@opaquecash/disclosure 0.2.0

package/dist/context.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Disclosure request contexts — spec/conditional-disclosure.md §5.
+ * `context` commits the proof and the custodian quorum signature to one exact
+ * request (policy, case, requester). Each chain's registry recomputes it on-chain,
+ * so these MUST match the deployed encodings byte-for-byte.
+ */
+import { type Address, type Hex } from "viem";
+export declare const FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
+/** keccak256("opaque/disclosure/v1") mod r — the nullifier domain tag (spec §7). */
+export declare const DOMAIN_DISCLOSURE = 2892858644728810973983554811705195156385130922452064297470708309156017996001n;
+/** Ethereum: `uint256(keccak256(abi.encode(policyId, caseId, requester))) % r`. */
+export declare function computeContextEvm(policyId: bigint, caseId: Hex, requester: Address): bigint;
+/**
+ * Solana: `keccak256(policy_pda ‖ case_id ‖ requester)` with the top 3 bits
+ * cleared (< 2^253 < r), matching the program and the pool's scope/context style.
+ */
+export declare function computeContextSolana(policy: Uint8Array, caseId: Uint8Array, requester: Uint8Array): bigint;
+/** The 32-byte big-endian message the custodian quorum FROST-signs. */
+export declare function contextToMessage(context: bigint): Uint8Array;
+//# sourceMappingURL=context.d.ts.map

package/dist/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAkC,KAAK,OAAO,EAAE,KAAK,GAAG,EAAE,MAAM,MAAM,CAAC;AAE9E,eAAO,MAAM,KAAK,iFAC8D,CAAC;AAEjF,oFAAoF;AACpF,eAAO,MAAM,iBAAiB,gFACiD,CAAC;AAEhF,mFAAmF;AACnF,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,GAAG,MAAM,CAW3F;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,UAAU,EAClB,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,UAAU,GACpB,MAAM,CAWR;AAED,uEAAuE;AACvE,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAG5D"}

package/dist/context.js

@@ -0,0 +1,37 @@
+/**
+ * Disclosure request contexts — spec/conditional-disclosure.md §5.
+ * `context` commits the proof and the custodian quorum signature to one exact
+ * request (policy, case, requester). Each chain's registry recomputes it on-chain,
+ * so these MUST match the deployed encodings byte-for-byte.
+ */
+import { encodeAbiParameters, keccak256 } from "viem";
+export const FIELD = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
+/** keccak256("opaque/disclosure/v1") mod r — the nullifier domain tag (spec §7). */
+export const DOMAIN_DISCLOSURE = 2892858644728810973983554811705195156385130922452064297470708309156017996001n;
+/** Ethereum: `uint256(keccak256(abi.encode(policyId, caseId, requester))) % r`. */
+export function computeContextEvm(policyId, caseId, requester) {
+    return (BigInt(keccak256(encodeAbiParameters([{ type: "uint256" }, { type: "bytes32" }, { type: "address" }], [policyId, caseId, requester]))) % FIELD);
+}
+/**
+ * Solana: `keccak256(policy_pda ‖ case_id ‖ requester)` with the top 3 bits
+ * cleared (< 2^253 < r), matching the program and the pool's scope/context style.
+ */
+export function computeContextSolana(policy, caseId, requester) {
+    if (policy.length !== 32 || caseId.length !== 32 || requester.length !== 32) {
+        throw new Error("policy, caseId, and requester must each be 32 bytes");
+    }
+    const joined = new Uint8Array(96);
+    joined.set(policy, 0);
+    joined.set(caseId, 32);
+    joined.set(requester, 64);
+    const digest = Buffer.from(keccak256(joined).slice(2), "hex");
+    digest[0] &= 0x1f;
+    return BigInt("0x" + digest.toString("hex"));
+}
+/** The 32-byte big-endian message the custodian quorum FROST-signs. */
+export function contextToMessage(context) {
+    if (context < 0n || context >= FIELD)
+        throw new Error("context out of field");
+    return Uint8Array.from(Buffer.from(context.toString(16).padStart(64, "0"), "hex"));
+}
+//# sourceMappingURL=context.js.map

package/dist/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAA0B,MAAM,MAAM,CAAC;AAE9E,MAAM,CAAC,MAAM,KAAK,GAChB,8EAA8E,CAAC;AAEjF,oFAAoF;AACpF,MAAM,CAAC,MAAM,iBAAiB,GAC5B,6EAA6E,CAAC;AAEhF,mFAAmF;AACnF,MAAM,UAAU,iBAAiB,CAAC,QAAgB,EAAE,MAAW,EAAE,SAAkB;IACjF,OAAO,CACL,MAAM,CACJ,SAAS,CACP,mBAAmB,CACjB,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EAC/D,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAC9B,CACF,CACF,GAAG,KAAK,CACV,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAkB,EAClB,MAAkB,EAClB,SAAqB;IAErB,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5E,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACtB,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC1B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAC9D,MAAM,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAClB,OAAO,MAAM,CAAC,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,IAAI,OAAO,GAAG,EAAE,IAAI,OAAO,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC9E,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACrF,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * `@opaquecash/disclosure` — conditional disclosure / threshold viewing keys
+ * (spec/conditional-disclosure.md).
+ *
+ * Two surfaces:
+ *   - **Escrow backstop**: {@link splitViewingKey} / {@link recoverViewingKey} —
+ *     Shamir shares of the CSAP viewing key. Reconstruction reveals the FULL key;
+ *     recovery only.
+ *   - **Active disclosure**: {@link buildDisclosureWitness} +
+ *     {@link generateDisclosureProof} (pool-scoped Groth16 proof) gated by a
+ *     custodian FROST quorum's BIP-340 signature ({@link verifyQuorumSignature})
+ *     over the request {@link computeContextEvm | context}, submitted via
+ *     {@link buildDiscloseTx} / {@link buildDiscloseIx}.
+ *
+ * @packageDocumentation
+ */
+export { splitViewingKey, recoverViewingKey, parseShare, SHARE_SCHEME, type ParsedShare, } from "./shamir.js";
+export { FIELD, DOMAIN_DISCLOSURE, computeContextEvm, computeContextSolana, contextToMessage, } from "./context.js";
+export { liftEvenY, parseBip340, parseFrostSignature, verifyQuorumSignature, type QuorumSignature, type FrostSignatureFile, } from "./schnorr.js";
+export { disclosureNullifier, buildDisclosureWitness, generateDisclosureProof, POOL_LEVELS, type DisclosureArtifacts, type BuildDisclosureWitnessParams, type DisclosureWitness, type DisclosureProof, } from "./prove.js";
+export { opaqueDisclosureRegistryAbi, buildRegisterPolicyTx, buildDiscloseTx, policyPda, disclosureNullifierPda, buildRegisterPolicyIx, buildDiscloseIx, toSolanaProof, toSolidityProof, type EvmTxRequest, type SolanaProofBytes, type SolidityProof, } from "./tx.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,KAAK,WAAW,GACjB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,KAAK,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,SAAS,EACT,WAAW,EACX,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,eAAe,EACpB,KAAK,kBAAkB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,WAAW,EACX,KAAK,mBAAmB,EACxB,KAAK,4BAA4B,EACjC,KAAK,iBAAiB,EACtB,KAAK,eAAe,GACrB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,2BAA2B,EAC3B,qBAAqB,EACrB,eAAe,EACf,SAAS,EACT,sBAAsB,EACtB,qBAAqB,EACrB,eAAe,EACf,aAAa,EACb,eAAe,EACf,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,aAAa,GACnB,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,22 @@
+/**
+ * `@opaquecash/disclosure` — conditional disclosure / threshold viewing keys
+ * (spec/conditional-disclosure.md).
+ *
+ * Two surfaces:
+ *   - **Escrow backstop**: {@link splitViewingKey} / {@link recoverViewingKey} —
+ *     Shamir shares of the CSAP viewing key. Reconstruction reveals the FULL key;
+ *     recovery only.
+ *   - **Active disclosure**: {@link buildDisclosureWitness} +
+ *     {@link generateDisclosureProof} (pool-scoped Groth16 proof) gated by a
+ *     custodian FROST quorum's BIP-340 signature ({@link verifyQuorumSignature})
+ *     over the request {@link computeContextEvm | context}, submitted via
+ *     {@link buildDiscloseTx} / {@link buildDiscloseIx}.
+ *
+ * @packageDocumentation
+ */
+export { splitViewingKey, recoverViewingKey, parseShare, SHARE_SCHEME, } from "./shamir.js";
+export { FIELD, DOMAIN_DISCLOSURE, computeContextEvm, computeContextSolana, contextToMessage, } from "./context.js";
+export { liftEvenY, parseBip340, parseFrostSignature, verifyQuorumSignature, } from "./schnorr.js";
+export { disclosureNullifier, buildDisclosureWitness, generateDisclosureProof, POOL_LEVELS, } from "./prove.js";
+export { opaqueDisclosureRegistryAbi, buildRegisterPolicyTx, buildDiscloseTx, policyPda, disclosureNullifierPda, buildRegisterPolicyIx, buildDiscloseIx, toSolanaProof, toSolidityProof, } from "./tx.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,YAAY,GAEb,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,KAAK,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,SAAS,EACT,WAAW,EACX,mBAAmB,EACnB,qBAAqB,GAGtB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,uBAAuB,EACvB,WAAW,GAKZ,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,2BAA2B,EAC3B,qBAAqB,EACrB,eAAe,EACf,SAAS,EACT,sBAAsB,EACtB,qBAAqB,EACrB,eAAe,EACf,aAAa,EACb,eAAe,GAIhB,MAAM,SAAS,CAAC"}

