@permissionless-technologies/upp-sdk 0.1.0

package/README.md

@@ -0,0 +1,194 @@
+# Universal Private Pool (UPP) SDK
+
+Privacy-preserving token operations for any ERC20 token.
+
+## Features
+
+- **Multi-token support**: Shield any ERC20 into a single privacy pool
+- **Large anonymity set**: All token users share one Merkle tree
+- **Compliance-ready**: ASP-based whitelists with ragequit protection
+- **Modern stack**: Built on viem, not ethers.js
+
+## Package Structure
+
+The SDK is published as a single npm package with subpath exports:
+
+```typescript
+// Core crypto and utilities
+import { poseidon, computeSharedSecret } from '@upp/sdk/core'
+
+// Key derivation
+import { deriveKeysFromSignature } from '@upp/sdk/keys'
+
+// React hooks (requires React 18+)
+import { UPPAccountProvider, useUPPAccount } from '@upp/sdk/react'
+
+// Indexer for note scanning
+import { makeRpcIndexer } from '@upp/sdk/indexer'
+```
+
+**Why not separate packages?**
+
+We considered splitting into `@upp/core`, `@upp/react`, etc. (like Kohaku), but chose a single package because:
+
+1. **Same developer experience** - Subpath exports work identically to separate packages
+2. **Tree-shaking works** - Modern bundlers only include what you import
+3. **Simpler versioning** - No cross-package dependency management
+4. **Prototype-appropriate** - Less operational overhead
+
+The internal architecture maintains clean boundaries, so splitting later is straightforward if needed.
+
+## Installation
+
+```bash
+npm install @upp/sdk viem
+```
+
+## Quick Start
+
+```typescript
+import { createUPPClient } from '@upp/sdk'
+import { createPublicClient, createWalletClient, http } from 'viem'
+import { sepolia } from 'viem/chains'
+
+// Create viem clients
+const publicClient = createPublicClient({
+  chain: sepolia,
+  transport: http(),
+})
+
+const walletClient = createWalletClient({
+  chain: sepolia,
+  transport: http(),
+})
+
+// Create UPP client
+const upp = createUPPClient({
+  publicClient,
+  walletClient,
+  poolAddress: '0x...',
+  aspHubAddress: '0x...',
+})
+
+// Shield tokens
+const { commitment, note } = await upp.shield({
+  token: '0xUSDC...',
+  amount: 1000n * 10n ** 6n,
+})
+
+// Transfer privately
+await upp.transfer({
+  note: myNote,
+  recipient: recipientStealthAddress,
+  amount: 500n * 10n ** 6n,
+})
+
+// Withdraw
+await upp.withdraw({
+  note: myNote,
+  amount: 500n * 10n ** 6n,
+  recipient: '0xMyAddress...',
+  aspId: 1,
+})
+```
+
+## Local Development
+
+### Prerequisites
+
+- [Foundry](https://book.getfoundry.sh/getting-started/installation) for contract compilation and deployment
+- [Node.js](https://nodejs.org/) 18+
+- Local Ethereum node (Anvil recommended)
+
+### Starting a Local Node
+
+```bash
+# Start Anvil with auto-mining
+anvil
+```
+
+### Deploying Contracts
+
+The SDK includes deployment scripts and automatic address extraction:
+
+```bash
+# 1. Deploy contracts to local Anvil
+forge script src/contracts/script/DeployUPP.s.sol:DeployUPPLocal \
+  --rpc-url http://localhost:8545 \
+  --broadcast \
+  --private-key 0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80
+
+# 2. Extract addresses to SDK deployment JSON
+node scripts/extract-deployment.js 31337
+
+# 3. Rebuild SDK to include new addresses
+npm run build
+```
+
+After deployment, addresses are written to `src/deployments/31337.json`:
+
+```json
+{
+  "UniversalPrivatePool": "0x2279b7a0a67db372996a5fab50d91eaa73d2ebe6",
+  "ASPRegistryHub": "0xe7f1725e7734ce288f8367e1bb143e90bb3f0512",
+  "TestToken": "0x610178da211fef7d417bc0e6fed39f05609ad788",
+  "verifiers": { ... },
+  "deployBlock": 2
+}
+```
+
+### Using Deployment Addresses
+
+The SDK provides helpers to load deployment addresses:
+
+```typescript
+import { getDeployment, getDeploymentOrThrow } from '@upp/sdk'
+
+// Get deployment for chain (returns null if not found)
+const deployment = getDeployment(31337)
+
+// Or throw if not found
+const deployment = getDeploymentOrThrow(31337)
+
+// Access addresses
+const poolAddress = deployment.UniversalPrivatePool
+const tokenAddress = deployment.TestToken // local dev
+// or
+const tokenAddress = deployment.USSC // production
+```
+
+### TestStableToken (TST)
+
+The local deployment includes a test ERC20 token with an ETH-to-token swap:
+
+```typescript
+// Mint TST by sending ETH (1 ETH = 3000 TST)
+await walletClient.sendTransaction({
+  to: deployment.TestToken,
+  value: parseEther('1'),
+  data: encodeFunctionData({
+    abi: USSC_ABI,
+    functionName: 'mintWithEth',
+  }),
+})
+```
+
+## Contract ABIs
+
+The SDK exports ABIs for all contracts:
+
+```typescript
+import {
+  UNIVERSAL_PRIVATE_POOL_ABI,
+  ASP_REGISTRY_HUB_ABI,
+  USSC_ABI,
+} from '@upp/sdk'
+```
+
+## Documentation
+
+See [CLAUDE.md](./CLAUDE.md) for detailed API documentation and architecture.
+
+## License
+
+MIT

