@oleary-labs/signet-sdk 0.1.0

package/dist/admin.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Admin API authentication for Signet group management.
+ *
+ * Admin auth is stateless: sign SHA256(group_id : nonce : timestamp_BE)
+ * with a trusted auth key. For Schnorr auth keys (prefix 0x01), the
+ * signature is produced via FROST threshold signing through the bootstrap
+ * group.
+ */
+import type { SessionKeypair, IdTokenClaims } from "./types";
+export interface AdminAuthConfig {
+    nodeProxyUrl: string;
+    bootstrapGroup: string;
+    bootstrapNodes: string[];
+}
+export interface AdminAuth {
+    group_id: string;
+    auth_key_pub: string;
+    signature: string;
+    nonce: string;
+    timestamp: number;
+}
+/**
+ * Build an admin auth payload by threshold-signing the admin hash
+ * via the bootstrap group.
+ *
+ * The admin hash is: SHA256(group_id + ":" + nonce + ":" + timestamp_8BE)
+ * The signature is a 65-byte FROST Schnorr signature.
+ */
+export declare function buildAdminAuth(config: AdminAuthConfig, groupId: string, authKeyPub: string, sessionKeypair: SessionKeypair, claims: IdTokenClaims): Promise<AdminAuth>;
+/**
+ * Call an admin endpoint with auth.
+ *
+ * If the signing request fails with a 401 "session not found" error and
+ * a reauthenticate callback is provided, re-establishes the node session
+ * and retries once.
+ */
+export declare function adminRequest<T>(config: AdminAuthConfig, nodeUrl: string, path: string, groupId: string, authKeyPub: string, sessionKeypair: SessionKeypair, claims: IdTokenClaims, extraBody?: Record<string, unknown>, reauthenticate?: () => Promise<void>): Promise<T>;
+//# sourceMappingURL=admin.d.ts.map

package/dist/admin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../src/admin.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAI7D,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,eAAe,EACvB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,cAAc,EAC9B,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,SAAS,CAAC,CAwCpB;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,CAAC,EAClC,MAAM,EAAE,eAAe,EACvB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,cAAc,EAC9B,MAAM,EAAE,aAAa,EACrB,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnC,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GACnC,OAAO,CAAC,CAAC,CAAC,CAWZ"}

