@pafi-dev/issuer 0.7.6 → 0.7.8

package/dist/index.d.cts

@@ -1,4 +1,4 @@
-import { PafiSdkError, SdkErrorHttpStatus, PointTokenDomainConfig, PartialUserOperation, BurnRequest, PoolKey, UserOpTypedData, decodeBatchExecuteCalls, BROKER_HASHES, Eip7702AuthorizationJsonRpc, BuiltSponsorAuth, ENTRY_POINT_V08 } from '@pafi-dev/core';
+import { PafiSdkError, SdkErrorHttpStatus, PointTokenDomainConfig, PartialUserOperation, BurnRequest, PoolKey, UserOpTypedData, decodeBatchExecuteCalls, BROKER_HASHES, BuiltSponsorAuth, ENTRY_POINT_V08 } from '@pafi-dev/core';
 export { PAFI_SUBGRAPH_URL, PafiSdkError, SdkErrorHttpStatus, ValidationError } from '@pafi-dev/core';
 import { Address, Hex, PublicClient, WalletClient } from 'viem';
 
@@ -1481,6 +1481,25 @@ interface PendingUserOpEntry {
         preVerificationGas: string;
         userOpHash: Hex;
     };
+    /**
+     * EIP-7702 authorization tuple — present only on the `delegate`
+     * scenario where the UserOp anchors the EOA's one-time delegation
+     * to a 7702 implementation. Embedded into the eth_sendUserOperation
+     * payload at submit time so Pimlico bundler applies the bytecode
+     * atomically with the UserOp execution. Pre-computed at prepare
+     * time from the user's `signAuthorization` signature so submit
+     * doesn't need to re-derive it.
+     *
+     * v0.7.7 — added per delegate-flow refactor (mobile prepare/submit).
+     */
+    eip7702Auth?: {
+        chainId: string;
+        address: string;
+        nonce: string;
+        r: string;
+        s: string;
+        yParity: string;
+    };
 }
 /**
  * Storage backend for pending UserOps in the mobile prepare/submit pattern.
@@ -1969,55 +1988,30 @@ declare class PerpDepositHandler {
     handle(request: PerpDepositRequest): Promise<PerpDepositResponse>;
 }
 
-/**
- * Pure mechanics for the EIP-7702 delegation submit flow. Builds the
- * delegation-anchor UserOp via `buildDelegationUserOp` (self-call EOA
- * with empty calldata), attaches paymaster sponsorship, splits the
- * user's authorization signature into the JSON-RPC tuple, and relays
- * via the PAFI sponsor-relayer.
- *
- * The UserOp itself is a no-op — a self-call to the user's EOA with
- * `data: "0x"`. The work is in the `eip7702Auth` object: the bundler
- * picks it up, runs the EIP-7702 path, and installs the delegation on
- * the user's EOA atomically with the (no-op) UserOp.
- *
- * v0.7.1 — switched from `encodeBatchExecute([])` (which throws
- * "operations array must not be empty") to `buildDelegationUserOp`
- * (self-call pattern). See SDK_CORE_TRADING_AUDIT.md C1.
- *
- * Throws the same `BundlerNotConfiguredError` / `BundlerRejectedError`
- * as other relay paths so issuer controllers can use one error mapper.
- */
 interface HandleDelegateSubmitParams {
-    userAddress: Address;
-    chainId: number;
-    /** Account nonce read at `delegate/prepare` time and signed by the user. */
-    delegationNonce: bigint;
-    /** ERC-4337 account nonce. Caller fetches via EntryPoint.getNonce. */
-    aaNonce: bigint;
-    /** 65-byte secp256k1 signature over the EIP-7702 authorization hash. */
-    authSig: Hex | string;
-    /** EIP-1559 fees from `provider.estimateFeesPerGas()` (or RPC equivalent). */
-    fees: {
-        maxFeePerGas?: bigint;
-        maxPriorityFeePerGas?: bigint;
-    };
+    lockId: string;
+    /** Authenticated user EOA — must match the entry's `sender`. */
+    authenticatedAddress: Address;
+    /** User signature over the persisted userOpHash. */
+    userOpSig: Hex;
+    store: IPendingUserOpStore;
     pafiBackendClient?: PafiBackendClient | null;
-    onWarning?: (msg: string) => void;
-    /** Override gas limits for the empty-batch UserOp. */
-    gasLimits?: {
-        callGasLimit?: bigint;
-        verificationGasLimit?: bigint;
-        preVerificationGas?: bigint;
-    };
+    /** Defaults to `ENTRY_POINT_V08`. */
+    entryPoint?: string;
 }
 interface HandleDelegateSubmitResult {
     userOpHash: Hex;
-    /** True when paymaster sponsorship was applied (gas is free). */
-    isSponsored: boolean;
-    /** The authorization tuple actually sent to the bundler. */
-    authorization: Eip7702AuthorizationJsonRpc;
 }
+/**
+ * Retrieve the persisted delegate UserOp, embed the user's signature,
+ * and submit to the bundler with the cached `eip7702Auth` field.
+ *
+ * Throws:
+ *   - `PendingUserOpNotFoundError` — entry expired or already submitted (404)
+ *   - `PendingUserOpForbiddenError` — sender mismatch (403)
+ *   - `BundlerNotConfiguredError` — `pafiBackendClient` missing (503)
+ *   - `BundlerRejectedError` — bundler rejected the UserOp (422)
+ */
 declare function handleDelegateSubmit(params: HandleDelegateSubmitParams): Promise<HandleDelegateSubmitResult>;
 