package/dist/asp-TXSAFFD3.cjs

@@ -0,0 +1,53 @@
+'use strict';
+
+var chunkNDM5EJEV_cjs = require('./chunk-NDM5EJEV.cjs');
+require('./chunk-G7VZBCD6.cjs');
+
+
+
+Object.defineProperty(exports, "ASP_TREE_DEPTH", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.ASP_TREE_DEPTH; }
+});
+Object.defineProperty(exports, "DEMO_ASP_ID", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.DEMO_ASP_ID; }
+});
+Object.defineProperty(exports, "DEMO_ASP_NAME", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.DEMO_ASP_NAME; }
+});
+Object.defineProperty(exports, "buildASPTree", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.buildASPTree; }
+});
+Object.defineProperty(exports, "computeMultiOriginASPRoot", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.computeMultiOriginASPRoot; }
+});
+Object.defineProperty(exports, "computeSingleOriginASPRoot", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.computeSingleOriginASPRoot; }
+});
+Object.defineProperty(exports, "createDemoASPRoot", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.createDemoASPRoot; }
+});
+Object.defineProperty(exports, "generateASPProof", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.generateASPProof; }
+});
+Object.defineProperty(exports, "generateMultiOriginASPProof", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.generateMultiOriginASPProof; }
+});
+Object.defineProperty(exports, "generateSingleOriginASPProof", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.generateSingleOriginASPProof; }
+});
+Object.defineProperty(exports, "verifyASPProof", {
+  enumerable: true,
+  get: function () { return chunkNDM5EJEV_cjs.verifyASPProof; }
+});
+//# sourceMappingURL=asp-TXSAFFD3.cjs.map
+//# sourceMappingURL=asp-TXSAFFD3.cjs.map

package/dist/asp-TXSAFFD3.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"asp-TXSAFFD3.cjs"}

package/dist/asp-ZA3RGN7G.js

@@ -0,0 +1,4 @@
+export { ASP_TREE_DEPTH, DEMO_ASP_ID, DEMO_ASP_NAME, buildASPTree, computeMultiOriginASPRoot, computeSingleOriginASPRoot, createDemoASPRoot, generateASPProof, generateMultiOriginASPProof, generateSingleOriginASPProof, verifyASPProof } from './chunk-P37MRZ73.js';
+import './chunk-Z6ZWNWWR.js';
+//# sourceMappingURL=asp-ZA3RGN7G.js.map
+//# sourceMappingURL=asp-ZA3RGN7G.js.map

package/dist/asp-ZA3RGN7G.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"asp-ZA3RGN7G.js"}

package/dist/babyjubjub-2MGQVCKB.js

@@ -0,0 +1,5 @@
+export { addPoints, computeSharedSecret, deriveDecryptionViewingKey, deriveEncryptionViewingKey, getBasePoint, getSubOrder, isOnCurve, mulPointScalar, packPoint, pointToTuple, privateToPublic, reconstructPointFromX, reconstructPointFromXWithParity, tupleToPoint } from './chunk-YOWDERVC.js';
+import './chunk-V23OSL25.js';
+import './chunk-Z6ZWNWWR.js';
+//# sourceMappingURL=babyjubjub-2MGQVCKB.js.map
+//# sourceMappingURL=babyjubjub-2MGQVCKB.js.map

package/dist/babyjubjub-2MGQVCKB.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"babyjubjub-2MGQVCKB.js"}

package/dist/babyjubjub-MWZLJOVZ.cjs

@@ -0,0 +1,66 @@
+'use strict';
+
+var chunkTSF6HEVS_cjs = require('./chunk-TSF6HEVS.cjs');
+require('./chunk-JWNXBALH.cjs');
+require('./chunk-G7VZBCD6.cjs');
+
+
+
+Object.defineProperty(exports, "addPoints", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.addPoints; }
+});
+Object.defineProperty(exports, "computeSharedSecret", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.computeSharedSecret; }
+});
+Object.defineProperty(exports, "deriveDecryptionViewingKey", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.deriveDecryptionViewingKey; }
+});
+Object.defineProperty(exports, "deriveEncryptionViewingKey", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.deriveEncryptionViewingKey; }
+});
+Object.defineProperty(exports, "getBasePoint", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.getBasePoint; }
+});
+Object.defineProperty(exports, "getSubOrder", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.getSubOrder; }
+});
+Object.defineProperty(exports, "isOnCurve", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.isOnCurve; }
+});
+Object.defineProperty(exports, "mulPointScalar", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.mulPointScalar; }
+});
+Object.defineProperty(exports, "packPoint", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.packPoint; }
+});
+Object.defineProperty(exports, "pointToTuple", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.pointToTuple; }
+});
+Object.defineProperty(exports, "privateToPublic", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.privateToPublic; }
+});
+Object.defineProperty(exports, "reconstructPointFromX", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.reconstructPointFromX; }
+});
+Object.defineProperty(exports, "reconstructPointFromXWithParity", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.reconstructPointFromXWithParity; }
+});
+Object.defineProperty(exports, "tupleToPoint", {
+  enumerable: true,
+  get: function () { return chunkTSF6HEVS_cjs.tupleToPoint; }
+});
+//# sourceMappingURL=babyjubjub-MWZLJOVZ.cjs.map
+//# sourceMappingURL=babyjubjub-MWZLJOVZ.cjs.map

package/dist/babyjubjub-MWZLJOVZ.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"babyjubjub-MWZLJOVZ.cjs"}