package/dist/admin.js

@@ -0,0 +1,112 @@
+/**
+ * Admin API authentication for Signet group management.
+ *
+ * Admin auth is stateless: sign SHA256(group_id : nonce : timestamp_BE)
+ * with a trusted auth key. For Schnorr auth keys (prefix 0x01), the
+ * signature is produced via FROST threshold signing through the bootstrap
+ * group.
+ */
+import { signSignRequest } from "./request";
+import { bytesToHex } from "./session";
+/**
+ * Build an admin auth payload by threshold-signing the admin hash
+ * via the bootstrap group.
+ *
+ * The admin hash is: SHA256(group_id + ":" + nonce + ":" + timestamp_8BE)
+ * The signature is a 65-byte FROST Schnorr signature.
+ */
+export async function buildAdminAuth(config, groupId, authKeyPub, sessionKeypair, claims) {
+    const normalizedGroupId = groupId.toLowerCase();
+    const nonce = generateNonce();
+    const timestamp = Math.floor(Date.now() / 1000);
+    // Build the admin hash: SHA256(group_id + ":" + nonce + ":" + timestamp_8BE)
+    const adminHash = await computeAdminHash(normalizedGroupId, nonce, timestamp);
+    // Threshold-sign the hash via bootstrap group
+    const signReq = await signSignRequest(sessionKeypair, claims, config.bootstrapGroup, adminHash);
+    const signRes = await fetch(config.nodeProxyUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "x-node-url": config.bootstrapNodes[0],
+            "x-node-path": "/v1/sign",
+        },
+        body: JSON.stringify(signReq),
+    });
+    if (!signRes.ok) {
+        const body = await signRes.text();
+        throw new Error(`Admin signing failed: ${signRes.status} — ${body}`);
+    }
+    const { ethereum_signature } = await signRes.json();
+    return {
+        group_id: normalizedGroupId,
+        auth_key_pub: authKeyPub,
+        signature: ethereum_signature,
+        nonce,
+        timestamp,
+    };
+}
+/**
+ * Call an admin endpoint with auth.
+ *
+ * If the signing request fails with a 401 "session not found" error and
+ * a reauthenticate callback is provided, re-establishes the node session
+ * and retries once.
+ */
+export async function adminRequest(config, nodeUrl, path, groupId, authKeyPub, sessionKeypair, claims, extraBody, reauthenticate) {
+    try {
+        return await adminRequestInner(config, nodeUrl, path, groupId, authKeyPub, sessionKeypair, claims, extraBody);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        if (reauthenticate && /session not found/i.test(msg)) {
+            await reauthenticate();
+            return await adminRequestInner(config, nodeUrl, path, groupId, authKeyPub, sessionKeypair, claims, extraBody);
+        }
+        throw err;
+    }
+}
+async function adminRequestInner(config, nodeUrl, path, groupId, authKeyPub, sessionKeypair, claims, extraBody) {
+    const auth = await buildAdminAuth(config, groupId, authKeyPub, sessionKeypair, claims);
+    const res = await fetch(config.nodeProxyUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "x-node-url": nodeUrl,
+            "x-node-path": path,
+        },
+        body: JSON.stringify({ ...auth, ...extraBody }),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Admin ${path} failed: ${res.status} — ${body}`);
+    }
+    return res.json();
+}
+async function computeAdminHash(groupId, nonce, timestamp) {
+    const enc = new TextEncoder();
+    const parts = [];
+    parts.push(enc.encode(groupId));
+    parts.push(enc.encode(":"));
+    parts.push(enc.encode(nonce));
+    parts.push(enc.encode(":"));
+    // timestamp as 8-byte big-endian
+    const tsBuf = new ArrayBuffer(8);
+    const view = new DataView(tsBuf);
+    view.setBigUint64(0, BigInt(timestamp));
+    parts.push(new Uint8Array(tsBuf));
+    const total = parts.reduce((n, p) => n + p.length, 0);
+    const buf = new Uint8Array(total);
+    let offset = 0;
+    for (const p of parts) {
+        buf.set(p, offset);
+        offset += p.length;
+    }
+    const digest = await crypto.subtle.digest("SHA-256", buf);
+    return new Uint8Array(digest);
+}
+function generateNonce() {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    return bytesToHex(bytes);
+}
+//# sourceMappingURL=admin.js.map

package/dist/admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.js","sourceRoot":"","sources":["../src/admin.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAgBvC;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAuB,EACvB,OAAe,EACf,UAAkB,EAClB,cAA8B,EAC9B,MAAqB;IAErB,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEhD,6EAA6E;IAC7E,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IAE9E,8CAA8C;IAC9C,MAAM,OAAO,GAAG,MAAM,eAAe,CACnC,cAAc,EACd,MAAM,EACN,MAAM,CAAC,cAAc,EACrB,SAAS,CACV,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE;QAC/C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,YAAY,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC;YACtC,aAAa,EAAE,UAAU;SAC1B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,yBAAyB,OAAO,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;IAEpD,OAAO;QACL,QAAQ,EAAE,iBAAiB;QAC3B,YAAY,EAAE,UAAU;QACxB,SAAS,EAAE,kBAAkB;QAC7B,KAAK;QACL,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAuB,EACvB,OAAe,EACf,IAAY,EACZ,OAAe,EACf,UAAkB,EAClB,cAA8B,EAC9B,MAAqB,EACrB,SAAmC,EACnC,cAAoC;IAEpC,IAAI,CAAC;QACH,OAAO,MAAM,iBAAiB,CAAI,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IACnH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,IAAI,cAAc,IAAI,oBAAoB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACrD,MAAM,cAAc,EAAE,CAAC;YACvB,OAAO,MAAM,iBAAiB,CAAI,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QACnH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,MAAuB,EACvB,OAAe,EACf,IAAY,EACZ,OAAe,EACf,UAAkB,EAClB,cAA8B,EAC9B,MAAqB,EACrB,SAAmC;IAEnC,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;IAEvF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE;QAC3C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,YAAY,EAAE,OAAO;YACrB,aAAa,EAAE,IAAI;SACpB;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,SAAS,EAAE,CAAC;KAChD,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,YAAY,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,OAAe,EACf,KAAa,EACb,SAAiB;IAEjB,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAiB,EAAE,CAAC;IAE/B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAChC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAE5B,iCAAiC;IACjC,MAAM,KAAK,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACxC,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAElC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC1D,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC"}

