@oleary-labs/signet-sdk 0.1.0

package/dist/jwt.d.ts

@@ -0,0 +1,27 @@
+/**
+ * JWT parsing utilities for ZK proof witness construction.
+ *
+ * Extracts the components needed by the noir jwt_auth circuit:
+ * - Signed data (header.payload as raw bytes)
+ * - RSA signature (decoded from base64url)
+ * - Key ID (kid) from the header for JWKS lookup
+ */
+import type { IdTokenClaims } from "./types";
+/** Parsed JWT components needed for proof generation. */
+export interface ParsedJWT {
+    /** Raw signed data: base64(header) + "." + base64(payload) as bytes */
+    signedData: Uint8Array;
+    /** Base64-decoded RSA signature bytes */
+    signatureBytes: Uint8Array;
+    /** Key ID from the JWT header — used to find the right JWKS key */
+    kid: string;
+    /** Decoded payload claims */
+    claims: IdTokenClaims;
+    /** Offset where base64-encoded payload starts (header length + 1 for the dot) */
+    base64DecodeOffset: number;
+}
+/**
+ * Parse a JWT into its components for ZK proof generation.
+ */
+export declare function parseJWT(jwt: string): ParsedJWT;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C,yDAAyD;AACzD,MAAM,WAAW,SAAS;IACxB,uEAAuE;IACvE,UAAU,EAAE,UAAU,CAAC;IACvB,yCAAyC;IACzC,cAAc,EAAE,UAAU,CAAC;IAC3B,mEAAmE;IACnE,GAAG,EAAE,MAAM,CAAC;IACZ,6BAA6B;IAC7B,MAAM,EAAE,aAAa,CAAC;IACtB,iFAAiF;IACjF,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,CA+B/C"}

package/dist/jwt.js

@@ -0,0 +1,50 @@
+/**
+ * JWT parsing utilities for ZK proof witness construction.
+ *
+ * Extracts the components needed by the noir jwt_auth circuit:
+ * - Signed data (header.payload as raw bytes)
+ * - RSA signature (decoded from base64url)
+ * - Key ID (kid) from the header for JWKS lookup
+ */
+/**
+ * Parse a JWT into its components for ZK proof generation.
+ */
+export function parseJWT(jwt) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Invalid JWT: expected 3 parts");
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Decode header to get kid
+    const header = JSON.parse(base64urlDecode(headerB64));
+    if (header.alg !== "RS256") {
+        throw new Error(`Unsupported JWT algorithm: ${header.alg}`);
+    }
+    // Signed data is the raw ASCII bytes of "header.payload"
+    const signedDataStr = `${headerB64}.${payloadB64}`;
+    const signedData = new TextEncoder().encode(signedDataStr);
+    // Decode the RSA signature
+    const signatureBytes = base64urlDecodeBytes(signatureB64);
+    // Decode claims
+    const claims = JSON.parse(base64urlDecode(payloadB64));
+    return {
+        signedData,
+        signatureBytes,
+        kid: header.kid,
+        claims,
+        base64DecodeOffset: headerB64.length + 1,
+    };
+}
+function base64urlDecode(s) {
+    const padded = s.replace(/-/g, "+").replace(/_/g, "/");
+    return atob(padded);
+}
+function base64urlDecodeBytes(s) {
+    const decoded = base64urlDecode(s);
+    const bytes = new Uint8Array(decoded.length);
+    for (let i = 0; i < decoded.length; i++) {
+        bytes[i] = decoded.charCodeAt(i);
+    }
+    return bytes;
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAkBH;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,GAAW;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IAEpD,2BAA2B;IAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,8BAA8B,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,yDAAyD;IACzD,MAAM,aAAa,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IACnD,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAE3D,2BAA2B;IAC3B,MAAM,cAAc,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAE1D,gBAAgB;IAChB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAkB,CAAC;IAExE,OAAO;QACL,UAAU;QACV,cAAc;QACd,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,MAAM;QACN,kBAAkB,EAAE,SAAS,CAAC,MAAM,GAAG,CAAC;KACzC,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IAChC,MAAM,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACvD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,oBAAoB,CAAC,CAAS;IACrC,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,KAAK,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/keygen.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Distributed key generation via bootstrap nodes.
+ *
+ * After auth, call keygen to create a key shard for the session identity.
+ * 409 (key already exists) is treated as success — the key was already created
+ * in a previous session.
+ */
+import type { SessionKeypair, IdTokenClaims } from "./types";
+export interface KeygenConfig {
+    nodeUrls: string[];
+    groupId: string;
+    /** Proxy endpoint for CORS */
+    proxyEndpoint?: string;
+}
+export interface KeygenResult {
+    keyId: string;
+    ethereumAddress: string;
+    groupPublicKey: string;
+    alreadyExisted: boolean;
+}
+/**
+ * Trigger keygen on a bootstrap node.
+ * If the key already exists (409), returns success with alreadyExisted=true.
+ */
+export declare function keygen(config: KeygenConfig, keypair: SessionKeypair, claims: IdTokenClaims, keySuffix?: string, identity?: string, curve?: string, scope?: string): Promise<KeygenResult>;
+//# sourceMappingURL=keygen.d.ts.map