package/dist/prove.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Disclosure witness assembly + Groth16 proof generation
+ * (spec/conditional-disclosure.md §4). The witness binds a pool note's openings,
+ * its state-tree inclusion path, the policy threshold, and the request `context`.
+ * Public-signal order matches the circuit:
+ * value, label, threshold, state_root, disclosure_nullifier, context.
+ */
+import { POOL_LEVELS, type PoolCrypto, type CommitmentNote } from "@opaquecash/privacy-pool";
+/** Paths/URLs to the conditional_disclosure circuit artifacts. */
+export interface DisclosureArtifacts {
+    wasmPath: string;
+    zkeyPath: string;
+}
+export interface BuildDisclosureWitnessParams {
+    /** The note being disclosed (its openings stay private). */
+    note: CommitmentNote;
+    /** The policy's qualification threshold; note.value must exceed it. */
+    threshold: bigint;
+    /** Ordered state-tree leaves (all commitments) and the note's leaf index. */
+    stateLeaves: bigint[];
+    stateIndex: number;
+    /** The request context (computeContextEvm / computeContextSolana). */
+    context: bigint;
+}
+export interface DisclosureWitness {
+    input: Record<string, string | string[] | number[]>;
+    /** Public values submitted to `disclose` alongside the proof. */
+    publics: {
+        value: bigint;
+        label: bigint;
+        threshold: bigint;
+        stateRoot: bigint;
+        disclosureNullifier: bigint;
+        context: bigint;
+    };
+}
+/** disclosure_nullifier = Poseidon(nullifier, context, DOMAIN_DISCLOSURE) (spec §7). */
+export declare function disclosureNullifier(crypto: PoolCrypto, nullifier: bigint, context: bigint): bigint;
+/** Assemble the circuit input + public values for an on-chain `disclose` call. */
+export declare function buildDisclosureWitness(crypto: PoolCrypto, p: BuildDisclosureWitnessParams): DisclosureWitness;
+export interface DisclosureProof {
+    proof: unknown;
+    publicSignals: string[];
+}
+/** Generate the Groth16 proof (snarkjs; Node paths or browser URLs). */
+export declare function generateDisclosureProof(witness: DisclosureWitness, artifacts: DisclosureArtifacts): Promise<DisclosureProof>;
+export { POOL_LEVELS };
+//# sourceMappingURL=prove.d.ts.map

package/dist/prove.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prove.d.ts","sourceRoot":"","sources":["../src/prove.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAEL,WAAW,EACX,KAAK,UAAU,EACf,KAAK,cAAc,EACpB,MAAM,0BAA0B,CAAC;AAGlC,kEAAkE;AAClE,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,4BAA4B;IAC3C,4DAA4D;IAC5D,IAAI,EAAE,cAAc,CAAC;IACrB,uEAAuE;IACvE,SAAS,EAAE,MAAM,CAAC;IAClB,6EAA6E;IAC7E,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;IACpD,iEAAiE;IACjE,OAAO,EAAE;QACP,KAAK,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,mBAAmB,EAAE,MAAM,CAAC;QAC5B,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;CACH;AAED,wFAAwF;AACxF,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,MAAM,CAER;AAED,kFAAkF;AAClF,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,UAAU,EAClB,CAAC,EAAE,4BAA4B,GAC9B,iBAAiB,CAyCnB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,wEAAwE;AACxE,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,mBAAmB,GAC7B,OAAO,CAAC,eAAe,CAAC,CAO1B;AAED,OAAO,EAAE,WAAW,EAAE,CAAC"}