package/dist/chunk-2JQISXBD.js

@@ -0,0 +1,150 @@
+import { splitToM31Limbs, computeStarkOwnerHash, keccakM31 } from './chunk-5V5HSN6Y.js';
+import { init_crypto, bytesToBigint, hexToBytes, bytesToHex } from './chunk-W77GRBO4.js';
+import { init_poseidon, FIELD_PRIME } from './chunk-V23OSL25.js';
+import { keccak256, toHex } from 'viem';
+
+// src/keys/types.ts
+var DEFAULT_KEY_DERIVATION_CONFIG = {
+  message: "UPP Stealth Key Derivation v1",
+  version: 1
+};
+
+// src/keys/derive.ts
+init_poseidon();
+init_crypto();
+async function deriveKeysFromSignature(signature, config = DEFAULT_KEY_DERIVATION_CONFIG) {
+  const { poseidon } = await import('./poseidon-UHTJLWQM.js');
+  const seed = keccak256(signature);
+  const spendingSecretHash = keccak256(
+    toHex(new TextEncoder().encode(`${seed}:spending:v${config.version}`))
+  );
+  const spendingSecretRaw = bytesToBigint(hexToBytes(spendingSecretHash));
+  const spendingSecret = spendingSecretRaw % FIELD_PRIME;
+  const ownerHash = await poseidon([spendingSecret]);
+  const viewingSecretHash = keccak256(
+    toHex(new TextEncoder().encode(`${seed}:viewing:v${config.version}`))
+  );
+  const viewingSecretRaw = bytesToBigint(hexToBytes(viewingSecretHash));
+  const viewingSecret = viewingSecretRaw % FIELD_PRIME;
+  const viewingHash = await poseidon([viewingSecret]);
+  return {
+    spendingSecret,
+    ownerHash,
+    viewingSecret,
+    viewingHash
+  };
+}
+function getKeyDerivationMessage(config = DEFAULT_KEY_DERIVATION_CONFIG) {
+  return config.message;
+}
+async function verifyKeysMatchSignature(keys, signature, config = DEFAULT_KEY_DERIVATION_CONFIG) {
+  const derivedKeys = await deriveKeysFromSignature(signature, config);
+  return keys.spendingSecret === derivedKeys.spendingSecret && keys.ownerHash === derivedKeys.ownerHash && keys.viewingSecret === derivedKeys.viewingSecret && keys.viewingHash === derivedKeys.viewingHash;
+}
+function deriveStarkKeysFromSignature(signature, config = DEFAULT_KEY_DERIVATION_CONFIG) {
+  const seed = keccak256(signature);
+  const starkSpendingHash = keccak256(
+    toHex(new TextEncoder().encode(`${seed}:stark:spending:v${config.version}`))
+  );
+  const starkSecret = splitToM31Limbs(starkSpendingHash);
+  const starkOwnerHash = computeStarkOwnerHash(starkSecret);
+  const starkViewingHash = keccak256(
+    toHex(new TextEncoder().encode(`${seed}:stark:viewing:v${config.version}`))
+  );
+  const starkViewingSecret = splitToM31Limbs(starkViewingHash);
+  const starkViewingHashDigest = computeStarkOwnerHash(starkViewingSecret);
+  return {
+    starkSecret,
+    starkOwnerHash,
+    starkViewingSecret,
+    starkViewingHash: starkViewingHashDigest
+  };
+}
+async function deriveDualKeysFromSignature(signature, config = DEFAULT_KEY_DERIVATION_CONFIG) {
+  const snark = await deriveKeysFromSignature(signature, config);
+  const stark = deriveStarkKeysFromSignature(signature, config);
+  return { snark, stark };
+}
+async function deriveNullifierKey(spendingSecret) {
+  const { poseidon } = await import('./poseidon-UHTJLWQM.js');
+  return await poseidon([spendingSecret, 0n]);
+}
+init_crypto();
+async function derivePerNoteKey(viewingSecret, nonce) {
+  const { poseidon } = await import('./poseidon-UHTJLWQM.js');
+  const perNoteKey = await poseidon([viewingSecret, nonce]);
+  return toHex(perNoteKey, { size: 32 });
+}
+async function derivePerNoteKeyFromKeys(keys, nonce) {
+  return derivePerNoteKey(keys.viewingSecret, nonce);
+}
+async function exportViewingKeysForAudit(keys, signerAddress, notes) {
+  const viewingKeys = [];
+  for (const note of notes) {
+    const decryptionKey = await derivePerNoteKey(keys.viewingSecret, note.nonce);
+    viewingKeys.push({
+      leafIndex: note.leafIndex,
+      nonce: note.nonce,
+      decryptionKey
+    });
+  }
+  return {
+    version: 4,
+    signerAddress,
+    viewingHash: keys.viewingHash,
+    viewingKeys,
+    instructions: `
+This export contains per-note decryption keys for ${viewingKeys.length} UPP note(s).
+
+To decrypt a note:
+1. Find the viewingKey entry for the desired leafIndex
+2. Retrieve the encrypted note from the blockchain (Shielded event at that leaf index)
+3. Derive AES key: key = keccak256(decryptionKey)
+4. Decrypt the note ciphertext with AES-GCM
+
+These per-note keys ONLY allow decryption of the specified notes.
+They do NOT reveal:
+- The master viewing secret (protected by Poseidon one-wayness)
+- Keys for any other notes
+- The spending secret (cannot spend funds)
+    `.trim()
+  };
+}
+function validateAuditKeyExport(exportData) {
+  if (exportData.version !== 4) {
+    return { valid: false, error: `Unsupported version: ${exportData.version}. Expected version 4.` };
+  }
+  if (!exportData.signerAddress || !exportData.signerAddress.startsWith("0x")) {
+    return { valid: false, error: "Invalid signer address" };
+  }
+  if (exportData.viewingHash === void 0 || exportData.viewingHash === null) {
+    return { valid: false, error: "Missing viewing hash" };
+  }
+  if (!Array.isArray(exportData.viewingKeys) || exportData.viewingKeys.length === 0) {
+    return { valid: false, error: "No viewing keys in export" };
+  }
+  return { valid: true };
+}
+function getViewingKeyFromExport(exportData, leafIndex) {
+  const key = exportData.viewingKeys.find((k) => k.leafIndex === leafIndex);
+  return key ? key.decryptionKey : null;
+}
+function deriveStarkPerNoteKey(starkViewingSecret, nonce) {
+  const digest = keccakM31([...starkViewingSecret, nonce]);
+  const bytes = new Uint8Array(16);
+  for (let i = 0; i < 4; i++) {
+    const val = Number(digest[i]);
+    bytes[i * 4] = val & 255;
+    bytes[i * 4 + 1] = val >> 8 & 255;
+    bytes[i * 4 + 2] = val >> 16 & 255;
+    bytes[i * 4 + 3] = val >> 24 & 255;
+  }
+  return keccak256(bytesToHex(bytes));
+}
+function deriveStarkPerNoteKeyFromKeys(keys, nonce) {
+  return deriveStarkPerNoteKey(keys.starkViewingSecret, nonce);
+}
+
+export { DEFAULT_KEY_DERIVATION_CONFIG, deriveDualKeysFromSignature, deriveKeysFromSignature, deriveNullifierKey, derivePerNoteKey, derivePerNoteKeyFromKeys, deriveStarkKeysFromSignature, deriveStarkPerNoteKey, deriveStarkPerNoteKeyFromKeys, exportViewingKeysForAudit, getKeyDerivationMessage, getViewingKeyFromExport, validateAuditKeyExport, verifyKeysMatchSignature };
+//# sourceMappingURL=chunk-2JQISXBD.js.map
+//# sourceMappingURL=chunk-2JQISXBD.js.map