package/dist/keygen.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keygen.d.ts","sourceRoot":"","sources":["../src/keygen.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAG7D,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,EAAE,MAAM,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;;GAGG;AACH,wBAAsB,MAAM,CAC1B,MAAM,EAAE,YAAY,EACpB,OAAO,EAAE,cAAc,EACvB,MAAM,EAAE,aAAa,EACrB,SAAS,CAAC,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,MAAM,EACjB,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,YAAY,CAAC,CAmDvB"}

package/dist/keygen.js

@@ -0,0 +1,60 @@
+/**
+ * Distributed key generation via bootstrap nodes.
+ *
+ * After auth, call keygen to create a key shard for the session identity.
+ * 409 (key already exists) is treated as success — the key was already created
+ * in a previous session.
+ */
+import { signKeygenRequest } from "./request";
+/**
+ * Trigger keygen on a bootstrap node.
+ * If the key already exists (409), returns success with alreadyExisted=true.
+ */
+export async function keygen(config, keypair, claims, keySuffix, identity, curve, scope) {
+    const req = await signKeygenRequest(keypair, claims, config.groupId, keySuffix, identity);
+    // Try the first node (keygen only needs to be initiated on one node)
+    const nodeUrl = config.nodeUrls[0];
+    const url = config.proxyEndpoint
+        ? config.proxyEndpoint
+        : `${nodeUrl}/v1/keygen`;
+    const headers = {
+        "Content-Type": "application/json",
+    };
+    if (config.proxyEndpoint) {
+        headers["x-node-url"] = nodeUrl;
+        headers["x-node-path"] = "/v1/keygen";
+    }
+    // Add optional curve and scope to the request body
+    const body = { ...req };
+    if (curve)
+        body.curve = curve;
+    if (scope)
+        body.scope = scope;
+    const res = await fetch(url, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body),
+    });
+    if (res.status === 409) {
+        // Key already exists — node now returns full key info on 409
+        const data = await res.json();
+        return {
+            keyId: data.key_id ?? `${claims.iss}:${claims.sub}${keySuffix ? `:${keySuffix}` : ""}`,
+            ethereumAddress: data.ethereum_address ?? "",
+            groupPublicKey: data.public_key ?? "",
+            alreadyExisted: true,
+        };
+    }
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Keygen failed: ${res.status} — ${body}`);
+    }
+    const data = await res.json();
+    return {
+        keyId: data.key_id,
+        ethereumAddress: data.ethereum_address,
+        groupPublicKey: data.public_key,
+        alreadyExisted: false,
+    };
+}
+//# sourceMappingURL=keygen.js.map

package/dist/keygen.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keygen.js","sourceRoot":"","sources":["../src/keygen.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAgB9C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,MAAoB,EACpB,OAAuB,EACvB,MAAqB,EACrB,SAAkB,EAClB,QAAiB,EACjB,KAAc,EACd,KAAc;IAEd,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IAE1F,qEAAqE;IACrE,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,aAAa;QAC9B,CAAC,CAAC,MAAM,CAAC,aAAa;QACtB,CAAC,CAAC,GAAG,OAAO,YAAY,CAAC;IAE3B,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,OAAO,CAAC,YAAY,CAAC,GAAG,OAAO,CAAC;QAChC,OAAO,CAAC,aAAa,CAAC,GAAG,YAAY,CAAC;IACxC,CAAC;IAED,mDAAmD;IACnD,MAAM,IAAI,GAA4B,EAAE,GAAG,GAAG,EAAE,CAAC;IACjD,IAAI,KAAK;QAAE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IAC9B,IAAI,KAAK;QAAE,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IAE9B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IAEH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACvB,6DAA6D;QAC7D,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;YACtF,eAAe,EAAE,IAAI,CAAC,gBAAgB,IAAI,EAAE;YAC5C,cAAc,EAAE,IAAI,CAAC,UAAU,IAAI,EAAE;YACrC,cAAc,EAAE,IAAI;SACrB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,MAAM;QAClB,eAAe,EAAE,IAAI,CAAC,gBAAgB;QACtC,cAAc,EAAE,IAAI,CAAC,UAAU;QAC/B,cAAc,EAAE,KAAK;KACtB,CAAC;AACJ,CAAC"}