package/dist/prove.js

@@ -0,0 +1,58 @@
+/**
+ * Disclosure witness assembly + Groth16 proof generation
+ * (spec/conditional-disclosure.md §4). The witness binds a pool note's openings,
+ * its state-tree inclusion path, the policy threshold, and the request `context`.
+ * Public-signal order matches the circuit:
+ * value, label, threshold, state_root, disclosure_nullifier, context.
+ */
+// @ts-expect-error snarkjs is untyped
+import * as snarkjs from "snarkjs";
+import { PoolMerkleTree, POOL_LEVELS, } from "@opaquecash/privacy-pool";
+import { DOMAIN_DISCLOSURE } from "./context.js";
+/** disclosure_nullifier = Poseidon(nullifier, context, DOMAIN_DISCLOSURE) (spec §7). */
+export function disclosureNullifier(crypto, nullifier, context) {
+    return crypto.hash([nullifier, context, DOMAIN_DISCLOSURE]);
+}
+/** Assemble the circuit input + public values for an on-chain `disclose` call. */
+export function buildDisclosureWitness(crypto, p) {
+    if (p.note.value <= p.threshold) {
+        throw new Error(`note does not qualify: value ${p.note.value} <= threshold ${p.threshold} ` +
+            "(the circuit would be unsatisfiable)");
+    }
+    const commitment = crypto.commitment(p.note.value, p.note.label, crypto.precommitment(p.note.nullifier, p.note.secret));
+    if (p.stateLeaves[p.stateIndex] !== commitment) {
+        throw new Error("stateLeaves[stateIndex] is not the note's commitment");
+    }
+    const tree = new PoolMerkleTree(crypto, p.stateLeaves);
+    const path = tree.proof(p.stateIndex);
+    const nullifier = disclosureNullifier(crypto, p.note.nullifier, p.context);
+    return {
+        input: {
+            nullifier: p.note.nullifier.toString(),
+            secret: p.note.secret.toString(),
+            state_siblings: path.siblings.map(String),
+            state_index: path.pathIndices,
+            value: p.note.value.toString(),
+            label: p.note.label.toString(),
+            threshold: p.threshold.toString(),
+            state_root: tree.root().toString(),
+            disclosure_nullifier: nullifier.toString(),
+            context: p.context.toString(),
+        },
+        publics: {
+            value: p.note.value,
+            label: p.note.label,
+            threshold: p.threshold,
+            stateRoot: tree.root(),
+            disclosureNullifier: nullifier,
+            context: p.context,
+        },
+    };
+}
+/** Generate the Groth16 proof (snarkjs; Node paths or browser URLs). */
+export async function generateDisclosureProof(witness, artifacts) {
+    const { proof, publicSignals } = await snarkjs.groth16.fullProve(witness.input, artifacts.wasmPath, artifacts.zkeyPath);
+    return { proof, publicSignals };
+}
+export { POOL_LEVELS };
+//# sourceMappingURL=prove.js.map

package/dist/prove.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prove.js","sourceRoot":"","sources":["../src/prove.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,sCAAsC;AACtC,OAAO,KAAK,OAAO,MAAM,SAAS,CAAC;AACnC,OAAO,EACL,cAAc,EACd,WAAW,GAGZ,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAiCjD,wFAAwF;AACxF,MAAM,UAAU,mBAAmB,CACjC,MAAkB,EAClB,SAAiB,EACjB,OAAe;IAEf,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,kFAAkF;AAClF,MAAM,UAAU,sBAAsB,CACpC,MAAkB,EAClB,CAA+B;IAE/B,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,gCAAgC,CAAC,CAAC,IAAI,CAAC,KAAK,iBAAiB,CAAC,CAAC,SAAS,GAAG;YACzE,sCAAsC,CACzC,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAClC,CAAC,CAAC,IAAI,CAAC,KAAK,EACZ,CAAC,CAAC,IAAI,CAAC,KAAK,EACZ,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CACtD,CAAC;IACF,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,UAAU,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;IAE3E,OAAO;QACL,KAAK,EAAE;YACL,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE;YACtC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;YAChC,cAAc,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;YACzC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE;YAC9B,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE;YAC9B,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,QAAQ,EAAE;YACjC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;YAClC,oBAAoB,EAAE,SAAS,CAAC,QAAQ,EAAE;YAC1C,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE;SAC9B;QACD,OAAO,EAAE;YACP,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK;YACnB,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK;YACnB,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE;YACtB,mBAAmB,EAAE,SAAS;YAC9B,OAAO,EAAE,CAAC,CAAC,OAAO;SACnB;KACF,CAAC;AACJ,CAAC;AAOD,wEAAwE;AACxE,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAA0B,EAC1B,SAA8B;IAE9B,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,SAAS,CAC9D,OAAO,CAAC,KAAK,EACb,SAAS,CAAC,QAAQ,EAClB,SAAS,CAAC,QAAQ,CACnB,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;AAClC,CAAC;AAED,OAAO,EAAE,WAAW,EAAE,CAAC"}

package/dist/schnorr.d.ts

@@ -0,0 +1,28 @@
+/** The SchnorrSig tuple submitted on-chain (R as a full even-Y point). */
+export interface QuorumSignature {
+    rx: bigint;
+    ry: bigint;
+    s: bigint;
+}
+/** The custodian CLI's `signature.json` shape (frost-custodian aggregate). */
+export interface FrostSignatureFile {
+    rx: string;
+    ry: string;
+    s: string;
+    bip340: string;
+    message: string;
+    group_key_x: string;
+}
+/** Even-Y lift of an x coordinate (p ≡ 3 mod 4 → sqrt = ^((p+1)/4)). */
+export declare function liftEvenY(x: bigint): bigint;
+/** Parse a 64-byte BIP-340 signature (Rx ‖ s) into the on-chain tuple. */
+export declare function parseBip340(signature: Uint8Array): QuorumSignature;
+/** Parse the custodian CLI's aggregate output. */
+export declare function parseFrostSignature(file: FrostSignatureFile): QuorumSignature;
+/**
+ * Verify a quorum signature over a 32-byte message against the x-only group key —
+ * the same check both registries perform, so a submission that passes here passes
+ * on-chain.
+ */
+export declare function verifyQuorumSignature(groupKeyX: bigint, message: Uint8Array, sig: QuorumSignature): boolean;
+//# sourceMappingURL=schnorr.d.ts.map

package/dist/schnorr.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schnorr.d.ts","sourceRoot":"","sources":["../src/schnorr.ts"],"names":[],"mappings":"AAUA,0EAA0E;AAC1E,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,CAAC,EAAE,MAAM,CAAC;CACX;AAED,8EAA8E;AAC9E,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,EAAE,EAAE,MAAM,CAAC;IACX,CAAC,EAAE,MAAM,CAAC;IACV,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;CACrB;AAaD,wEAAwE;AACxE,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAI3C;AAID,0EAA0E;AAC1E,wBAAgB,WAAW,CAAC,SAAS,EAAE,UAAU,GAAG,eAAe,CAKlE;AAED,kDAAkD;AAClD,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,kBAAkB,GAAG,eAAe,CAE7E;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,UAAU,EACnB,GAAG,EAAE,eAAe,GACnB,OAAO,CAWT"}