package/dist/chunk-2JQISXBD.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/keys/types.ts","../src/keys/derive.ts","../src/keys/viewing.ts"],"names":["toHex","keccak256"],"mappings":";;;;;;AA8FO,IAAM,6BAAA,GAAqD;AAAA,EAChE,OAAA,EAAS,+BAAA;AAAA,EACT,OAAA,EAAS;AACX;;;ACnFA,aAAA,EAAA;AACA,WAAA,EAAA;AAwBA,eAAsB,uBAAA,CACpB,SAAA,EACA,MAAA,GAA8B,6BAAA,EACT;AACrB,EAAA,MAAM,EAAE,QAAA,EAAS,GAAI,MAAM,OAAO,wBAAsB,CAAA;AAGxD,EAAA,MAAM,IAAA,GAAO,UAAU,SAAS,CAAA;AAGhC,EAAA,MAAM,kBAAA,GAAqB,SAAA;AAAA,IACzB,KAAA,CAAM,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,CAAA,EAAG,IAAI,CAAA,WAAA,EAAc,MAAA,CAAO,OAAO,CAAA,CAAE,CAAC;AAAA,GACvE;AACA,EAAA,MAAM,iBAAA,GAAoB,aAAA,CAAc,UAAA,CAAW,kBAAkB,CAAC,CAAA;AACtE,EAAA,MAAM,iBAAiB,iBAAA,GAAoB,WAAA;AAI3C,EAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,CAAC,cAAc,CAAC,CAAA;AAGjD,EAAA,MAAM,iBAAA,GAAoB,SAAA;AAAA,IACxB,KAAA,CAAM,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,CAAA,EAAG,IAAI,CAAA,UAAA,EAAa,MAAA,CAAO,OAAO,CAAA,CAAE,CAAC;AAAA,GACtE;AACA,EAAA,MAAM,gBAAA,GAAmB,aAAA,CAAc,UAAA,CAAW,iBAAiB,CAAC,CAAA;AACpE,EAAA,MAAM,gBAAgB,gBAAA,GAAmB,WAAA;AAGzC,EAAA,MAAM,WAAA,GAAc,MAAM,QAAA,CAAS,CAAC,aAAa,CAAC,CAAA;AAElD,EAAA,OAAO;AAAA,IACL,cAAA;AAAA,IACA,SAAA;AAAA,IACA,aAAA;AAAA,IACA;AAAA,GACF;AACF;AAKO,SAAS,uBAAA,CACd,SAA8B,6BAAA,EACtB;AACR,EAAA,OAAO,MAAA,CAAO,OAAA;AAChB;AAKA,eAAsB,wBAAA,CACpB,IAAA,EACA,SAAA,EACA,MAAA,GAA8B,6BAAA,EACZ;AAClB,EAAA,MAAM,WAAA,GAAc,MAAM,uBAAA,CAAwB,SAAA,EAAW,MAAM,CAAA;AAEnE,EAAA,OACE,IAAA,CAAK,cAAA,KAAmB,WAAA,CAAY,cAAA,IACpC,KAAK,SAAA,KAAc,WAAA,CAAY,SAAA,IAC/B,IAAA,CAAK,aAAA,KAAkB,WAAA,CAAY,aAAA,IACnC,IAAA,CAAK,gBAAgB,WAAA,CAAY,WAAA;AAErC;AAYO,SAAS,4BAAA,CACd,SAAA,EACA,MAAA,GAA8B,6BAAA,EACb;AACjB,EAAA,MAAM,IAAA,GAAO,UAAU,SAAS,CAAA;AAGhC,EAAA,MAAM,iBAAA,GAAoB,SAAA;AAAA,IACxB,KAAA,CAAM,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,CAAA,EAAG,IAAI,CAAA,iBAAA,EAAoB,MAAA,CAAO,OAAO,CAAA,CAAE,CAAC;AAAA,GAC7E;AACA,EAAA,MAAM,WAAA,GAAc,gBAAgB,iBAAiB,CAAA;AACrD,EAAA,MAAM,cAAA,GAAiB,sBAAsB,WAAW,CAAA;AAGxD,EAAA,MAAM,gBAAA,GAAmB,SAAA;AAAA,IACvB,KAAA,CAAM,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,CAAA,EAAG,IAAI,CAAA,gBAAA,EAAmB,MAAA,CAAO,OAAO,CAAA,CAAE,CAAC;AAAA,GAC5E;AACA,EAAA,MAAM,kBAAA,GAAqB,gBAAgB,gBAAgB,CAAA;AAC3D,EAAA,MAAM,sBAAA,GAAyB,sBAAsB,kBAAkB,CAAA;AAEvE,EAAA,OAAO;AAAA,IACL,WAAA;AAAA,IACA,cAAA;AAAA,IACA,kBAAA;AAAA,IACA,gBAAA,EAAkB;AAAA,GACpB;AACF;AAQA,eAAsB,2BAAA,CACpB,SAAA,EACA,MAAA,GAA8B,6BAAA,EACL;AACzB,EAAA,MAAM,KAAA,GAAQ,MAAM,uBAAA,CAAwB,SAAA,EAAW,MAAM,CAAA;AAC7D,EAAA,MAAM,KAAA,GAAQ,4BAAA,CAA6B,SAAA,EAAW,MAAM,CAAA;AAC5D,EAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AACxB;AAOA,eAAsB,mBAAmB,cAAA,EAAyC;AAChF,EAAA,MAAM,EAAE,QAAA,EAAS,GAAI,MAAM,OAAO,wBAAsB,CAAA;AACxD,EAAA,OAAO,MAAM,QAAA,CAAS,CAAC,cAAA,EAAgB,EAAE,CAAC,CAAA;AAC5C;ACzIA,WAAA,EAAA;AASA,eAAsB,gBAAA,CACpB,eACA,KAAA,EACc;AACd,EAAA,MAAM,EAAE,QAAA,EAAS,GAAI,MAAM,OAAO,wBAAsB,CAAA;AACxD,EAAA,MAAM,aAAa,MAAM,QAAA,CAAS,CAAC,aAAA,EAAe,KAAK,CAAC,CAAA;AACxD,EAAA,OAAOA,KAAAA,CAAM,UAAA,EAAY,EAAE,IAAA,EAAM,IAAI,CAAA;AACvC;AAKA,eAAsB,wBAAA,CACpB,MACA,KAAA,EACc;AACd,EAAA,OAAO,gBAAA,CAAiB,IAAA,CAAK,aAAA,EAAe,KAAK,CAAA;AACnD;AAwBA,eAAsB,yBAAA,CACpB,IAAA,EACA,aAAA,EACA,KAAA,EACyB;AACzB,EAAA,MAAM,cAAuC,EAAC;AAE9C,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AAExB,IAAA,MAAM,gBAAgB,MAAM,gBAAA,CAAiB,IAAA,CAAK,aAAA,EAAe,KAAK,KAAK,CAAA;AAE3E,IAAA,WAAA,CAAY,IAAA,CAAK;AAAA,MACf,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ;AAAA,KACD,CAAA;AAAA,EACH;AAEA,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,CAAA;AAAA,IACT,aAAA;AAAA,IACA,aAAa,IAAA,CAAK,WAAA;AAAA,IAClB,WAAA;AAAA,IACA,YAAA,EAAc;AAAA,kDAAA,EACkC,YAAY,MAAM,CAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAAA,CAAA,CAahE,IAAA;AAAK,GACT;AACF;AAKO,SAAS,uBACd,UAAA,EACoC;AACpC,EAAA,IAAI,UAAA,CAAW,YAAY,CAAA,EAAG;AAC5B,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,OAAO,CAAA,qBAAA,EAAwB,UAAA,CAAW,OAAO,CAAA,qBAAA,CAAA,EAAwB;AAAA,EAClG;AAEA,EAAA,IAAI,CAAC,WAAW,aAAA,IAAiB,CAAC,WAAW,aAAA,CAAc,UAAA,CAAW,IAAI,CAAA,EAAG;AAC3E,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,wBAAA,EAAyB;AAAA,EACzD;AAEA,EAAA,IAAI,UAAA,CAAW,WAAA,KAAgB,MAAA,IAAa,UAAA,CAAW,gBAAgB,IAAA,EAAM;AAC3E,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,sBAAA,EAAuB;AAAA,EACvD;AAEA,EAAA,IAAI,CAAC,MAAM,OAAA,CAAQ,UAAA,CAAW,WAAW,CAAA,IAAK,UAAA,CAAW,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG;AACjF,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,2BAAA,EAA4B;AAAA,EAC5D;AAEA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACvB;AAQO,SAAS,uBAAA,CACd,YACA,SAAA,EACY;AACZ,EAAA,MAAM,MAAM,UAAA,CAAW,WAAA,CAAY,KAAK,CAAA,CAAA,KAAK,CAAA,CAAE,cAAc,SAAS,CAAA;AACtE,EAAA,OAAO,GAAA,GAAM,IAAI,aAAA,GAAgB,IAAA;AACnC;AAmBO,SAAS,qBAAA,CACd,oBACA,KAAA,EACK;AAEL,EAAA,MAAM,SAAS,SAAA,CAAU,CAAC,GAAG,kBAAA,EAAoB,KAAK,CAAC,CAAA;AAGvD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,EAAE,CAAA;AAC/B,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK;AAC1B,IAAA,MAAM,GAAA,GAAM,MAAA,CAAO,MAAA,CAAO,CAAC,CAAE,CAAA;AAC7B,IAAA,KAAA,CAAM,CAAA,GAAI,CAAC,CAAA,GAAI,GAAA,GAAM,GAAA;AACrB,IAAA,KAAA,CAAM,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,GAAK,OAAO,CAAA,GAAK,GAAA;AAChC,IAAA,KAAA,CAAM,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,GAAK,OAAO,EAAA,GAAM,GAAA;AACjC,IAAA,KAAA,CAAM,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,GAAK,OAAO,EAAA,GAAM,GAAA;AAAA,EACnC;AAGA,EAAA,OAAOC,SAAAA,CAAU,UAAA,CAAW,KAAK,CAAC,CAAA;AACpC;AAKO,SAAS,6BAAA,CACd,MACA,KAAA,EACK;AACL,EAAA,OAAO,qBAAA,CAAsB,IAAA,CAAK,kBAAA,EAAoB,KAAK,CAAA;AAC7D","file":"chunk-2JQISXBD.js","sourcesContent":["/**\n * Key Type Definitions for UPP SDK\n *\n * Post-quantum key structure (hash-based, no elliptic curves):\n *\n * Wallet Signature → Seed\n *     ├── Spending Secret → Owner Hash = Poseidon(spendingSecret)\n *     └── Viewing Secret (for note encryption, derived from seed)\n *\n * Ownership is proven via hash preimage: \"I know secret such that Poseidon(secret) == ownerHash\"\n * This replaces the previous BabyJubJub ECDLP-based ownership proof.