package/dist/oauth.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Google OAuth PKCE flow.
+ *
+ * Framework-agnostic — uses browser APIs only (sessionStorage, crypto, location).
+ * The token exchange itself is delegated to a caller-provided endpoint
+ * so the client_secret stays server-side.
+ */
+import type { IdTokenClaims } from "./types";
+export interface OAuthConfig {
+    clientId: string;
+    callbackPath?: string;
+}
+/**
+ * Kick off the Google OAuth PKCE flow.
+ * Stores PKCE state in sessionStorage and redirects to Google.
+ */
+export declare function startGoogleOAuth(config: OAuthConfig, returnTo?: string): Promise<void>;
+/**
+ * Handle the OAuth callback: validate state, exchange code for tokens.
+ *
+ * @param tokenEndpoint — URL of the server-side token exchange endpoint
+ * @returns The raw JWT id_token string, or throws on error.
+ */
+export declare function handleOAuthCallback(tokenEndpoint: string): Promise<string>;
+/**
+ * Decode a JWT payload without verification.
+ * Signature verification happens via ZK proof.
+ */
+export declare function decodeIdToken(jwt: string): IdTokenClaims;
+/**
+ * Get the return-to path stored before the OAuth redirect.
+ */
+export declare function getOAuthReturnTo(): string;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAqB7C,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,WAAW,EACnB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC,CAgCf;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,CA+CjB;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,CAWxD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAIzC"}