package/dist/schnorr.js

@@ -0,0 +1,55 @@
+/**
+ * BIP-340 quorum-signature helpers — spec/conditional-disclosure.md §5.
+ * A FROST(secp256k1, Taproot) aggregate from the custodian ceremony is a standard
+ * BIP-340 Schnorr signature; this module verifies one client-side (mirroring the
+ * on-chain checks) and converts it into the (rx, ry, s) tuple both registries take.
+ */
+import { schnorr } from "@noble/curves/secp256k1";
+const SECP_P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn;
+function modpow(base, exp, mod) {
+    let r = 1n;
+    base %= mod;
+    while (exp > 0n) {
+        if (exp & 1n)
+            r = (r * base) % mod;
+        base = (base * base) % mod;
+        exp >>= 1n;
+    }
+    return r;
+}
+/** Even-Y lift of an x coordinate (p ≡ 3 mod 4 → sqrt = ^((p+1)/4)). */
+export function liftEvenY(x) {
+    const y = modpow((x * x * x + 7n) % SECP_P, (SECP_P + 1n) / 4n, SECP_P);
+    if ((y * y) % SECP_P !== (x * x * x + 7n) % SECP_P)
+        throw new Error("x is not on the curve");
+    return y % 2n === 0n ? y : SECP_P - y;
+}
+const to32 = (x) => Uint8Array.from(Buffer.from(x.toString(16).padStart(64, "0"), "hex"));
+/** Parse a 64-byte BIP-340 signature (Rx ‖ s) into the on-chain tuple. */
+export function parseBip340(signature) {
+    if (signature.length !== 64)
+        throw new Error("BIP-340 signature must be 64 bytes");
+    const rx = BigInt("0x" + Buffer.from(signature.slice(0, 32)).toString("hex"));
+    const s = BigInt("0x" + Buffer.from(signature.slice(32)).toString("hex"));
+    return { rx, ry: liftEvenY(rx), s };
+}
+/** Parse the custodian CLI's aggregate output. */
+export function parseFrostSignature(file) {
+    return parseBip340(Uint8Array.from(Buffer.from(file.bip340, "hex")));
+}
+/**
+ * Verify a quorum signature over a 32-byte message against the x-only group key —
+ * the same check both registries perform, so a submission that passes here passes
+ * on-chain.
+ */
+export function verifyQuorumSignature(groupKeyX, message, sig) {
+    if (message.length !== 32)
+        throw new Error("message must be 32 bytes (the context)");
+    try {
+        return schnorr.verify(new Uint8Array([...to32(sig.rx), ...to32(sig.s)]), message, to32(groupKeyX));
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=schnorr.js.map

package/dist/schnorr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schnorr.js","sourceRoot":"","sources":["../src/schnorr.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAElD,MAAM,MAAM,GAAG,mEAAmE,CAAC;AAmBnF,SAAS,MAAM,CAAC,IAAY,EAAE,GAAW,EAAE,GAAW;IACpD,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,IAAI,IAAI,GAAG,CAAC;IACZ,OAAO,GAAG,GAAG,EAAE,EAAE,CAAC;QAChB,IAAI,GAAG,GAAG,EAAE;YAAE,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;QACnC,IAAI,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;QAC3B,GAAG,KAAK,EAAE,CAAC;IACb,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,SAAS,CAAC,CAAS;IACjC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,MAAM,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IACxE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC7F,OAAO,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AAElG,0EAA0E;AAC1E,MAAM,UAAU,WAAW,CAAC,SAAqB;IAC/C,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACnF,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9E,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1E,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,SAAS,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;AACtC,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,mBAAmB,CAAC,IAAwB;IAC1D,OAAO,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC;AACvE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CACnC,SAAiB,EACjB,OAAmB,EACnB,GAAoB;IAEpB,IAAI,OAAO,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IACrF,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,MAAM,CACnB,IAAI,UAAU,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EACjD,OAAO,EACP,IAAI,CAAC,SAAS,CAAC,CAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/shamir.d.ts

@@ -0,0 +1,28 @@
+export declare const SHARE_SCHEME = "shamir-gf256-v1";
+export interface ParsedShare {
+    /** Envelope version (currently 1). */
+    version: number;
+    /** Recovery threshold m. */
+    threshold: number;
+    /** Total shares issued n. */
+    total: number;
+    /** 1-based custodian index this share was issued to. */
+    index: number;
+    /** The raw GF(256) share. */
+    share: Uint8Array;
+}
+/**
+ * Split a 32-byte viewing key into `custodians` shares, any `threshold` of
+ * which recover it. Returns base64 envelope strings, ordered by custodian
+ * index (1-based).
+ */
+export declare function splitViewingKey(viewingKey: Uint8Array, threshold: number, custodians: number): Promise<string[]>;
+/** Decode and validate a single share envelope. */
+export declare function parseShare(encoded: string): ParsedShare;
+/**
+ * Recover the viewing key from `>= threshold` envelope shares. Rejects shares
+ * from different splits (mismatched m/n), duplicate custodian indices, and
+ * share sets below the recorded threshold.
+ */
+export declare function recoverViewingKey(shares: string[]): Promise<Uint8Array>;
+//# sourceMappingURL=shamir.d.ts.map

package/dist/shamir.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shamir.d.ts","sourceRoot":"","sources":["../src/shamir.ts"],"names":[],"mappings":"AAgBA,eAAO,MAAM,YAAY,oBAAoB,CAAC;AAM9C,MAAM,WAAW,WAAW;IAC1B,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,wDAAwD;IACxD,KAAK,EAAE,MAAM,CAAC;IACd,6BAA6B;IAC7B,KAAK,EAAE,UAAU,CAAC;CACnB;AAKD;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,EAAE,CAAC,CAqBnB;AAED,mDAAmD;AACnD,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAQvD;AAED;;;;GAIG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAqB7E"}