\n */\n\nimport type { Hex, Address } from 'viem'\n\n/**\n * Master keys derived from wallet signature\n *\n * Post-quantum: uses hash-based ownership instead of BabyJubJub curve.\n * ownerHash = Poseidon(spendingSecret) replaces spendingPubKey (curve point).\n */\nexport interface MasterKeys {\n  /** Spending secret - for note ownership proofs (hash preimage) */\n  spendingSecret: bigint\n  /** Owner hash = Poseidon(spendingSecret) - publicly committed in notes */\n  ownerHash: bigint\n  /** Viewing secret - for note encryption/decryption (symmetric key derivation) */\n  viewingSecret: bigint\n  /** Viewing hash = Poseidon(viewingSecret) - for search tags and indexing */\n  viewingHash: bigint\n}\n\n/**\n * Per-transaction viewing key (for decryption)\n *\n * Can be shared with auditors to reveal specific transactions\n * without compromising the master viewing secret.\n *\n * Post-quantum: uses hash-based key derivation instead of ECDH.\n */\nexport interface TransactionViewingKey {\n  /** The Merkle leaf index (for locating the on-chain event) */\n  leafIndex: number\n  /** The per-note nonce (used in key derivation) */\n  nonce: bigint\n  /** The per-note decryption key (derived from viewingSecret + nonce) */\n  decryptionKey: Hex\n}\n\n/**\n * Exported viewing keys for audit\n *\n * Contains the minimum information needed for an auditor\n * to decrypt specific transactions.\n */\nexport interface AuditKeyExport {\n  /** Version for forward compatibility (v4 = post-quantum hash-based) */\n  version: 4\n  /** Ethereum address that signed to derive keys (for identification) */\n  signerAddress: Address\n  /** The viewing hash (for verification) */\n  viewingHash: bigint\n  /** Per-transaction viewing keys */\n  viewingKeys: TransactionViewingKey[]\n  /** Instructions for auditor */\n  instructions: string\n}\n\n/**\n * Stealth address components (simplified for hash-based system)\n * Published once, used by senders to encrypt notes\n */\nexport interface StealthAddressComponents {\n  /** Owner hash = Poseidon(spendingSecret) */\n  ownerHash: bigint\n  /** Viewing hash = Poseidon(viewingSecret) - for encryption */\n  viewingHash: bigint\n  /** Optional chain ID (for multi-chain support) */\n  chainId?: number\n}\n\n/**\n * Configuration for key derivation\n */\nexport interface KeyDerivationConfig {\n  /** The message to sign for key derivation */\n  message: string\n  /** Version number for the key derivation scheme */\n  version: 1\n}\n\n/**\n * Default key derivation configuration\n */\nexport const DEFAULT_KEY_DERIVATION_CONFIG: KeyDerivationConfig = {\n  message: 'UPP Stealth Key Derivation v1',\n  version: 1,\n}\n\n/**\n * Result of deriving one-time keys for a transaction (hash-based)\n */\nexport interface OneTimeKeys {\n  /** One-time secret (for the owner to spend the note) */\n  oneTimeSecret: bigint\n  /** One-time owner hash = Poseidon(oneTimeSecret) - in the commitment */\n  ownerHash: bigint\n}\n\n/**\n * Serialized key format for storage\n */\nexport interface SerializedKeys {\n  version: 1\n  /** Hex-encoded encrypted key data */\n  encryptedData: Hex\n  /** Salt for key derivation (if password protected) */\n  salt?: Hex\n  /** Nonce for encryption */\n  nonce: Hex\n}\n\n// =========================================================================\n// STARK Key Types (M31/Keccak-based, post-quantum)\n// =========================================================================\n\nimport type { M31Digest, M31Secret } from '../utils/keccak-m31.js'\n\n/** Which proving system to use */\nexport type ProvingSystem = 'snark' | 'stark'\n\n/**\n * STARK master keys derived from wallet signature.\n *\n * Uses M31 field and keccak-256 hashing — no elliptic curves.\n * ownerHash = keccak_m31(starkSecret) — 4 M31 elements.\n */\nexport interface StarkMasterKeys {\n  /** 8 M31 limbs (248 bits of entropy) — for ownership proofs */\n  starkSecret: M31Secret\n  /** keccak_m31(starkSecret) — publicly committed in STARK notes */\n  starkOwnerHash: M31Digest\n  /** 8 M31 limbs — for note encryption/decryption */\n  starkViewingSecret: M31Secret\n  /** keccak_m31(starkViewingSecret) — for search tags and indexing */\n  starkViewingHash: M31Digest\n}\n\n/**\n * Dual master keys: both SNARK (BN254/Poseidon) and STARK (M31/Keccak).\n *\n * Derived from the same wallet signature via domain-separated keccak256.\n * Breaking BJJ (quantum) does NOT compromise STARK keys (keccak preimage resistance).\n */\nexport interface DualMasterKeys {\n  snark: MasterKeys\n  stark: StarkMasterKeys\n}\n","/**\n * Key Derivation from Wallet Signature (Post-Quantum / Hash-Based)\n *\n * Derives keys from an Ethereum wallet signature using only hash functions.\n * No elliptic curve operations — quantum-resistant by design.\n *\n * Security Model:\n * - Keys are derived deterministically from the signature\n * - No seed phrase management required\n * - Same signature always produces same keys\n * - Ownership proven via hash preimage (Poseidon), not discrete log\n */\n\nimport { keccak256, toHex, type Hex } from 'viem'\nimport { FIELD_PRIME } from '../utils/poseidon.js'\nimport { hexToBytes, bytesToBigint } from '../utils/crypto.js'\nimport { splitToM31Limbs, computeStarkOwnerHash } from '../utils/keccak-m31.js'\nimport type { MasterKeys, StarkMasterKeys, DualMasterKeys, KeyDerivationConfig } from './types.js'\nimport { DEFAULT_KEY_DERIVATION_CONFIG } from './types.js'\n\n/**\n * Derive master keys from a wallet signature (hash-based, post-quantum)\n *\n * This replaces the previous BabyJubJub-based derivation.