package/dist/oauth.js

@@ -0,0 +1,119 @@
+/**
+ * Google OAuth PKCE flow.
+ *
+ * Framework-agnostic — uses browser APIs only (sessionStorage, crypto, location).
+ * The token exchange itself is delegated to a caller-provided endpoint
+ * so the client_secret stays server-side.
+ */
+function base64urlEncode(buf) {
+    return btoa(String.fromCharCode(...new Uint8Array(buf)))
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
+function generateVerifier() {
+    const buf = new Uint8Array(32);
+    crypto.getRandomValues(buf);
+    return base64urlEncode(buf);
+}
+async function generateChallenge(verifier) {
+    const data = new TextEncoder().encode(verifier);
+    const digest = await crypto.subtle.digest("SHA-256", data);
+    return base64urlEncode(digest);
+}
+/**
+ * Kick off the Google OAuth PKCE flow.
+ * Stores PKCE state in sessionStorage and redirects to Google.
+ */
+export async function startGoogleOAuth(config, returnTo) {
+    if (!config.clientId) {
+        throw new Error("Google Client ID not configured");
+    }
+    const verifier = generateVerifier();
+    const challenge = await generateChallenge(verifier);
+    const state = base64urlEncode(crypto.getRandomValues(new Uint8Array(16)));
+    sessionStorage.setItem("signet_oauth_verifier", verifier);
+    sessionStorage.setItem("signet_oauth_state", state);
+    sessionStorage.setItem("signet_oauth_return_to", returnTo ?? window.location.pathname);
+    const callbackPath = config.callbackPath ?? "/auth/callback";
+    const redirectUri = `${window.location.origin}${callbackPath}`;
+    const params = new URLSearchParams({
+        client_id: config.clientId,
+        redirect_uri: redirectUri,
+        response_type: "code",
+        scope: "openid profile email",
+        code_challenge: challenge,
+        code_challenge_method: "S256",
+        state,
+    });
+    window.location.href = `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+}
+/**
+ * Handle the OAuth callback: validate state, exchange code for tokens.
+ *
+ * @param tokenEndpoint — URL of the server-side token exchange endpoint
+ * @returns The raw JWT id_token string, or throws on error.
+ */
+export async function handleOAuthCallback(tokenEndpoint) {
+    const params = new URLSearchParams(window.location.search);
+    const code = params.get("code");
+    const state = params.get("state");
+    const error = params.get("error");
+    if (error) {
+        throw new Error(`Google OAuth error: ${error} — ${params.get("error_description") ?? ""}`);
+    }
+    if (!code) {
+        throw new Error("No authorization code received");
+    }
+    const savedState = sessionStorage.getItem("signet_oauth_state");
+    if (state !== savedState) {
+        throw new Error("State mismatch — possible CSRF attack");
+    }
+    const verifier = sessionStorage.getItem("signet_oauth_verifier");
+    const callbackUri = window.location.origin + window.location.pathname;
+    // Clean up PKCE state
+    sessionStorage.removeItem("signet_oauth_state");
+    sessionStorage.removeItem("signet_oauth_verifier");
+    const res = await fetch(tokenEndpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+            code,
+            code_verifier: verifier,
+            redirect_uri: callbackUri,
+        }),
+    });
+    const data = await res.json();
+    if (data.error) {
+        throw new Error(`Token exchange failed: ${data.error} — ${data.error_description ?? ""}`);
+    }
+    return data.id_token;
+}
+/**
+ * Decode a JWT payload without verification.
+ * Signature verification happens via ZK proof.
+ */
+export function decodeIdToken(jwt) {
+    const payload = jwt.split(".")[1];
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    const claims = JSON.parse(decoded);
+    // Preserve original aud/azp presence for ZK proof public input matching.
+    // If the JWT doesn't have aud or azp, keep them empty so the prover
+    // and verifier agree on the same (empty) public inputs.
+    if (claims.aud === undefined)
+        claims.aud = "";
+    if (claims.azp === undefined)
+        claims.azp = "";
+    if (claims.email === undefined)
+        claims.email = "";
+    return claims;
+}
+/**
+ * Get the return-to path stored before the OAuth redirect.
+ */
+export function getOAuthReturnTo() {
+    const returnTo = sessionStorage.getItem("signet_oauth_return_to") ?? "/";
+    sessionStorage.removeItem("signet_oauth_return_to");
+    return returnTo;
+}