package/dist/shamir.js

@@ -0,0 +1,93 @@
+/**
+ * Shamir viewing-key escrow — spec/conditional-disclosure.md §2.
+ *
+ * Splits the 32-byte CSAP viewing-key scalar into n shares with threshold m
+ * over GF(256) (audited `shamir-secret-sharing`). Each share is wrapped in the
+ * versioned envelope `base64(0x01 ‖ m ‖ n ‖ index ‖ raw_share)` so recovery can
+ * enforce the threshold and reject mixed share sets — the underlying scheme
+ * silently returns garbage when combined below threshold.
+ *
+ * NORMATIVE WARNING (spec §2): combining m shares reconstructs the FULL viewing
+ * key and reveals the owner's entire incoming-payment history to the combiner.
+ * This is the recovery backstop, not the disclosure path; active disclosure is
+ * the FROST-gated proof flow in prove.ts/tx.ts.
+ */
+import { split as gf256Split, combine as gf256Combine } from "shamir-secret-sharing";
+export const SHARE_SCHEME = "shamir-gf256-v1";
+const SHARE_VERSION = 0x01;
+const VIEWING_KEY_LENGTH = 32;
+/** envelope = version ‖ m ‖ n ‖ index */
+const ENVELOPE_HEADER_LENGTH = 4;
+const toBase64 = (bytes) => Buffer.from(bytes).toString("base64");
+const fromBase64 = (s) => new Uint8Array(Buffer.from(s, "base64"));
+/**
+ * Split a 32-byte viewing key into `custodians` shares, any `threshold` of
+ * which recover it. Returns base64 envelope strings, ordered by custodian
+ * index (1-based).
+ */
+export async function splitViewingKey(viewingKey, threshold, custodians) {
+    if (viewingKey.length !== VIEWING_KEY_LENGTH) {
+        throw new Error(`viewing key must be ${VIEWING_KEY_LENGTH} bytes, got ${viewingKey.length}`);
+    }
+    if (!Number.isInteger(threshold) || !Number.isInteger(custodians)) {
+        throw new Error("threshold and custodians must be integers");
+    }
+    if (threshold < 2)
+        throw new Error("threshold must be at least 2 (1 would be no escrow)");
+    if (custodians < threshold)
+        throw new Error("custodians must be >= threshold");
+    if (custodians > 255)
+        throw new Error("at most 255 custodians");
+    const raw = await gf256Split(viewingKey, custodians, threshold);
+    return raw.map((share, i) => {
+        const envelope = new Uint8Array(ENVELOPE_HEADER_LENGTH + share.length);
+        envelope[0] = SHARE_VERSION;
+        envelope[1] = threshold;
+        envelope[2] = custodians;
+        envelope[3] = i + 1;
+        envelope.set(share, ENVELOPE_HEADER_LENGTH);
+        return toBase64(envelope);
+    });
+}
+/** Decode and validate a single share envelope. */
+export function parseShare(encoded) {
+    const bytes = fromBase64(encoded);
+    if (bytes.length <= ENVELOPE_HEADER_LENGTH)
+        throw new Error("share envelope too short");
+    const [version, threshold, total, index] = bytes;
+    if (version !== SHARE_VERSION)
+        throw new Error(`unsupported share version ${version}`);
+    if (threshold < 2 || total < threshold)
+        throw new Error("corrupt share envelope (threshold/total)");
+    if (index < 1 || index > total)
+        throw new Error("corrupt share envelope (index)");
+    return { version, threshold, total, index, share: bytes.slice(ENVELOPE_HEADER_LENGTH) };
+}
+/**
+ * Recover the viewing key from `>= threshold` envelope shares. Rejects shares
+ * from different splits (mismatched m/n), duplicate custodian indices, and
+ * share sets below the recorded threshold.
+ */
+export async function recoverViewingKey(shares) {
+    if (shares.length === 0)
+        throw new Error("no shares provided");
+    const parsed = shares.map(parseShare);
+    const { threshold, total } = parsed[0];
+    for (const p of parsed) {
+        if (p.threshold !== threshold || p.total !== total) {
+            throw new Error("shares are from different splits (threshold/total mismatch)");
+        }
+    }
+    const indices = new Set(parsed.map((p) => p.index));
+    if (indices.size !== parsed.length)
+        throw new Error("duplicate share indices");
+    if (parsed.length < threshold) {
+        throw new Error(`need ${threshold} shares to recover, got ${parsed.length}`);
+    }
+    const key = await gf256Combine(parsed.map((p) => p.share));
+    if (key.length !== VIEWING_KEY_LENGTH) {
+        throw new Error(`recovered ${key.length} bytes, expected ${VIEWING_KEY_LENGTH}`);
+    }
+    return key;
+}
+//# sourceMappingURL=shamir.js.map

package/dist/shamir.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shamir.js","sourceRoot":"","sources":["../src/shamir.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErF,MAAM,CAAC,MAAM,YAAY,GAAG,iBAAiB,CAAC;AAC9C,MAAM,aAAa,GAAG,IAAI,CAAC;AAC3B,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,yCAAyC;AACzC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AAejC,MAAM,QAAQ,GAAG,CAAC,KAAiB,EAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACtF,MAAM,UAAU,GAAG,CAAC,CAAS,EAAc,EAAE,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;AAEvF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,UAAsB,EACtB,SAAiB,EACjB,UAAkB;IAElB,IAAI,UAAU,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,uBAAuB,kBAAkB,eAAe,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,SAAS,GAAG,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IAC1F,IAAI,UAAU,GAAG,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IAC/E,IAAI,UAAU,GAAG,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAEhE,MAAM,GAAG,GAAG,MAAM,UAAU,CAAC,UAAU,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IAChE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QAC1B,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,sBAAsB,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;QACvE,QAAQ,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC;QAC5B,QAAQ,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC;QACxB,QAAQ,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC;QACzB,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC;QAC5C,OAAO,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,UAAU,CAAC,OAAe;IACxC,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,IAAI,sBAAsB;QAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IACxF,MAAM,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,CAAC,GAAG,KAAK,CAAC;IACjD,IAAI,OAAO,KAAK,aAAa;QAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,EAAE,CAAC,CAAC;IACvF,IAAI,SAAS,GAAG,CAAC,IAAI,KAAK,GAAG,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IACpG,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAClF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;AAC1F,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAAgB;IACtD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;YACnD,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC/E,IAAI,MAAM,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,QAAQ,SAAS,2BAA2B,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3D,IAAI,GAAG,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,CAAC,MAAM,oBAAoB,kBAAkB,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/tx.d.ts