package/dist/authkey-session.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Auth key certificate session flow.
+ *
+ * Creates a node session using an ECDSA auth key certificate instead of
+ * an OAuth/ZK proof. This enables keygen and signing without user login —
+ * useful for backend services, AI agents, or any programmatic access.
+ *
+ * Flow:
+ * 1. Sign a certificate binding an identity + session pub to the auth key
+ * 2. POST /v1/auth with the certificate to establish a session
+ * 3. Use the session key for subsequent keygen/sign requests (same as OAuth flow)
+ *
+ * The identity becomes the key namespace: keys are stored as "authkey:<identity>"
+ * (or "authkey:<identity>:<suffix>" with key_suffix).
+ */
+import type { SessionKeypair } from "./types";
+export interface AuthKeyCertConfig {
+    /** Base URL or proxy URL for the node */
+    nodeUrl: string;
+    /** If set, requests go through this proxy (for CORS) */
+    proxyEndpoint?: string;
+}
+export interface AuthKeyCertResult {
+    identity: string;
+    expiresAt: number;
+}
+/**
+ * Authenticate with a node using an auth key certificate.
+ *
+ * @param config - Node URL / proxy config
+ * @param groupId - Group contract address
+ * @param authPrivateKey - 32-byte ECDSA private key (matches an on-chain auth key)
+ * @param identity - Logical identity string (e.g. "my-backend", "agent-1")
+ * @param sessionKeypair - Ephemeral session keypair for subsequent requests
+ * @param expiry - Certificate expiry (unix seconds). Default: 1 hour from now.
+ */
+export declare function authenticateWithAuthKey(config: AuthKeyCertConfig, groupId: string, authPrivateKey: Uint8Array, identity: string, sessionKeypair: SessionKeypair, expiry?: number): Promise<AuthKeyCertResult>;
+/**
+ * Authenticate with a node using a Schnorr auth key certificate.
+ *
+ * The certificate hash is threshold-signed via the bootstrap group (FROST),
+ * producing a 65-byte Schnorr signature. This works for auth keys registered
+ * on-chain with the 0x01 (Schnorr) prefix.
+ *
+ * @param config - Bootstrap group config for threshold signing
+ * @param targetNodeUrl - The target group node to authenticate with
+ * @param proxyEndpoint - CORS proxy URL
+ * @param targetGroupId - The target group contract address
+ * @param authKeyPub - Auth key with 0x01 prefix (e.g. "0x0103d767f7...")
+ * @param identity - Logical identity string (e.g. "key-tester")
+ * @param sessionKeypair - Session keypair for the target group node
+ * @param bootstrapSessionKeypair - Session keypair for the bootstrap group (already authed)
+ * @param claims - OAuth claims for signing requests to the bootstrap group
+ * @param expiry - Certificate expiry (unix seconds). Default: 1 hour from now.
+ */
+export declare function authenticateWithSchnorrAuthKey(config: {
+    bootstrapGroup: string;
+    bootstrapNodes: string[];
+    nodeProxyUrl: string;
+}, targetNodeUrl: string, proxyEndpoint: string, targetGroupId: string, authKeyPub: string, identity: string, sessionKeypair: SessionKeypair, bootstrapSessionKeypair: SessionKeypair, claims: {
+    iss: string;
+    sub: string;
+}, expiry?: number): Promise<AuthKeyCertResult>;
+//# sourceMappingURL=authkey-session.d.ts.map

package/dist/authkey-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authkey-session.d.ts","sourceRoot":"","sources":["../src/authkey-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAG9C,MAAM,WAAW,iBAAiB;IAChC,yCAAyC;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,wDAAwD;IACxD,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,wBAAsB,uBAAuB,CAC3C,MAAM,EAAE,iBAAiB,EACzB,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,UAAU,EAC1B,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,cAAc,EAC9B,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,iBAAiB,CAAC,CAwD5B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,8BAA8B,CAClD,MAAM,EAAE;IACN,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;CACtB,EACD,aAAa,EAAE,MAAM,EACrB,aAAa,EAAE,MAAM,EACrB,aAAa,EAAE,MAAM,EACrB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,cAAc,EAC9B,uBAAuB,EAAE,cAAc,EACvC,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,EACpC,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,iBAAiB,CAAC,CAqE5B"}