 /**
@@ -2310,9 +2304,35 @@ interface MobileSubmitDto {
 interface DelegateStatusDto {
     isDelegated: boolean;
     batchExecutorAddress: Address;
+    /**
+     * EOA tx count fetched on-chain via `getTransactionCount(blockTag: 'pending')`.
+     * Mobile passes this VERBATIM into Privy `signAuthorization({ ..., nonce })` —
+     * MUST NOT hardcode `0` or fetch independently. For a fresh embedded wallet
+     * it will be `"0"`, but re-delegation or post-activity wallets will be > 0.
+     * Returned as decimal string (preserves bigint precision over JSON).
+     */
+    delegationNonce: string;
+    chainId: number;
 }
 interface DelegatePrepareDto {
-    authorizationHash: Hex;
+    /**
+     * v0.7.7 — refactored to mobile prepare/submit pattern. Mobile signs
+     * the EIP-7702 authorization LOCALLY (Privy `signAuthorization`),
+     * then signs `userOpHash` (or `typedData`) BEFORE submit. See
+     * `handleDelegatePrepare` for rationale.
+     *
+     * Pre-v0.7.7 callers expected `{ authorizationHash, delegationNonce,
+     * batchExecutorAddress, chainId }` — `delegationNonce` +
+     * `batchExecutorAddress` retained for back-compat so mobile can
+     * compute the authorization hash if needed; `authorizationHash`
+     * removed (mobile's Privy hook computes it locally).
+     */
+    lockId: string;
+    userOpHash: Hex;
+    typedData: SerializedUserOpTypedData;
+    expiresInSeconds: number;
+    isSponsored: boolean;
+    /** Echoed for mobile to recompute the authorization hash if desired. */
     delegationNonce: string;
     batchExecutorAddress: Address;
     chainId: number;
@@ -2379,13 +2399,32 @@ declare class IssuerApiAdapter {
     claimStatus(authenticatedAddress: Address, lockId: string): Promise<MintStatusResponse>;
     redeemStatus(authenticatedAddress: Address, lockId: string): Promise<BurnStatusResponse>;
     delegateStatus(authenticatedAddress: Address, chainId: number): Promise<DelegateStatusDto>;
-    delegatePrepare(authenticatedAddress: Address, chainId: number): Promise<DelegatePrepareDto>;
-    delegateSubmit(input: {
-        authenticatedAddress: Address;
+    /**
+     * Build the delegation-anchor UserOp + obtain paymaster sponsorship
+     * + persist as a pending entry. Mobile must:
+     *
+     *   1. Sign EIP-7702 authorization LOCALLY (Privy `signAuthorization`
+     *      with `{contractAddress: batchExecutorAddress, chainId,
+     *      nonce: delegationNonce}`) → 65-byte authSig hex.
+     *   2. POST `/delegate/prepare` with `{ chainId, delegationNonce,
+     *      authSig }` → this method.
+     *   3. Sign returned `userOpHash` LOCALLY (`signTypedData(typedData)`).
+     *   4. POST `/delegate/submit` with `{ lockId, userOpSig }`.
+     *
+     * v0.7.7 — replaces single-shot delegateSubmit that tried to relay
+     * a UserOp with empty `signature: "0x"` (Simple7702Account's
+     * validateUserOp reverts `ECDSAInvalidSignatureLength` 0xfce698f7).
+     */
+    delegatePrepare(authenticatedAddress: Address, input: {
         chainId: number;
         delegationNonce: bigint;
-        aaNonce: bigint;
         authSig: Hex | string;
+        aaNonce: bigint;
+    }): Promise<DelegatePrepareDto>;
+    delegateSubmit(input: {
+        authenticatedAddress: Address;
+        lockId: string;
+        userOpSig: Hex;
     }): Promise<MobileSubmitDto>;
     /**
      * Build + sign a SponsorAuth payload. Returns `undefined` when no