@@ -0,0 +1,204 @@
+/**
+ * Disclosure transaction builders — spec/conditional-disclosure.md §6.
+ * Ethereum: calldata for OpaqueDisclosureRegistry. Solana: raw instructions for the
+ * conditional-disclosure program (no IDL dependency; matches the program's borsh
+ * layout exactly).
+ */
+import { type Address, type Hex } from "viem";
+import { PublicKey, TransactionInstruction } from "@solana/web3.js";
+import { toSolidityProof, type SolidityProof } from "@opaquecash/privacy-pool";
+import type { QuorumSignature } from "./schnorr.js";
+export declare const opaqueDisclosureRegistryAbi: readonly [{
+    readonly type: "function";
+    readonly name: "registerPolicy";
+    readonly stateMutability: "nonpayable";
+    readonly inputs: readonly [{
+        readonly name: "pool";
+        readonly type: "address";
+    }, {
+        readonly name: "groupKeyX";
+        readonly type: "uint256";
+    }, {
+        readonly name: "threshold";
+        readonly type: "uint128";
+    }, {
+        readonly name: "m";
+        readonly type: "uint8";
+    }, {
+        readonly name: "n";
+        readonly type: "uint8";
+    }];
+    readonly outputs: readonly [{
+        readonly name: "policyId";
+        readonly type: "uint256";
+    }];
+}, {
+    readonly type: "function";
+    readonly name: "disclose";
+    readonly stateMutability: "nonpayable";
+    readonly inputs: readonly [{
+        readonly name: "a";
+        readonly type: "uint256[2]";
+    }, {
+        readonly name: "b";
+        readonly type: "uint256[2][2]";
+    }, {
+        readonly name: "c";
+        readonly type: "uint256[2]";
+    }, {
+        readonly name: "signals";
+        readonly type: "uint256[6]";
+    }, {
+        readonly name: "policyId";
+        readonly type: "uint256";
+    }, {
+        readonly name: "caseId";
+        readonly type: "bytes32";
+    }, {
+        readonly name: "sig";
+        readonly type: "tuple";
+        readonly components: readonly [{
+            readonly name: "rx";
+            readonly type: "uint256";
+        }, {
+            readonly name: "ry";
+            readonly type: "uint256";
+        }, {
+            readonly name: "s";
+            readonly type: "uint256";
+        }];
+    }];
+    readonly outputs: readonly [];
+}, {
+    readonly type: "function";
+    readonly name: "context";
+    readonly stateMutability: "pure";
+    readonly inputs: readonly [{
+        readonly name: "policyId";
+        readonly type: "uint256";
+    }, {
+        readonly name: "caseId";
+        readonly type: "bytes32";
+    }, {
+        readonly name: "requester";
+        readonly type: "address";
+    }];
+    readonly outputs: readonly [{
+        readonly type: "uint256";
+    }];
+}, {
+    readonly type: "function";
+    readonly name: "policies";
+    readonly stateMutability: "view";
+    readonly inputs: readonly [{
+        readonly type: "uint256";
+    }];
+    readonly outputs: readonly [{
+        readonly name: "pool";
+        readonly type: "address";
+    }, {
+        readonly name: "groupKeyX";
+        readonly type: "uint256";
+    }, {
+        readonly name: "threshold";
+        readonly type: "uint128";
+    }, {
+        readonly name: "m";
+        readonly type: "uint8";
+    }, {
+        readonly name: "n";
+        readonly type: "uint8";
+    }];
+}, {
+    readonly type: "function";
+    readonly name: "nullifierConsumed";
+    readonly stateMutability: "view";
+    readonly inputs: readonly [{
+        readonly type: "bytes32";
+    }];
+    readonly outputs: readonly [{
+        readonly type: "bool";
+    }];
+}, {
+    readonly type: "event";
+    readonly name: "Disclosure";
+    readonly inputs: readonly [{
+        readonly name: "policyId";
+        readonly type: "uint256";
+        readonly indexed: true;
+    }, {
+        readonly name: "caseId";
+        readonly type: "bytes32";
+        readonly indexed: true;
+    }, {
+        readonly name: "requester";
+        readonly type: "address";
+        readonly indexed: true;
+    }, {
+        readonly name: "label";
+        readonly type: "uint256";
+        readonly indexed: false;
+    }, {
+        readonly name: "value";
+        readonly type: "uint256";
+        readonly indexed: false;
+    }, {
+        readonly name: "disclosureNullifier";
+        readonly type: "bytes32";
+        readonly indexed: false;
+    }];
+}];
+export interface EvmTxRequest {
+    to: Address;
+    data: Hex;
+}
+export declare function buildRegisterPolicyTx(registry: Address, p: {
+    pool: Address;
+    groupKeyX: bigint;
+    threshold: bigint;
+    m: number;
+    n: number;
+}): EvmTxRequest;
+export declare function buildDiscloseTx(registry: Address, p: {
+    proof: SolidityProof;
+    signals: [bigint, bigint, bigint, bigint, bigint, bigint];
+    policyId: bigint;
+    caseId: Hex;
+    sig: QuorumSignature;
+}): EvmTxRequest;
+export declare function policyPda(program: PublicKey, groupKeyX: bigint): PublicKey;
+export declare function disclosureNullifierPda(program: PublicKey, nullifier: bigint): PublicKey;
+export declare function buildRegisterPolicyIx(program: PublicKey, p: {
+    pool: PublicKey;
+    groupKeyX: bigint;
+    threshold: bigint;
+    m: number;
+    n: number;
+    payer: PublicKey;
+}): TransactionInstruction;
+/** Groth16 proof in the program's byte encoding (negated-A handled on-chain). */
+export interface SolanaProofBytes {
+    a: Uint8Array;
+    b: Uint8Array;
+    c: Uint8Array;
+}
+/** snarkjs proof object → the program's G1/G2 byte encoding. */
+export declare function toSolanaProof(proof: {
+    pi_a: string[];
+    pi_b: string[][];
+    pi_c: string[];
+}): SolanaProofBytes;
+export declare function buildDiscloseIx(program: PublicKey, p: {
+    pool: PublicKey;
+    groupKeyX: bigint;
+    proof: SolanaProofBytes;
+    value: bigint;
+    label: bigint;
+    stateRoot: bigint;
+    disclosureNullifier: bigint;
+    caseId: Uint8Array;
+    sig: QuorumSignature;
+    requester: PublicKey;
+}): TransactionInstruction;
+export { toSolidityProof, type SolidityProof };
+//# sourceMappingURL=tx.d.ts.map

package/dist/tx.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tx.d.ts","sourceRoot":"","sources":["../src/tx.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAsB,KAAK,OAAO,EAAE,KAAK,GAAG,EAAE,MAAM,MAAM,CAAC;AAClE,OAAO,EAAE,SAAS,EAAiB,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACnF,OAAO,EAAE,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAE/E,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEpD,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgF9B,CAAC;AAEX,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,EAAE,GAAG,CAAC;CACX;AAED,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,OAAO,EACjB,CAAC,EAAE;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAA;CAAE,GAC/E,YAAY,CASd;AAED,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,OAAO,EACjB,CAAC,EAAE;IACD,KAAK,EAAE,aAAa,CAAC;IACrB,OAAO,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,GAAG,CAAC;IACZ,GAAG,EAAE,eAAe,CAAC;CACtB,GACA,YAAY,CAiBd;AAaD,wBAAgB,SAAS,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,SAAS,CAK1E;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,GAAG,SAAS,CAKvF;AAED,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,SAAS,EAClB,CAAC,EAAE;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,SAAS,CAAA;CAAE,GACnG,sBAAsB,CAgBxB;AAED,iFAAiF;AACjF,MAAM,WAAW,gBAAgB;IAC/B,CAAC,EAAE,UAAU,CAAC;IACd,CAAC,EAAE,UAAU,CAAC;IACd,CAAC,EAAE,UAAU,CAAC;CACf;AAED,gEAAgE;AAChE,wBAAgB,aAAa,CAAC,KAAK,EAAE;IACnC,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC;IACjB,IAAI,EAAE,MAAM,EAAE,CAAC;CAChB,GAAG,gBAAgB,CAUnB;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,SAAS,EAClB,CAAC,EAAE;IACD,IAAI,EAAE,SAAS,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,gBAAgB,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,UAAU,CAAC;IACnB,GAAG,EAAE,eAAe,CAAC;IACrB,SAAS,EAAE,SAAS,CAAC;CACtB,GACA,sBAAsB,CA8BxB;AAED,OAAO,EAAE,eAAe,EAAE,KAAK,aAAa,EAAE,CAAC"}