package/dist/authkey-session.js

@@ -0,0 +1,164 @@
+/**
+ * Auth key certificate session flow.
+ *
+ * Creates a node session using an ECDSA auth key certificate instead of
+ * an OAuth/ZK proof. This enables keygen and signing without user login —
+ * useful for backend services, AI agents, or any programmatic access.
+ *
+ * Flow:
+ * 1. Sign a certificate binding an identity + session pub to the auth key
+ * 2. POST /v1/auth with the certificate to establish a session
+ * 3. Use the session key for subsequent keygen/sign requests (same as OAuth flow)
+ *
+ * The identity becomes the key namespace: keys are stored as "authkey:<identity>"
+ * (or "authkey:<identity>:<suffix>" with key_suffix).
+ */
+import { bytesToHex } from "./session";
+/**
+ * Authenticate with a node using an auth key certificate.
+ *
+ * @param config - Node URL / proxy config
+ * @param groupId - Group contract address
+ * @param authPrivateKey - 32-byte ECDSA private key (matches an on-chain auth key)
+ * @param identity - Logical identity string (e.g. "my-backend", "agent-1")
+ * @param sessionKeypair - Ephemeral session keypair for subsequent requests
+ * @param expiry - Certificate expiry (unix seconds). Default: 1 hour from now.
+ */
+export async function authenticateWithAuthKey(config, groupId, authPrivateKey, identity, sessionKeypair, expiry) {
+    const { getPublicKey, signAsync } = await import("@noble/secp256k1");
+    const normalizedGroupId = groupId.toLowerCase();
+    const certExpiry = expiry ?? Math.floor(Date.now() / 1000) + 3600;
+    // Derive the auth key public key (with ECDSA prefix 0x00)
+    const authPubBytes = getPublicKey(authPrivateKey, true);
+    const authKeyPub = `0x00${bytesToHex(authPubBytes)}`;
+    // Sign certificate: SHA256(identity + ":" + group_id + ":" + session_pub_hex + ":" + expiry_8BE)
+    const certHash = await computeCertHash(identity, normalizedGroupId, sessionKeypair.publicKeyHex, certExpiry);
+    const certSig = await signAsync(certHash, authPrivateKey, {
+        lowS: true,
+        prehash: false,
+    });
+    const certSigHex = bytesToHex(new Uint8Array(certSig));
+    // POST /v1/auth with certificate
+    const url = config.proxyEndpoint ?? `${config.nodeUrl}/v1/auth`;
+    const headers = { "Content-Type": "application/json" };
+    if (config.proxyEndpoint) {
+        headers["x-node-url"] = config.nodeUrl;
+        headers["x-node-path"] = "/v1/auth";
+    }
+    const res = await fetch(url, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+            group_id: normalizedGroupId,
+            session_pub: sessionKeypair.publicKeyHex,
+            certificate: {
+                identity,
+                expiry: certExpiry,
+                auth_key_pub: authKeyPub,
+                signature: certSigHex,
+            },
+        }),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Auth key auth failed: ${res.status} — ${body}`);
+    }
+    const data = await res.json();
+    return {
+        identity: data.identity ?? identity,
+        expiresAt: data.expires_at ?? certExpiry,
+    };
+}
+/**
+ * Authenticate with a node using a Schnorr auth key certificate.
+ *
+ * The certificate hash is threshold-signed via the bootstrap group (FROST),
+ * producing a 65-byte Schnorr signature. This works for auth keys registered
+ * on-chain with the 0x01 (Schnorr) prefix.
+ *
+ * @param config - Bootstrap group config for threshold signing
+ * @param targetNodeUrl - The target group node to authenticate with
+ * @param proxyEndpoint - CORS proxy URL
+ * @param targetGroupId - The target group contract address
+ * @param authKeyPub - Auth key with 0x01 prefix (e.g. "0x0103d767f7...")
+ * @param identity - Logical identity string (e.g. "key-tester")
+ * @param sessionKeypair - Session keypair for the target group node
+ * @param bootstrapSessionKeypair - Session keypair for the bootstrap group (already authed)
+ * @param claims - OAuth claims for signing requests to the bootstrap group
+ * @param expiry - Certificate expiry (unix seconds). Default: 1 hour from now.
+ */
+export async function authenticateWithSchnorrAuthKey(config, targetNodeUrl, proxyEndpoint, targetGroupId, authKeyPub, identity, sessionKeypair, bootstrapSessionKeypair, claims, expiry) {
+    const { signSignRequest } = await import("./request");
+    const normalizedGroupId = targetGroupId.toLowerCase();
+    const certExpiry = expiry ?? Math.floor(Date.now() / 1000) + 3600;
+    // Compute certificate hash
+    const certHash = await computeCertHash(identity, normalizedGroupId, sessionKeypair.publicKeyHex, certExpiry);
+    // Threshold-sign the cert hash via bootstrap group
+    const signReq = await signSignRequest(bootstrapSessionKeypair, claims, config.bootstrapGroup, certHash);
+    const signRes = await fetch(config.nodeProxyUrl, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "x-node-url": config.bootstrapNodes[0],
+            "x-node-path": "/v1/sign",
+        },
+        body: JSON.stringify(signReq),
+    });
+    if (!signRes.ok) {
+        const body = await signRes.text();
+        throw new Error(`Schnorr cert signing failed: ${signRes.status} — ${body}`);
+    }
+    const { ethereum_signature } = await signRes.json();
+    // POST /v1/auth on the target group node with the Schnorr-signed certificate
+    const res = await fetch(proxyEndpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            "x-node-url": targetNodeUrl,
+            "x-node-path": "/v1/auth",
+        },
+        body: JSON.stringify({
+            group_id: normalizedGroupId,
+            session_pub: sessionKeypair.publicKeyHex,
+            certificate: {
+                identity,
+                expiry: certExpiry,
+                auth_key_pub: authKeyPub,
+                signature: ethereum_signature,
+            },
+        }),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Schnorr auth key auth failed: ${res.status} — ${body}`);
+    }
+    const data = await res.json();
+    return {
+        identity: data.identity ?? identity,
+        expiresAt: data.expires_at ?? certExpiry,
+    };
+}
+async function computeCertHash(identity, groupId, sessionPubHex, expiry) {
+    const enc = new TextEncoder();
+    const expiryBuf = new ArrayBuffer(8);
+    new DataView(expiryBuf).setBigUint64(0, BigInt(expiry));
+    const parts = [
+        enc.encode(identity),
+        enc.encode(":"),
+        enc.encode(groupId),
+        enc.encode(":"),
+        enc.encode(sessionPubHex),
+        enc.encode(":"),
+        new Uint8Array(expiryBuf),
+    ];
+    const total = parts.reduce((n, p) => n + p.length, 0);
+    const buf = new Uint8Array(total);
+    let offset = 0;
+    for (const p of parts) {
+        buf.set(p, offset);
+        offset += p.length;
+    }
+    const digest = await crypto.subtle.digest("SHA-256", buf);
+    return new Uint8Array(digest);
+}
+//# sourceMappingURL=authkey-session.js.map