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-import { PafiSdkError, SdkErrorHttpStatus, PointTokenDomainConfig, PartialUserOperation, BurnRequest, PoolKey, UserOpTypedData, decodeBatchExecuteCalls, BROKER_HASHES, Eip7702AuthorizationJsonRpc, BuiltSponsorAuth, ENTRY_POINT_V08 } from '@pafi-dev/core';
+import { PafiSdkError, SdkErrorHttpStatus, PointTokenDomainConfig, PartialUserOperation, BurnRequest, PoolKey, UserOpTypedData, decodeBatchExecuteCalls, BROKER_HASHES, BuiltSponsorAuth, ENTRY_POINT_V08 } from '@pafi-dev/core';
 export { PAFI_SUBGRAPH_URL, PafiSdkError, SdkErrorHttpStatus, ValidationError } from '@pafi-dev/core';
 import { Address, Hex, PublicClient, WalletClient } from 'viem';
 
@@ -1481,6 +1481,25 @@ interface PendingUserOpEntry {
         preVerificationGas: string;
         userOpHash: Hex;
     };
+    /**
+     * EIP-7702 authorization tuple — present only on the `delegate`
+     * scenario where the UserOp anchors the EOA's one-time delegation
+     * to a 7702 implementation. Embedded into the eth_sendUserOperation
+     * payload at submit time so Pimlico bundler applies the bytecode
+     * atomically with the UserOp execution. Pre-computed at prepare
+     * time from the user's `signAuthorization` signature so submit
+     * doesn't need to re-derive it.
+     *
+     * v0.7.7 — added per delegate-flow refactor (mobile prepare/submit).
+     */
+    eip7702Auth?: {
+        chainId: string;
+        address: string;
+        nonce: string;
+        r: string;
+        s: string;
+        yParity: string;
+    };
 }
 /**
  * Storage backend for pending UserOps in the mobile prepare/submit pattern.
@@ -1969,55 +1988,30 @@ declare class PerpDepositHandler {
     handle(request: PerpDepositRequest): Promise<PerpDepositResponse>;
 }
 
-/**
- * Pure mechanics for the EIP-7702 delegation submit flow. Builds the
- * delegation-anchor UserOp via `buildDelegationUserOp` (self-call EOA
- * with empty calldata), attaches paymaster sponsorship, splits the
- * user's authorization signature into the JSON-RPC tuple, and relays
- * via the PAFI sponsor-relayer.
- *
- * The UserOp itself is a no-op — a self-call to the user's EOA with
- * `data: "0x"`. The work is in the `eip7702Auth` object: the bundler
- * picks it up, runs the EIP-7702 path, and installs the delegation on
- * the user's EOA atomically with the (no-op) UserOp.
- *
- * v0.7.1 — switched from `encodeBatchExecute([])` (which throws
- * "operations array must not be empty") to `buildDelegationUserOp`
- * (self-call pattern). See SDK_CORE_TRADING_AUDIT.md C1.
- *
- * Throws the same `BundlerNotConfiguredError` / `BundlerRejectedError`
- * as other relay paths so issuer controllers can use one error mapper.
- */
 interface HandleDelegateSubmitParams {
-    userAddress: Address;
-    chainId: number;
-    /** Account nonce read at `delegate/prepare` time and signed by the user. */
-    delegationNonce: bigint;
-    /** ERC-4337 account nonce. Caller fetches via EntryPoint.getNonce. */
-    aaNonce: bigint;
-    /** 65-byte secp256k1 signature over the EIP-7702 authorization hash. */
-    authSig: Hex | string;
-    /** EIP-1559 fees from `provider.estimateFeesPerGas()` (or RPC equivalent). */
-    fees: {
-        maxFeePerGas?: bigint;
-        maxPriorityFeePerGas?: bigint;
-    };
+    lockId: string;
+    /** Authenticated user EOA — must match the entry's `sender`. */
+    authenticatedAddress: Address;
+    /** User signature over the persisted userOpHash. */
+    userOpSig: Hex;
+    store: IPendingUserOpStore;
     pafiBackendClient?: PafiBackendClient | null;
-    onWarning?: (msg: string) => void;
-    /** Override gas limits for the empty-batch UserOp. */
-    gasLimits?: {
-        callGasLimit?: bigint;
-        verificationGasLimit?: bigint;
-        preVerificationGas?: bigint;
-    };
+    /** Defaults to `ENTRY_POINT_V08`. */
+    entryPoint?: string;
 }
 interface HandleDelegateSubmitResult {
     userOpHash: Hex;
-    /** True when paymaster sponsorship was applied (gas is free). */
-    isSponsored: boolean;
-    /** The authorization tuple actually sent to the bundler. */
-    authorization: Eip7702AuthorizationJsonRpc;
 }
+/**
+ * Retrieve the persisted delegate UserOp, embed the user's signature,
+ * and submit to the bundler with the cached `eip7702Auth` field.
+ *
+ * Throws:
+ *   - `PendingUserOpNotFoundError` — entry expired or already submitted (404)
+ *   - `PendingUserOpForbiddenError` — sender mismatch (403)
+ *   - `BundlerNotConfiguredError` — `pafiBackendClient` missing (503)
+ *   - `BundlerRejectedError` — bundler rejected the UserOp (422)
+ */
 declare function handleDelegateSubmit(params: HandleDelegateSubmitParams): Promise<HandleDelegateSubmitResult>;
 