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.js","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,SAAS,eAAe,CAAC,GAA6B;IACpD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;SACrD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,QAAgB;IAC/C,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC;AAOD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAmB,EACnB,QAAiB;IAEjB,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IACpC,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,KAAK,GAAG,eAAe,CAC3B,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAC3C,CAAC;IAEF,cAAc,CAAC,OAAO,CAAC,uBAAuB,EAAE,QAAQ,CAAC,CAAC;IAC1D,cAAc,CAAC,OAAO,CAAC,oBAAoB,EAAE,KAAK,CAAC,CAAC;IACpD,cAAc,CAAC,OAAO,CACpB,wBAAwB,EACxB,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CACrC,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,gBAAgB,CAAC;IAC7D,MAAM,WAAW,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,YAAY,EAAE,CAAC;IAE/D,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,MAAM,CAAC,QAAQ;QAC1B,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,sBAAsB;QAC7B,cAAc,EAAE,SAAS;QACzB,qBAAqB,EAAE,MAAM;QAC7B,KAAK;KACN,CAAC,CAAC;IAEH,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,gDAAgD,MAAM,EAAE,CAAC;AAClF,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,aAAqB;IAErB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAElC,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,uBAAuB,KAAK,MAAM,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,EAAE,EAAE,CAC1E,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChE,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;IAEtE,sBAAsB;IACtB,cAAc,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IAChD,cAAc,CAAC,UAAU,CAAC,uBAAuB,CAAC,CAAC;IAEnD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;QACrC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,IAAI;YACJ,aAAa,EAAE,QAAQ;YACvB,YAAY,EAAE,WAAW;SAC1B,CAAC;KACH,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IAE9B,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,0BAA0B,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,iBAAiB,IAAI,EAAE,EAAE,CACzE,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC,QAAQ,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACnC,yEAAyE;IACzE,oEAAoE;IACpE,wDAAwD;IACxD,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS;QAAE,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;IAC9C,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS;QAAE,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;IAC9C,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,EAAE,CAAC;IAClD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,wBAAwB,CAAC,IAAI,GAAG,CAAC;IACzE,cAAc,CAAC,UAAU,CAAC,wBAAwB,CAAC,CAAC;IACpD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/request.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Session-authenticated request signing.
+ *
+ * After auth, every keygen/sign request must include a signature
+ * over the canonical request hash, produced with the session private key.
+ *
+ * Canonical hash: SHA256(groupID ":" keyID ":" nonce ":" timestamp_8BE [":" messageHash])
+ * Signature: 64-byte [R || S] secp256k1 ECDSA (no recovery byte)
+ */
+import type { SessionKeypair, IdTokenClaims } from "./types";
+/** Signed request ready to POST to a node. */
+export interface SignedRequest {
+    group_id: string;
+    key_suffix?: string;
+    session_pub: string;
+    request_sig: string;
+    nonce: string;
+    timestamp: number;
+}
+/** Signed request with message_hash for /v1/sign. */
+export interface SignedSignRequest extends SignedRequest {
+    message_hash: string;
+}
+/**
+ * Derive the key ID that the node will resolve for this session.
+ *
+ * For OAuth sessions: iss:sub or iss:sub:suffix
+ * e.g. https://accounts.google.com:114810956681671373980
+ */
+export declare function deriveKeyId(claims: IdTokenClaims, keySuffix?: string, identity?: string): string;
+/**
+ * Build and sign a keygen request.
+ *
+ * @param identity - For auth key cert sessions, pass the identity string.
+ *   The key ID becomes `identity[:suffix]` instead of `iss:sub[:suffix]`.
+ */
+export declare function signKeygenRequest(keypair: SessionKeypair, claims: IdTokenClaims, groupId: string, keySuffix?: string, identity?: string): Promise<SignedRequest>;
+/**
+ * Build and sign a threshold signing request.
+ */
+export declare function signSignRequest(keypair: SessionKeypair, claims: IdTokenClaims, groupId: string, messageHash: Uint8Array, keySuffix?: string, identity?: string): Promise<SignedSignRequest>;
+//# sourceMappingURL=request.d.ts.map