package/dist/authkey-session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authkey-session.js","sourceRoot":"","sources":["../src/authkey-session.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAcvC;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,MAAyB,EACzB,OAAe,EACf,cAA0B,EAC1B,QAAgB,EAChB,cAA8B,EAC9B,MAAe;IAEf,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IAErE,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAChD,MAAM,UAAU,GAAG,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;IAElE,0DAA0D;IAC1D,MAAM,YAAY,GAAG,YAAY,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IACxD,MAAM,UAAU,GAAG,OAAO,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;IAErD,iGAAiG;IACjG,MAAM,QAAQ,GAAG,MAAM,eAAe,CACpC,QAAQ,EACR,iBAAiB,EACjB,cAAc,CAAC,YAAY,EAC3B,UAAU,CACX,CAAC;IACF,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,cAAc,EAAE;QACxD,IAAI,EAAE,IAAI;QACV,OAAO,EAAE,KAAK;KACf,CAAC,CAAC;IACH,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;IAEvD,iCAAiC;IACjC,MAAM,GAAG,GAAG,MAAM,CAAC,aAAa,IAAI,GAAG,MAAM,CAAC,OAAO,UAAU,CAAC;IAChE,MAAM,OAAO,GAA2B,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;IAC/E,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,OAAO,CAAC,YAAY,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;QACvC,OAAO,CAAC,aAAa,CAAC,GAAG,UAAU,CAAC;IACtC,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,iBAAiB;YAC3B,WAAW,EAAE,cAAc,CAAC,YAAY;YACxC,WAAW,EAAE;gBACX,QAAQ;gBACR,MAAM,EAAE,UAAU;gBAClB,YAAY,EAAE,UAAU;gBACxB,SAAS,EAAE,UAAU;aACtB;SACF,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO;QACL,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,QAAQ;QACnC,SAAS,EAAE,IAAI,CAAC,UAAU,IAAI,UAAU;KACzC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,MAIC,EACD,aAAqB,EACrB,aAAqB,EACrB,aAAqB,EACrB,UAAkB,EAClB,QAAgB,EAChB,cAA8B,EAC9B,uBAAuC,EACvC,MAAoC,EACpC,MAAe;IAEf,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEtD,MAAM,iBAAiB,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;IACtD,MAAM,UAAU,GAAG,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;IAElE,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,MAAM,eAAe,CACpC,QAAQ,EACR,iBAAiB,EACjB,cAAc,CAAC,YAAY,EAC3B,UAAU,CACX,CAAC;IAEF,mDAAmD;IACnD,MAAM,OAAO,GAAG,MAAM,eAAe,CACnC,uBAAuB,EACvB,MAAoD,EACpD,MAAM,CAAC,cAAc,EACrB,QAAQ,CACT,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,YAAY,EAAE;QAC/C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,YAAY,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC;YACtC,aAAa,EAAE,UAAU;SAC1B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IAEH,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,gCAAgC,OAAO,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;IAEpD,6EAA6E;IAC7E,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;QACrC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,YAAY,EAAE,aAAa;YAC3B,aAAa,EAAE,UAAU;SAC1B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,QAAQ,EAAE,iBAAiB;YAC3B,WAAW,EAAE,cAAc,CAAC,YAAY;YACxC,WAAW,EAAE;gBACX,QAAQ;gBACR,MAAM,EAAE,UAAU;gBAClB,YAAY,EAAE,UAAU;gBACxB,SAAS,EAAE,kBAAkB;aAC9B;SACF,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO;QACL,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,QAAQ;QACnC,SAAS,EAAE,IAAI,CAAC,UAAU,IAAI,UAAU;KACzC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,QAAgB,EAChB,OAAe,EACf,aAAqB,EACrB,MAAc;IAEd,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC;IACrC,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAExD,MAAM,KAAK,GAAiB;QAC1B,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC;QACpB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC;QACf,GAAG,CAAC,MAAM,CAAC,aAAa,CAAC;QACzB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC;QACf,IAAI,UAAU,CAAC,SAAS,CAAC;KAC1B,CAAC;IAEF,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC1D,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC"}