\n * Instead of curve points, we use Poseidon hashes for ownership proofs.\n *\n * @param signature - The wallet signature (from personal_sign or EIP-712)\n * @param config - Optional key derivation configuration\n * @returns Master keys for stealth operations\n *\n * @example\n * ```ts\n * const signature = await walletClient.signMessage({\n *   message: 'UPP Stealth Key Derivation v1'\n * })\n * const keys = await deriveKeysFromSignature(signature)\n * // keys.ownerHash is Poseidon(spendingSecret) — used in note commitments\n * ```\n */\nexport async function deriveKeysFromSignature(\n  signature: Hex,\n  config: KeyDerivationConfig = DEFAULT_KEY_DERIVATION_CONFIG\n): Promise<MasterKeys> {\n  const { poseidon } = await import('../utils/poseidon.js')\n\n  // Create a seed from the signature using keccak256\n  const seed = keccak256(signature)\n\n  // Derive spending secret from seed\n  const spendingSecretHash = keccak256(\n    toHex(new TextEncoder().encode(`${seed}:spending:v${config.version}`))\n  )\n  const spendingSecretRaw = bytesToBigint(hexToBytes(spendingSecretHash))\n  const spendingSecret = spendingSecretRaw % FIELD_PRIME\n\n  // Derive owner hash: Poseidon(spendingSecret)\n  // This replaces BabyJubJub public key derivation\n  const ownerHash = await poseidon([spendingSecret])\n\n  // Derive viewing secret from seed\n  const viewingSecretHash = keccak256(\n    toHex(new TextEncoder().encode(`${seed}:viewing:v${config.version}`))\n  )\n  const viewingSecretRaw = bytesToBigint(hexToBytes(viewingSecretHash))\n  const viewingSecret = viewingSecretRaw % FIELD_PRIME\n\n  // Derive viewing hash: Poseidon(viewingSecret)\n  const viewingHash = await poseidon([viewingSecret])\n\n  return {\n    spendingSecret,\n    ownerHash,\n    viewingSecret,\n    viewingHash,\n  }\n}\n\n/**\n * Get the message to sign for key derivation\n */\nexport function getKeyDerivationMessage(\n  config: KeyDerivationConfig = DEFAULT_KEY_DERIVATION_CONFIG\n): string {\n  return config.message\n}\n\n/**\n * Verify that keys match a given signature\n */\nexport async function verifyKeysMatchSignature(\n  keys: MasterKeys,\n  signature: Hex,\n  config: KeyDerivationConfig = DEFAULT_KEY_DERIVATION_CONFIG\n): Promise<boolean> {\n  const derivedKeys = await deriveKeysFromSignature(signature, config)\n\n  return (\n    keys.spendingSecret === derivedKeys.spendingSecret &&\n    keys.ownerHash === derivedKeys.ownerHash &&\n    keys.viewingSecret === derivedKeys.viewingSecret &&\n    keys.viewingHash === derivedKeys.viewingHash\n  )\n}\n\n/**\n * Derive STARK master keys from a wallet signature (M31/Keccak, post-quantum)\n *\n * Uses domain-separated keccak256 to derive M31 secrets, then keccak_m31\n * for owner/viewing hashes. No elliptic curve operations.\n *\n * @param signature - The wallet signature (same one used for SNARK keys)\n * @param config - Optional key derivation configuration\n * @returns STARK master keys for stealth operations\n */\nexport function deriveStarkKeysFromSignature(\n  signature: Hex,\n  config: KeyDerivationConfig = DEFAULT_KEY_DERIVATION_CONFIG\n): StarkMasterKeys {\n  const seed = keccak256(signature)\n\n  // Derive STARK spending secret: 8 M31 limbs from a single keccak256\n  const starkSpendingHash = keccak256(\n    toHex(new TextEncoder().encode(`${seed}:stark:spending:v${config.version}`))\n  )\n  const starkSecret = splitToM31Limbs(starkSpendingHash)\n  const starkOwnerHash = computeStarkOwnerHash(starkSecret)\n\n  // Derive STARK viewing secret: 8 M31 limbs from a separate keccak256\n  const starkViewingHash = keccak256(\n    toHex(new TextEncoder().encode(`${seed}:stark:viewing:v${config.version}`))\n  )\n  const starkViewingSecret = splitToM31Limbs(starkViewingHash)\n  const starkViewingHashDigest = computeStarkOwnerHash(starkViewingSecret)\n\n  return {\n    starkSecret,\n    starkOwnerHash,\n    starkViewingSecret,\n    starkViewingHash: starkViewingHashDigest,\n  }\n}\n\n/**\n * Derive both SNARK and STARK keys from a single wallet signature.\n *\n * Same seed, domain-separated derivation. Breaking BJJ (quantum) does NOT\n * compromise STARK keys — keccak preimage resistance provides 2^128 quantum security.\n */\nexport async function deriveDualKeysFromSignature(\n  signature: Hex,\n  config: KeyDerivationConfig = DEFAULT_KEY_DERIVATION_CONFIG\n): Promise<DualMasterKeys> {\n  const snark = await deriveKeysFromSignature(signature, config)\n  const stark = deriveStarkKeysFromSignature(signature, config)\n  return { snark, stark }\n}\n\n/**\n * Derive a nullifier key from the spending secret\n *\n * nullifier = Poseidon(nullifierKey, leafIndex, commitment)\n */\nexport async function deriveNullifierKey(spendingSecret: bigint): Promise<bigint> {\n  const { poseidon } = await import('../utils/poseidon.js')\n  return await poseidon([spendingSecret, 0n]) // 0n = nullifier domain\n}\n","/**\n * Per-Transaction Viewing Key Derivation (Post-Quantum, Hash-Based)\n *\n * Implements hierarchical viewing keys using Poseidon hash instead of ECDH.\n *\n * Key Properties:\n * - Per-note decryption key: Poseidon(viewingSecret, nonce)\n * - AES key: keccak256(perNoteKey) for symmetric encryption\n *\n * Derivation:\n *   perNoteKey = Poseidon(viewingSecret, nonce)\n *   aesKey = keccak256(perNoteKey)\n *\n * SECURITY (v4):\n * Audit exports contain per-note decryption keys derived from viewingSecret + nonce.\n * This prevents master key recovery: knowing Poseidon(viewingSecret, nonce) doesn't\n * reveal viewingSecret due to the one-wayness of Poseidon.