package/dist/request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../src/request.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAG7D,8CAA8C;AAC9C,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,qDAAqD;AACrD,MAAM,WAAW,iBAAkB,SAAQ,aAAa;IACtD,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,aAAa,EAAE,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAGhG;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,cAAc,EACvB,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,SAAS,CAAC,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC,CAiBxB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,cAAc,EACvB,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,UAAU,EACvB,SAAS,CAAC,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,iBAAiB,CAAC,CAwB5B"}

package/dist/request.js

@@ -0,0 +1,115 @@
+/**
+ * Session-authenticated request signing.
+ *
+ * After auth, every keygen/sign request must include a signature
+ * over the canonical request hash, produced with the session private key.
+ *
+ * Canonical hash: SHA256(groupID ":" keyID ":" nonce ":" timestamp_8BE [":" messageHash])
+ * Signature: 64-byte [R || S] secp256k1 ECDSA (no recovery byte)
+ */
+import { bytesToHex } from "./session";
+/**
+ * Derive the key ID that the node will resolve for this session.
+ *
+ * For OAuth sessions: iss:sub or iss:sub:suffix
+ * e.g. https://accounts.google.com:114810956681671373980
+ */
+export function deriveKeyId(claims, keySuffix, identity) {
+    const base = identity ?? `${claims.iss}:${claims.sub}`;
+    return keySuffix ? `${base}:${keySuffix}` : base;
+}
+/**
+ * Build and sign a keygen request.
+ *
+ * @param identity - For auth key cert sessions, pass the identity string.
+ *   The key ID becomes `identity[:suffix]` instead of `iss:sub[:suffix]`.
+ */
+export async function signKeygenRequest(keypair, claims, groupId, keySuffix, identity) {
+    const normalizedGroupId = groupId.toLowerCase();
+    const keyId = deriveKeyId(claims, keySuffix, identity);
+    const nonce = generateNonce();
+    const timestamp = Math.floor(Date.now() / 1000);
+    const hash = await canonicalRequestHash(normalizedGroupId, keyId, nonce, timestamp);
+    const sig = await signHash(keypair.privateKey, hash);
+    return {
+        group_id: normalizedGroupId,
+        key_suffix: keySuffix,
+        session_pub: keypair.publicKeyHex,
+        request_sig: bytesToHex(sig),
+        nonce,
+        timestamp,
+    };
+}
+/**
+ * Build and sign a threshold signing request.
+ */
+export async function signSignRequest(keypair, claims, groupId, messageHash, keySuffix, identity) {
+    const normalizedGroupId = groupId.toLowerCase();
+    const keyId = deriveKeyId(claims, keySuffix, identity);
+    const nonce = generateNonce();
+    const timestamp = Math.floor(Date.now() / 1000);
+    const hash = await canonicalRequestHash(normalizedGroupId, keyId, nonce, timestamp, messageHash);
+    const sig = await signHash(keypair.privateKey, hash);
+    return {
+        group_id: normalizedGroupId,
+        key_suffix: keySuffix,
+        session_pub: keypair.publicKeyHex,
+        request_sig: bytesToHex(sig),
+        nonce,
+        timestamp,
+        message_hash: bytesToHex(messageHash),
+    };
+}
+/**
+ * Compute the canonical request hash matching the Go node's format.
+ *
+ * SHA256(groupID ":" keyID ":" nonce ":" timestamp_8BE [":" messageHash])
+ */
+async function canonicalRequestHash(groupId, keyId, nonce, timestamp, messageHash) {
+    const parts = [];
+    const enc = new TextEncoder();
+    parts.push(enc.encode(groupId));
+    parts.push(enc.encode(":"));
+    parts.push(enc.encode(keyId));
+    parts.push(enc.encode(":"));
+    parts.push(enc.encode(nonce));
+    parts.push(enc.encode(":"));
+    // timestamp as 8-byte big-endian
+    const tsBuf = new ArrayBuffer(8);
+    const view = new DataView(tsBuf);
+    view.setBigUint64(0, BigInt(timestamp));
+    parts.push(new Uint8Array(tsBuf));
+    if (messageHash && messageHash.length > 0) {
+        parts.push(enc.encode(":"));
+        parts.push(messageHash);
+    }
+    // Concatenate
+    const total = parts.reduce((n, p) => n + p.length, 0);
+    const buf = new Uint8Array(total);
+    let offset = 0;
+    for (const p of parts) {
+        buf.set(p, offset);
+        offset += p.length;
+    }
+    const digest = await crypto.subtle.digest("SHA-256", buf);
+    return new Uint8Array(digest);
+}
+/**
+ * Sign a 32-byte hash with the session private key.
+ * Returns 64-byte [R || S] signature (no recovery byte).
+ *
+ * Uses signAsync which works without configuring hashes.sha256.
+ * lowS: true to match go-ethereum's crypto.VerifySignature.
+ */
+async function signHash(privateKey, hash) {
+    const { signAsync } = await import("@noble/secp256k1");
+    // prehash: false — our input is already SHA-256'd, don't hash again
+    const sig = await signAsync(hash, privateKey, { lowS: true, prehash: false });
+    return new Uint8Array(sig);
+}
+function generateNonce() {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    return bytesToHex(bytes);
+}
+//# sourceMappingURL=request.js.map

package/dist/request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.js","sourceRoot":"","sources":["../src/request.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAiBvC;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,MAAqB,EAAE,SAAkB,EAAE,QAAiB;IACtF,MAAM,IAAI,GAAG,QAAQ,IAAI,GAAG,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;IACvD,OAAO,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACnD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAuB,EACvB,MAAqB,EACrB,OAAe,EACf,SAAkB,EAClB,QAAiB;IAEjB,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEhD,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAErD,OAAO;QACL,QAAQ,EAAE,iBAAiB;QAC3B,UAAU,EAAE,SAAS;QACrB,WAAW,EAAE,OAAO,CAAC,YAAY;QACjC,WAAW,EAAE,UAAU,CAAC,GAAG,CAAC;QAC5B,KAAK;QACL,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAuB,EACvB,MAAqB,EACrB,OAAe,EACf,WAAuB,EACvB,SAAkB,EAClB,QAAiB;IAEjB,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEhD,MAAM,IAAI,GAAG,MAAM,oBAAoB,CACrC,iBAAiB,EACjB,KAAK,EACL,KAAK,EACL,SAAS,EACT,WAAW,CACZ,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAErD,OAAO;QACL,QAAQ,EAAE,iBAAiB;QAC3B,UAAU,EAAE,SAAS;QACrB,WAAW,EAAE,OAAO,CAAC,YAAY;QACjC,WAAW,EAAE,UAAU,CAAC,GAAG,CAAC;QAC5B,KAAK;QACL,SAAS;QACT,YAAY,EAAE,UAAU,CAAC,WAAW,CAAC;KACtC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,oBAAoB,CACjC,OAAe,EACf,KAAa,EACb,KAAa,EACb,SAAiB,EACjB,WAAwB;IAExB,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAE9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAChC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAE5B,iCAAiC;IACjC,MAAM,KAAK,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACxC,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;IAElC,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC1B,CAAC;IAED,cAAc;IACd,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAC1D,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,QAAQ,CACrB,UAAsB,EACtB,IAAgB;IAEhB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACvD,oEAAoE;IACpE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9E,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC"}