package/dist/bootstrap.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Bootstrap group node authentication.
+ *
+ * After generating a ZK proof of the JWT, POST it to each
+ * bootstrap node to register the session key.
+ */
+export interface BootstrapConfig {
+    groupId: string;
+    nodeUrls: string[];
+    /** Proxy endpoint for CORS — if set, requests go through this instead of directly to nodes */
+    proxyEndpoint?: string;
+}
+export interface AuthResult {
+    identity: string;
+    expiresAt: number;
+}
+/**
+ * Authenticate with all bootstrap nodes.
+ *
+ * Posts the ZK proof + session public key to each node's /v1/auth.
+ * All nodes must accept the session for signing to work.
+ */
+export declare function authenticateWithBootstrap(config: BootstrapConfig, proof: Uint8Array, sessionPubHex: string, claims: {
+    iss: string;
+    sub: string;
+    exp: number;
+    aud: string;
+    azp: string;
+}, jwksModulusBytes: Uint8Array): Promise<AuthResult>;
+//# sourceMappingURL=bootstrap.d.ts.map

package/dist/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,8FAA8F;IAC9F,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,eAAe,EACvB,KAAK,EAAE,UAAU,EACjB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,EAC3E,gBAAgB,EAAE,UAAU,GAC3B,OAAO,CAAC,UAAU,CAAC,CA2CrB"}