 /**
@@ -2310,9 +2304,35 @@ interface MobileSubmitDto {
 interface DelegateStatusDto {
     isDelegated: boolean;
     batchExecutorAddress: Address;
+    /**
+     * EOA tx count fetched on-chain via `getTransactionCount(blockTag: 'pending')`.
+     * Mobile passes this VERBATIM into Privy `signAuthorization({ ..., nonce })` —
+     * MUST NOT hardcode `0` or fetch independently. For a fresh embedded wallet
+     * it will be `"0"`, but re-delegation or post-activity wallets will be > 0.
+     * Returned as decimal string (preserves bigint precision over JSON).
+     */
+    delegationNonce: string;
+    chainId: number;
 }
 interface DelegatePrepareDto {
-    authorizationHash: Hex;
+    /**
+     * v0.7.7 — refactored to mobile prepare/submit pattern. Mobile signs
+     * the EIP-7702 authorization LOCALLY (Privy `signAuthorization`),
+     * then signs `userOpHash` (or `typedData`) BEFORE submit. See
+     * `handleDelegatePrepare` for rationale.
+     *
+     * Pre-v0.7.7 callers expected `{ authorizationHash, delegationNonce,
+     * batchExecutorAddress, chainId }` — `delegationNonce` +
+     * `batchExecutorAddress` retained for back-compat so mobile can
+     * compute the authorization hash if needed; `authorizationHash`
+     * removed (mobile's Privy hook computes it locally).
+     */
+    lockId: string;
+    userOpHash: Hex;
+    typedData: SerializedUserOpTypedData;
+    expiresInSeconds: number;
+    isSponsored: boolean;
+    /** Echoed for mobile to recompute the authorization hash if desired. */
     delegationNonce: string;
     batchExecutorAddress: Address;
     chainId: number;
@@ -2379,13 +2399,32 @@ declare class IssuerApiAdapter {
     claimStatus(authenticatedAddress: Address, lockId: string): Promise<MintStatusResponse>;
     redeemStatus(authenticatedAddress: Address, lockId: string): Promise<BurnStatusResponse>;
     delegateStatus(authenticatedAddress: Address, chainId: number): Promise<DelegateStatusDto>;
-    delegatePrepare(authenticatedAddress: Address, chainId: number): Promise<DelegatePrepareDto>;
-    delegateSubmit(input: {
-        authenticatedAddress: Address;
+    /**
+     * Build the delegation-anchor UserOp + obtain paymaster sponsorship
+     * + persist as a pending entry. Mobile must:
+     *
+     *   1. Sign EIP-7702 authorization LOCALLY (Privy `signAuthorization`
+     *      with `{contractAddress: batchExecutorAddress, chainId,
+     *      nonce: delegationNonce}`) → 65-byte authSig hex.
+     *   2. POST `/delegate/prepare` with `{ chainId, delegationNonce,
+     *      authSig }` → this method.
+     *   3. Sign returned `userOpHash` LOCALLY (`signTypedData(typedData)`).
+     *   4. POST `/delegate/submit` with `{ lockId, userOpSig }`.
+     *
+     * v0.7.7 — replaces single-shot delegateSubmit that tried to relay
+     * a UserOp with empty `signature: "0x"` (Simple7702Account's
+     * validateUserOp reverts `ECDSAInvalidSignatureLength` 0xfce698f7).
+     */
+    delegatePrepare(authenticatedAddress: Address, input: {
         chainId: number;
         delegationNonce: bigint;
-        aaNonce: bigint;
         authSig: Hex | string;
+        aaNonce: bigint;
+    }): Promise<DelegatePrepareDto>;
+    delegateSubmit(input: {
+        authenticatedAddress: Address;
+        lockId: string;
+        userOpSig: Hex;
     }): Promise<MobileSubmitDto>;
     /**
      * Build + sign a SponsorAuth payload. Returns `undefined` when no