package/dist/tx.js

@@ -0,0 +1,195 @@
+/**
+ * Disclosure transaction builders — spec/conditional-disclosure.md §6.
+ * Ethereum: calldata for OpaqueDisclosureRegistry. Solana: raw instructions for the
+ * conditional-disclosure program (no IDL dependency; matches the program's borsh
+ * layout exactly).
+ */
+import { encodeFunctionData } from "viem";
+import { PublicKey, SystemProgram, TransactionInstruction } from "@solana/web3.js";
+import { toSolidityProof } from "@opaquecash/privacy-pool";
+import { createHash } from "node:crypto";
+export const opaqueDisclosureRegistryAbi = [
+    {
+        type: "function",
+        name: "registerPolicy",
+        stateMutability: "nonpayable",
+        inputs: [
+            { name: "pool", type: "address" },
+            { name: "groupKeyX", type: "uint256" },
+            { name: "threshold", type: "uint128" },
+            { name: "m", type: "uint8" },
+            { name: "n", type: "uint8" },
+        ],
+        outputs: [{ name: "policyId", type: "uint256" }],
+    },
+    {
+        type: "function",
+        name: "disclose",
+        stateMutability: "nonpayable",
+        inputs: [
+            { name: "a", type: "uint256[2]" },
+            { name: "b", type: "uint256[2][2]" },
+            { name: "c", type: "uint256[2]" },
+            { name: "signals", type: "uint256[6]" },
+            { name: "policyId", type: "uint256" },
+            { name: "caseId", type: "bytes32" },
+            {
+                name: "sig",
+                type: "tuple",
+                components: [
+                    { name: "rx", type: "uint256" },
+                    { name: "ry", type: "uint256" },
+                    { name: "s", type: "uint256" },
+                ],
+            },
+        ],
+        outputs: [],
+    },
+    {
+        type: "function",
+        name: "context",
+        stateMutability: "pure",
+        inputs: [
+            { name: "policyId", type: "uint256" },
+            { name: "caseId", type: "bytes32" },
+            { name: "requester", type: "address" },
+        ],
+        outputs: [{ type: "uint256" }],
+    },
+    {
+        type: "function",
+        name: "policies",
+        stateMutability: "view",
+        inputs: [{ type: "uint256" }],
+        outputs: [
+            { name: "pool", type: "address" },
+            { name: "groupKeyX", type: "uint256" },
+            { name: "threshold", type: "uint128" },
+            { name: "m", type: "uint8" },
+            { name: "n", type: "uint8" },
+        ],
+    },
+    {
+        type: "function",
+        name: "nullifierConsumed",
+        stateMutability: "view",
+        inputs: [{ type: "bytes32" }],
+        outputs: [{ type: "bool" }],
+    },
+    {
+        type: "event",
+        name: "Disclosure",
+        inputs: [
+            { name: "policyId", type: "uint256", indexed: true },
+            { name: "caseId", type: "bytes32", indexed: true },
+            { name: "requester", type: "address", indexed: true },
+            { name: "label", type: "uint256", indexed: false },
+            { name: "value", type: "uint256", indexed: false },
+            { name: "disclosureNullifier", type: "bytes32", indexed: false },
+        ],
+    },
+];
+export function buildRegisterPolicyTx(registry, p) {
+    return {
+        to: registry,
+        data: encodeFunctionData({
+            abi: opaqueDisclosureRegistryAbi,
+            functionName: "registerPolicy",
+            args: [p.pool, p.groupKeyX, p.threshold, p.m, p.n],
+        }),
+    };
+}
+export function buildDiscloseTx(registry, p) {
+    return {
+        to: registry,
+        data: encodeFunctionData({
+            abi: opaqueDisclosureRegistryAbi,
+            functionName: "disclose",
+            args: [
+                p.proof.a,
+                p.proof.b,
+                p.proof.c,
+                p.signals,
+                p.policyId,
+                p.caseId,
+                { rx: p.sig.rx, ry: p.sig.ry, s: p.sig.s },
+            ],
+        }),
+    };
+}
+// ----------------------------------------------------------------- Solana
+const disc = (name) => createHash("sha256").update(`global:${name}`).digest().subarray(0, 8);
+const be32 = (x) => Buffer.from(x.toString(16).padStart(64, "0"), "hex");
+const u64le = (n) => {
+    const b = Buffer.alloc(8);
+    b.writeBigUInt64LE(n);
+    return b;
+};
+export function policyPda(program, groupKeyX) {
+    return PublicKey.findProgramAddressSync([Buffer.from("policy"), be32(groupKeyX)], program)[0];
+}
+export function disclosureNullifierPda(program, nullifier) {
+    return PublicKey.findProgramAddressSync([Buffer.from("nullifier"), be32(nullifier)], program)[0];
+}
+export function buildRegisterPolicyIx(program, p) {
+    return new TransactionInstruction({
+        programId: program,
+        keys: [
+            { pubkey: policyPda(program, p.groupKeyX), isSigner: false, isWritable: true },
+            { pubkey: p.pool, isSigner: false, isWritable: false },
+            { pubkey: p.payer, isSigner: true, isWritable: true },
+            { pubkey: SystemProgram.programId, isSigner: false, isWritable: false },
+        ],
+        data: Buffer.concat([
+            disc("register_policy"),
+            be32(p.groupKeyX),
+            u64le(p.threshold),
+            Buffer.from([p.m, p.n]),
+        ]),
+    });
+}
+/** snarkjs proof object → the program's G1/G2 byte encoding. */
+export function toSolanaProof(proof) {
+    const g1 = (p) => Buffer.concat([be32(BigInt(p[0])), be32(BigInt(p[1]))]);
+    const g2 = (p) => Buffer.concat([
+        be32(BigInt(p[0][1])),
+        be32(BigInt(p[0][0])),
+        be32(BigInt(p[1][1])),
+        be32(BigInt(p[1][0])),
+    ]);
+    return { a: g1(proof.pi_a), b: g2(proof.pi_b), c: g1(proof.pi_c) };
+}
+export function buildDiscloseIx(program, p) {
+    if (p.caseId.length !== 32)
+        throw new Error("caseId must be 32 bytes");
+    return new TransactionInstruction({
+        programId: program,
+        keys: [
+            { pubkey: policyPda(program, p.groupKeyX), isSigner: false, isWritable: false },
+            { pubkey: p.pool, isSigner: false, isWritable: false },
+            {
+                pubkey: disclosureNullifierPda(program, p.disclosureNullifier),
+                isSigner: false,
+                isWritable: true,
+            },
+            { pubkey: p.requester, isSigner: true, isWritable: true },
+            { pubkey: SystemProgram.programId, isSigner: false, isWritable: false },
+        ],
+        data: Buffer.concat([
+            disc("disclose"),
+            p.proof.a,
+            p.proof.b,
+            p.proof.c,
+            u64le(p.value),
+            be32(p.label),
+            be32(p.stateRoot),
+            be32(p.disclosureNullifier),
+            p.caseId,
+            be32(p.sig.rx),
+            be32(p.sig.ry),
+            be32(p.sig.s),
+        ]),
+    });
+}
+export { toSolidityProof };
+//# sourceMappingURL=tx.js.map