package/dist/bootstrap.js

@@ -0,0 +1,60 @@
+/**
+ * Bootstrap group node authentication.
+ *
+ * After generating a ZK proof of the JWT, POST it to each
+ * bootstrap node to register the session key.
+ */
+import { bytesToHex } from "./session";
+/**
+ * Authenticate with all bootstrap nodes.
+ *
+ * Posts the ZK proof + session public key to each node's /v1/auth.
+ * All nodes must accept the session for signing to work.
+ */
+export async function authenticateWithBootstrap(config, proof, sessionPubHex, claims, jwksModulusBytes) {
+    const request = {
+        group_id: config.groupId,
+        session_pub: sessionPubHex,
+        proof: bytesToHex(proof),
+        sub: claims.sub,
+        iss: claims.iss,
+        exp: claims.exp,
+        aud: claims.aud,
+        azp: claims.azp,
+        jwks_modulus: bytesToHex(jwksModulusBytes),
+    };
+    // Auth with all nodes in parallel
+    const results = await Promise.allSettled(config.nodeUrls.map((url) => authWithNode(url, request, config.proxyEndpoint)));
+    // Check that at least one succeeded
+    const successes = results.filter((r) => r.status === "fulfilled");
+    const failures = results.filter((r) => r.status === "rejected");
+    if (successes.length === 0) {
+        const reasons = failures.map((f) => f.reason?.message ?? String(f.reason));
+        throw new Error(`All bootstrap nodes rejected auth: ${reasons.join("; ")}`);
+    }
+    if (failures.length > 0) {
+        console.warn(`${failures.length}/${config.nodeUrls.length} bootstrap nodes failed auth:`, failures.map((f) => f.reason?.message));
+    }
+    return successes[0].value;
+}
+async function authWithNode(baseUrl, request, proxyEndpoint) {
+    const url = proxyEndpoint ?? `${baseUrl}/v1/auth`;
+    const headers = {
+        "Content-Type": "application/json",
+    };
+    if (proxyEndpoint) {
+        headers["x-node-url"] = baseUrl;
+        headers["x-node-path"] = "/v1/auth";
+    }
+    const res = await fetch(url, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(request),
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`${baseUrl}: ${res.status} — ${body}`);
+    }
+    return res.json();
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAcvC;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAuB,EACvB,KAAiB,EACjB,aAAqB,EACrB,MAA2E,EAC3E,gBAA4B;IAE5B,MAAM,OAAO,GAAoB;QAC/B,QAAQ,EAAE,MAAM,CAAC,OAAO;QACxB,WAAW,EAAE,aAAa;QAC1B,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC;QACxB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,YAAY,EAAE,UAAU,CAAC,gBAAgB,CAAC;KAC3C,CAAC;IAEF,kCAAkC;IAClC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAC1B,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,aAAa,CAAC,CACjD,CACF,CAAC;IAEF,oCAAoC;IACpC,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAC9B,CAAC,CAAC,EAA2C,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,WAAW,CACzE,CAAC;IACF,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAC7B,CAAC,CAAC,EAA8B,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAC3D,CAAC;IAEF,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3E,MAAM,IAAI,KAAK,CACb,sCAAsC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3D,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,IAAI,CACV,GAAG,QAAQ,CAAC,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,+BAA+B,EAC3E,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CACvC,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC5B,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,OAAe,EACf,OAAwB,EACxB,aAAsB;IAEtB,MAAM,GAAG,GAAG,aAAa,IAAI,GAAG,OAAO,UAAU,CAAC;IAClD,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,YAAY,CAAC,GAAG,OAAO,CAAC;QAChC,OAAO,CAAC,aAAa,CAAC,GAAG,UAAU,CAAC;IACtC,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,KAAK,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC"}