package/dist/scopedSign.d.ts

@@ -0,0 +1,82 @@
+/**
+ * Structured EIP-712 signing for scoped keys.
+ *
+ * Scoped keys reject raw hash signing — the caller must provide a
+ * structured payload that the node verifies against the key's scope
+ * before computing the hash and signing.
+ */
+import type { SessionKeypair, IdTokenClaims } from "./types";
+export interface EIP712Domain {
+    name?: string;
+    version?: string;
+    chainId: number;
+    verifyingContract: string;
+}
+export interface EIP712TypedData {
+    domain: EIP712Domain;
+    types: Record<string, Array<{
+        name: string;
+        type: string;
+    }>>;
+    primaryType: string;
+    message: Record<string, unknown>;
+}
+export interface ScopedSignResult {
+    signature: string;
+    ecdsaSignature: string;
+    curve: string;
+}
+/**
+ * Build an EIP-712 domain scope (scheme 0x03).
+ *
+ * Format: 0x03 | chainId (8 bytes, uint64 BE) | verifyingContract (20 bytes)
+ * Total: 29 bytes.
+ */
+export declare function buildEIP712Scope(chainId: number, verifyingContract: string): string;
+/**
+ * Sign a structured EIP-712 payload with a scoped key.
+ *
+ * The node extracts the domain from the typed data, verifies it matches
+ * the key's scope, computes hashTypedData, and threshold-signs.
+ *
+ * @param nodeUrl - Target group node URL
+ * @param proxyEndpoint - CORS proxy URL
+ * @param groupId - Group contract address
+ * @param keyId - The scoped sub-key to sign with
+ * @param curve - Key curve (e.g. "ecdsa_secp256k1")
+ * @param typedData - Full EIP-712 typed data structure
+ * @param sessionKeypair - Active session keypair
+ * @param claims - OAuth/identity claims for session auth
+ * @param identity - For auth key cert sessions
+ */
+export declare function signTypedData(nodeUrl: string, proxyEndpoint: string, groupId: string, keyId: string, curve: string, typedData: EIP712TypedData, sessionKeypair: SessionKeypair, claims: IdTokenClaims, identity?: string): Promise<ScopedSignResult>;
+export declare const CHAIN_PRESETS: readonly [{
+    readonly label: "USDC on Base";
+    readonly chainId: 8453;
+    readonly contractName: "USDC";
+    readonly verifyingContract: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913";
+    readonly eip712Name: "USD Coin";
+    readonly eip712Version: "2";
+}, {
+    readonly label: "USDC on Base Sepolia";
+    readonly chainId: 84532;
+    readonly contractName: "USDC";
+    readonly verifyingContract: "0x036CbD53842c5426634e7929541eC2318f3dCF7e";
+    readonly eip712Name: "USD Coin";
+    readonly eip712Version: "2";
+}, {
+    readonly label: "USDC on Ethereum";
+    readonly chainId: 1;
+    readonly contractName: "USDC";
+    readonly verifyingContract: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48";
+    readonly eip712Name: "USD Coin";
+    readonly eip712Version: "2";
+}, {
+    readonly label: "USDC on Sepolia";
+    readonly chainId: 11155111;
+    readonly contractName: "USDC";
+    readonly verifyingContract: "0x1c7D4B196Cb0C7B01d743Fbc6116a902379C7238";
+    readonly eip712Name: "USD Coin";
+    readonly eip712Version: "2";
+}];
+//# sourceMappingURL=scopedSign.d.ts.map

package/dist/scopedSign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopedSign.d.ts","sourceRoot":"","sources":["../src/scopedSign.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAO7D,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,YAAY,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC,CAAC;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;CACf;AAMD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAiBnF;AAMD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,eAAe,EAC1B,cAAc,EAAE,cAAc,EAC9B,MAAM,EAAE,aAAa,EACrB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAkD3B;AAMD,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAiChB,CAAC"}