package/dist/tx.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tx.js","sourceRoot":"","sources":["../src/tx.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,kBAAkB,EAA0B,MAAM,MAAM,CAAC;AAClE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACnF,OAAO,EAAE,eAAe,EAAsB,MAAM,0BAA0B,CAAC;AAC/E,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC;QACE,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,gBAAgB;QACtB,eAAe,EAAE,YAAY;QAC7B,MAAM,EAAE;YACN,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE;YACjC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE;YACtC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE;YACtC,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;YAC5B,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;SAC7B;QACD,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;KACjD;IACD;QACE,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,UAAU;QAChB,eAAe,EAAE,YAAY;QAC7B,MAAM,EAAE;YACN,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,EAAE;YACjC,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,eAAe,EAAE;YACpC,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,EAAE;YACjC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE;YACvC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE;YACrC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE;YACnC;gBACE,IAAI,EAAE,KAAK;gBACX,IAAI,EAAE,OAAO;gBACb,UAAU,EAAE;oBACV,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;oBAC/B,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;oBAC/B,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE;iBAC/B;aACF;SACF;QACD,OAAO,EAAE,EAAE;KACZ;IACD;QACE,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,SAAS;QACf,eAAe,EAAE,MAAM;QACvB,MAAM,EAAE;YACN,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE;YACrC,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE;YACnC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE;SACvC;QACD,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;KAC/B;IACD;QACE,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,UAAU;QAChB,eAAe,EAAE,MAAM;QACvB,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAC7B,OAAO,EAAE;YACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE;YACjC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE;YACtC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE;YACtC,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;YAC5B,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;SAC7B;KACF;IACD;QACE,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,mBAAmB;QACzB,eAAe,EAAE,MAAM;QACvB,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAC7B,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;KAC5B;IACD;QACE,IAAI,EAAE,OAAO;QACb,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE;YACN,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE;YACpD,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE;YAClD,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE;YACrD,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;YAClD,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;YAClD,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;SACjE;KACF;CACO,CAAC;AAOX,MAAM,UAAU,qBAAqB,CACnC,QAAiB,EACjB,CAAgF;IAEhF,OAAO;QACL,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,kBAAkB,CAAC;YACvB,GAAG,EAAE,2BAA2B;YAChC,YAAY,EAAE,gBAAgB;YAC9B,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;SACnD,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,QAAiB,EACjB,CAMC;IAED,OAAO;QACL,EAAE,EAAE,QAAQ;QACZ,IAAI,EAAE,kBAAkB,CAAC;YACvB,GAAG,EAAE,2BAA2B;YAChC,YAAY,EAAE,UAAU;YACxB,IAAI,EAAE;gBACJ,CAAC,CAAC,KAAK,CAAC,CAAC;gBACT,CAAC,CAAC,KAAK,CAAC,CAAC;gBACT,CAAC,CAAC,KAAK,CAAC,CAAC;gBACT,CAAC,CAAC,OAAO;gBACT,CAAC,CAAC,QAAQ;gBACV,CAAC,CAAC,MAAM;gBACR,EAAE,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE;aAC3C;SACF,CAAC;KACH,CAAC;AACJ,CAAC;AAED,2EAA2E;AAE3E,MAAM,IAAI,GAAG,CAAC,IAAY,EAAU,EAAE,CACpC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACxE,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC;AACjF,MAAM,KAAK,GAAG,CAAC,CAAS,EAAE,EAAE;IAC1B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC;IACtB,OAAO,CAAC,CAAC;AACX,CAAC,CAAC;AAEF,MAAM,UAAU,SAAS,CAAC,OAAkB,EAAE,SAAiB;IAC7D,OAAO,SAAS,CAAC,sBAAsB,CACrC,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EACxC,OAAO,CACR,CAAC,CAAC,CAAC,CAAC;AACP,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAkB,EAAE,SAAiB;IAC1E,OAAO,SAAS,CAAC,sBAAsB,CACrC,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAC3C,OAAO,CACR,CAAC,CAAC,CAAC,CAAC;AACP,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAkB,EAClB,CAAoG;IAEpG,OAAO,IAAI,sBAAsB,CAAC;QAChC,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE;YACJ,EAAE,MAAM,EAAE,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE;YAC9E,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;YACtD,EAAE,MAAM,EAAE,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;YACrD,EAAE,MAAM,EAAE,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;SACxE;QACD,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;YAClB,IAAI,CAAC,iBAAiB,CAAC;YACvB,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACjB,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;SACxB,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AASD,gEAAgE;AAChE,MAAM,UAAU,aAAa,CAAC,KAI7B;IACC,MAAM,EAAE,GAAG,CAAC,CAAW,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,MAAM,EAAE,GAAG,CAAC,CAAa,EAAE,EAAE,CAC3B,MAAM,CAAC,MAAM,CAAC;QACZ,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KACtB,CAAC,CAAC;IACL,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAAkB,EAClB,CAWC;IAED,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACvE,OAAO,IAAI,sBAAsB,CAAC;QAChC,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE;YACJ,EAAE,MAAM,EAAE,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;YAC/E,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;YACtD;gBACE,MAAM,EAAE,sBAAsB,CAAC,OAAO,EAAE,CAAC,CAAC,mBAAmB,CAAC;gBAC9D,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;aACjB;YACD,EAAE,MAAM,EAAE,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;YACzD,EAAE,MAAM,EAAE,aAAa,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;SACxE;QACD,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC;YAClB,IAAI,CAAC,UAAU,CAAC;YAChB,CAAC,CAAC,KAAK,CAAC,CAAC;YACT,CAAC,CAAC,KAAK,CAAC,CAAC;YACT,CAAC,CAAC,KAAK,CAAC,CAAC;YACT,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;YACd,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;YACb,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACjB,IAAI,CAAC,CAAC,CAAC,mBAAmB,CAAC;YAC3B,CAAC,CAAC,MAAM;YACR,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;SACd,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED,OAAO,EAAE,eAAe,EAAsB,CAAC"}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@opaquecash/disclosure",
+  "version": "0.2.0",
+  "description": "Conditional disclosure client: Shamir viewing-key escrow, disclosure witness + Groth16 proof generation, BIP-340 quorum-signature helpers, and disclose tx building (spec/conditional-disclosure.md)",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@noble/curves": "^1.6.0",
+    "@solana/web3.js": "^1.98.4",
+    "@opaquecash/deployments": "0.2.0",
+    "@opaquecash/privacy-pool": "0.2.0",
+    "shamir-secret-sharing": "^0.0.4",
+    "snarkjs": "^0.7.5",
+    "viem": "^2.21.0"
+  },
+  "sideEffects": false,
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/opaquecash/sdk.git",
+    "directory": "packages/disclosure"
+  },
+  "homepage": "https://docs.opaque.cash",
+  "publishConfig": {
+    "access": "public"
+  }
+}