAC;IACpB,CAAC;IAsED,KAAK,CAAC,oBAAoB,CACxB,IAAyB,EACzB,eAA0B,EAC1B,YAA0B,EAC1B,UAAsB;QAEtB,MAAM,YAAY,CAAC,UAAU,EAAE,CAAC;QAEhC,MAAM,UAAU,GAAG,MAAM,IAAA,8BAAoB,EAC3C,IAAI,EACJ,eAAe,EACf,YAAY;QACZ,8DAA8D;QAC9D,UAAiB,CAClB,CAAC;QAEF,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,OAAO,CACX,aAA+C,EAC/C,gBAAmC;QAEnC,MAAM,YAAY,CAAC,UAAU,EAAE,CAAC;QAEhC,6CAA6C;QAC7C,MAAM,UAAU,GACd,aAAa,YAAY,mCAAmB;YAC1C,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,mCAAmB,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAEnD,MAAM,SAAS,GAAG,MAAM,IAAA,iBAAO,EAC5B,IAAI,CAAC,MAAmC,CAAC,cAAc;YACrD,IAAI,CAAC,MAAiC,CAAC,UAAU,EACpD,IAAI,CAAC,MAAM,CAAC,MAAM,EAClB,UAAU,EACV,gBAAgB,EAChB,IAAI,CAAC,MAAM,CAAC,UAAU,CACvB,CAAC;QAEF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,SAAS;QACP,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;CACF;AAtSD,oCAsSC"}

package/dist/cjs/access-client/config-validator.d.ts

@@ -0,0 +1,92 @@
+/**
+ * TACo Domain Configuration and Validation
+ *
+ * This module provides domain configuration management, validation utilities,
+ * and configuration processing for TACo operations across different networks.
+ */
+import { DomainName, ProviderLike } from '@nucypher/shared';
+import { type AccessClientConfig } from './index.js';
+/**
+ * Generic validation result interface
+ */
+export interface ValidationResult {
+    isValid: boolean;
+    errors: string[];
+}
+/**
+ * Access Configuration Validator
+ *
+ * Validates Access client configurations, domains, and provider compatibility.
+ * Provides both fast and full validation methods for TACo operations.
+ */
+export declare class AccessConfigValidator {
+    /**
+     * Get all supported TACo domain names
+     * @returns {DomainName[]} Array of supported TACo domain names ('lynx', 'tapir', 'mainnet')
+     */
+    static getSupportedDomains(): DomainName[];
+    /**
+     * Check if domain is valid
+     * @param {DomainName} domain - TACo domain name to check ('lynx', 'tapir', 'mainnet')
+     * @returns {boolean} True if domain exists
+     */
+    static isValidDomain(domain: DomainName): boolean;
+    /**
+     * Get expected chain ID for domain from DOMAINS configuration
+     * @param {DomainName} domain - Domain name to look up
+     * @returns {number | undefined} Chain ID for the domain, undefined if not found
+     * @private
+     */
+    private static getExpectedChainId;
+    /**
+     * Validate ritual ID (basic validation - positive integer or 0)
+     * @param {number} ritualId - Ritual ID to validate
+     * @returns {boolean} True if valid (positive integer or 0)
+     */
+    static isValidRitualId(ritualId: number): boolean;
+    /**
+     * Validate provider compatibility with domain
+     * @param {DomainName} domain - Domain name
+     * @param {ProviderLike} provider - Provider to validate (ethers Provider or viem PublicClient)
+     * @returns {Promise<boolean>} True if provider is valid for domain
+     */
+    static isValidProvider(domain: DomainName, provider: ProviderLike): Promise<boolean>;
+    /**
+     * Fast validation (everything except provider network checks)
+     *
+     * Performs synchronous validation of configuration including:
+     * - Domain name validation
+     * - Ritual ID validation to ensure it is a positive integer
+     * - Provider/signer presence validation
+     * - Chain compatibility check (if chain info is available synchronously)
+     *
+     * @param {TacoClientConfig} config - Configuration to validate
+     * @returns {ValidationResult} Validation result with isValid boolean and errors array
+     */
+    static validateFast(config: AccessClientConfig): ValidationResult;
+    /**
+     * Synchronous chain compatibility validation
+     *
+     * Validates provider chain compatibility with domain requirements using
+     * synchronously available chain information.
+     *
+     * @param {TacoClientConfig} config - Configuration to validate
+     * @returns {ValidationResult} Validation result
+     * @private
+     */
+    private static validateChainCompatibility;
+    /**
+     * Full validation including async provider network checks
+     *
+     * Performs comprehensive validation including:
+     * - All fast validation checks
+     * - Async network calls to verify provider chain ID matches domain requirements
+     *
+     * Use this method when you need complete validation including network connectivity checks.
+     * For faster validation without network calls, use validateFast().
+     *
+     * @param {TacoClientConfig} config - Configuration to validate
+     * @returns {Promise<ValidationResult>} Promise resolving to validation result with isValid boolean and errors array
+     */
+    static validate(config: AccessClientConfig): Promise<ValidationResult>;
+}