package/dist/bundler.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Bundler RPC client for ERC-4337 UserOperations.
+ *
+ * Framework-agnostic — all config is passed in, no env imports.
+ * Handles serialization between the packed UserOp format (used
+ * internally and for hashing) and the unpacked v0.7 RPC format
+ * expected by signet-min-bundler.
+ */
+import { type Address, type Hex } from "viem";
+import type { PackedUserOperation } from "./userop";
+export interface BundlerSendResult {
+    userOpHash: Hex;
+}
+export interface UserOpReceipt {
+    userOpHash: Hex;
+    transactionHash: Hex;
+    success: boolean;
+}
+export interface GasEstimate {
+    preVerificationGas: Hex;
+    verificationGasLimit: Hex;
+    callGasLimit: Hex;
+}
+/**
+ * ERC-7677 paymaster sponsorship result.
+ *
+ * The bundler returns paymaster gas limits as separate fields, but
+ * signet-min-bundler's wire format for eth_sendUserOperation expects
+ * them packed into the front of `paymasterData` (see packPaymasterData
+ * and the note on the getHash comment in internal/paymaster/paymaster.go).
+ */
+export interface PaymasterSponsorship {
+    paymaster: Address;
+    paymasterData: Hex;
+    paymasterVerificationGasLimit: Hex;
+    paymasterPostOpGasLimit: Hex;
+}
+/**
+ * ERC-7677 context object passed as the 4th parameter to
+ * pm_getPaymasterStubData / pm_getPaymasterData.
+ */
+export interface PaymasterContext {
+    invite_code?: string;
+}
+export declare function sendUserOp(bundlerUrl: string, entryPointAddress: Address, userOp: PackedUserOperation): Promise<BundlerSendResult>;
+export declare function getUserOpReceipt(bundlerUrl: string, userOpHash: Hex): Promise<UserOpReceipt | null>;
+export declare function estimateUserOpGas(bundlerUrl: string, entryPointAddress: Address, userOp: PackedUserOperation): Promise<GasEstimate>;
+/**
+ * Call pm_getPaymasterStubData.
+ *
+ * Returns paymaster fields with a correctly-sized but zeroed signature,
+ * suitable for gas estimation. Call this BEFORE eth_estimateUserOperationGas
+ * so the estimate accounts for the paymaster's verification overhead.
+ */
+export declare function getPaymasterStubData(bundlerUrl: string, entryPointAddress: Address, chainId: number, userOp: PackedUserOperation, context?: PaymasterContext): Promise<PaymasterSponsorship>;
+/**
+ * Call pm_getPaymasterData.
+ *
+ * Returns a real paymaster signature. The bundler first checks the
+ * paymaster contract's shouldSponsor() policy via eth_call; if sponsorship
+ * is rejected, this throws.
+ *
+ * IMPORTANT: call AFTER gas estimation, because the paymaster signs over
+ * the gas fields. Changing gas after this call invalidates the signature.
+ */
+export declare function getPaymasterData(bundlerUrl: string, entryPointAddress: Address, chainId: number, userOp: PackedUserOperation, context?: PaymasterContext): Promise<PaymasterSponsorship>;
+/**
+ * Pack an ERC-7677 sponsorship response into the on-chain paymasterAndData
+ * layout expected by EntryPoint v0.7:
+ *
+ *   [paymaster:20][verifGasLimit:16][postOpGasLimit:16][paymasterData:rest]
+ *
+ * The paymaster's getHash function reads paymasterAndData[20:52] as the
+ * packed (verifGasLimit || postOpGasLimit) uint128 pair — so the returned
+ * layout must match exactly or the paymaster signature will not verify
+ * on-chain (AA34 signature error).
+ *
+ * NOTE on the bundler's wire format: signet-min-bundler's FromRPC
+ * concatenates the JSON `paymaster` + `paymasterData` fields directly
+ * into paymasterAndData. It does NOT re-insert gas-limit bytes. So when
+ * serializing for eth_sendUserOperation, the `paymasterData` on the wire
+ * already includes the packed gas limits.
+ */
+export declare function applyPaymasterSponsorship(userOp: PackedUserOperation, s: PaymasterSponsorship): PackedUserOperation;
+//# sourceMappingURL=bundler.d.ts.map

package/dist/bundler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundler.d.ts","sourceRoot":"","sources":["../src/bundler.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,OAAO,EAAE,KAAK,GAAG,EAAU,MAAM,MAAM,CAAC;AACtD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAMpD,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,GAAG,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,GAAG,CAAC;IAChB,eAAe,EAAE,GAAG,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,kBAAkB,EAAE,GAAG,CAAC;IACxB,oBAAoB,EAAE,GAAG,CAAC;IAC1B,YAAY,EAAE,GAAG,CAAC;CACnB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,aAAa,EAAE,GAAG,CAAC;IACnB,6BAA6B,EAAE,GAAG,CAAC;IACnC,uBAAuB,EAAE,GAAG,CAAC;CAC9B;AAED;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAMD,wBAAsB,UAAU,CAC9B,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,OAAO,EAC1B,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,iBAAiB,CAAC,CAM5B;AAED,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,GAAG,GACd,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAY/B;AAED,wBAAsB,iBAAiB,CACrC,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,OAAO,EAC1B,MAAM,EAAE,mBAAmB,GAC1B,OAAO,CAAC,WAAW,CAAC,CAMtB;AAMD;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,OAAO,EAC1B,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,mBAAmB,EAC3B,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAE/B;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,OAAO,EAC1B,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,mBAAmB,EAC3B,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAE/B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,mBAAmB,EAC3B,CAAC,EAAE,oBAAoB,GACtB,mBAAmB,CAQrB"}