\n */\n\nimport type { Address, Hex } from 'viem'\nimport { keccak256, toHex } from 'viem'\nimport type {\n  MasterKeys,\n  StarkMasterKeys,\n  TransactionViewingKey,\n  AuditKeyExport,\n} from './types.js'\nimport { keccakM31, type M31Secret } from '../utils/keccak-m31.js'\nimport { bytesToHex } from '../utils/crypto.js'\n\n/**\n * Derive a per-note decryption key from master viewing secret and nonce\n *\n * @param viewingSecret - Master viewing secret\n * @param nonce - Unique per-note nonce\n * @returns Per-note decryption key as hex\n */\nexport async function derivePerNoteKey(\n  viewingSecret: bigint,\n  nonce: bigint\n): Promise<Hex> {\n  const { poseidon } = await import('../utils/poseidon.js')\n  const perNoteKey = await poseidon([viewingSecret, nonce])\n  return toHex(perNoteKey, { size: 32 })\n}\n\n/**\n * Derive per-note key from MasterKeys convenience wrapper\n */\nexport async function derivePerNoteKeyFromKeys(\n  keys: MasterKeys,\n  nonce: bigint\n): Promise<Hex> {\n  return derivePerNoteKey(keys.viewingSecret, nonce)\n}\n\n/**\n * Note reference for audit export\n */\nexport interface NoteReference {\n  /** The Merkle leaf index (for locating the on-chain event) */\n  leafIndex: number\n  /** The nonce used in per-note key derivation */\n  nonce: bigint\n}\n\n/**\n * Export viewing keys for specific notes\n *\n * Creates an export package that can be shared with an auditor.\n * The auditor can use these keys to decrypt the specified notes,\n * but cannot derive keys for other notes.\n *\n * @param keys - Master keys\n * @param signerAddress - The Ethereum address that signed to derive keys\n * @param notes - Array of note references (leafIndex + nonce) to export\n * @returns Audit key export package\n */\nexport async function exportViewingKeysForAudit(\n  keys: MasterKeys,\n  signerAddress: Address,\n  notes: NoteReference[]\n): Promise<AuditKeyExport> {\n  const viewingKeys: TransactionViewingKey[] = []\n\n  for (const note of notes) {\n    // Derive the per-note decryption key\n    const decryptionKey = await derivePerNoteKey(keys.viewingSecret, note.nonce)\n\n    viewingKeys.push({\n      leafIndex: note.leafIndex,\n      nonce: note.nonce,\n      decryptionKey,\n    })\n  }\n\n  return {\n    version: 4,\n    signerAddress,\n    viewingHash: keys.viewingHash,\n    viewingKeys,\n    instructions: `\nThis export contains per-note decryption keys for ${viewingKeys.length} UPP note(s).\n\nTo decrypt a note:\n1. Find the viewingKey entry for the desired leafIndex\n2. Retrieve the encrypted note from the blockchain (Shielded event at that leaf index)\n3. Derive AES key: key = keccak256(decryptionKey)\n4. Decrypt the note ciphertext with AES-GCM\n\nThese per-note keys ONLY allow decryption of the specified notes.\nThey do NOT reveal:\n- The master viewing secret (protected by Poseidon one-wayness)\n- Keys for any other notes\n- The spending secret (cannot spend funds)\n    `.trim(),\n  }\n}\n\n/**\n * Validate an audit key export\n */\nexport function validateAuditKeyExport(\n  exportData: AuditKeyExport\n): { valid: boolean; error?: string } {\n  if (exportData.version !== 4) {\n    return { valid: false, error: `Unsupported version: ${exportData.version}. Expected version 4.` }\n  }\n\n  if (!exportData.signerAddress || !exportData.signerAddress.startsWith('0x')) {\n    return { valid: false, error: 'Invalid signer address' }\n  }\n\n  if (exportData.viewingHash === undefined || exportData.viewingHash === null) {\n    return { valid: false, error: 'Missing viewing hash' }\n  }\n\n  if (!Array.isArray(exportData.viewingKeys) || exportData.viewingKeys.length === 0) {\n    return { valid: false, error: 'No viewing keys in export' }\n  }\n\n  return { valid: true }\n}\n\n/**\n * Look up a decryption key from an audit export by leaf index\n *\n * Returns the per-note decryption key for direct use in AES-GCM decryption.\n * Derive AES key: keccak256(decryptionKey)\n */\nexport function getViewingKeyFromExport(\n  exportData: AuditKeyExport,\n  leafIndex: number\n): Hex | null {\n  const key = exportData.viewingKeys.find(k => k.leafIndex === leafIndex)\n  return key ? key.decryptionKey : null\n}\n\n// =========================================================================\n// STARK Per-Note Viewing Key Derivation (Keccak-based, no elliptic curves)\n// =========================================================================\n\n/**\n * Derive a STARK per-note decryption key from viewing secret and nonce.\n *\n * Uses keccak_m31 instead of Poseidon — purely symmetric, post-quantum safe.\n * The nonce is encoded as a single M31 element appended to the viewing secret.\n *\n * perNoteDigest = keccak_m31(viewingSecret[0..8], nonce)\n * aesKey = keccak256(perNoteDigest_packed_as_16_LE_bytes)\n *\n * @param starkViewingSecret - 8 M31 limbs (the master STARK viewing secret)\n * @param nonce - Per-note nonce (M31 range)\n * @returns 32-byte AES key as hex\n */\nexport function deriveStarkPerNoteKey(\n  starkViewingSecret: M31Secret,\n  nonce: bigint\n): Hex {\n  // keccak_m31(viewingSecret[0..8], nonce) → 4 M31 elements\n  const digest = keccakM31([...starkViewingSecret, nonce])\n\n  // Pack digest as 16 bytes LE for AES key derivation\n  const bytes = new Uint8Array(16)\n  for (let i = 0; i < 4; i++) {\n    const val = Number(digest[i]!)\n    bytes[i * 4] = val & 0xff\n    bytes[i * 4 + 1] = (val >> 8) & 0xff\n    bytes[i * 4 + 2] = (val >> 16) & 0xff\n    bytes[i * 4 + 3] = (val >> 24) & 0xff\n  }\n\n  // Derive 32-byte AES key via keccak256\n  return keccak256(bytesToHex(bytes))\n}\n\n/**\n * Derive STARK per-note key from StarkMasterKeys convenience wrapper\n */\nexport function deriveStarkPerNoteKeyFromKeys(\n  keys: StarkMasterKeys,\n  nonce: bigint\n): Hex {\n  return deriveStarkPerNoteKey(keys.starkViewingSecret, nonce)\n}\n"]}

package/dist/chunk-3HQ7A6ZM.cjs

@@ -0,0 +1,61 @@
+'use strict';
+
+var chunkJWNXBALH_cjs = require('./chunk-JWNXBALH.cjs');
+var chunkG7VZBCD6_cjs = require('./chunk-G7VZBCD6.cjs');
+
+// src/utils/crypto.ts
+function randomBytes(length) {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return bytes;
+}
+function randomFieldElement() {
+  const bytes = randomBytes(32);
+  let value = 0n;
+  for (let i = 0; i < bytes.length; i++) {
+    value = (value << 8n) + BigInt(bytes[i]);
+  }
+  return value % chunkJWNXBALH_cjs.FIELD_PRIME;
+}
+function bytesToHex(bytes) {
+  return `0x${Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("")}`;
+}
+function hexToBytes(hex) {
+  const str = hex.slice(2);
+  const bytes = new Uint8Array(str.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(str.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+function bigintToBytes(value, length) {
+  const bytes = new Uint8Array(length);
+  let temp = value;
+  for (let i = length - 1; i >= 0; i--) {
+    bytes[i] = Number(temp & 0xffn);
+    temp >>= 8n;
+  }
+  return bytes;
+}
+function bytesToBigint(bytes) {
+  let value = 0n;
+  for (let i = 0; i < bytes.length; i++) {
+    value = (value << 8n) + BigInt(bytes[i]);
+  }
+  return value;
+}
+var init_crypto = chunkG7VZBCD6_cjs.__esm({
+  "src/utils/crypto.ts"() {
+    chunkJWNXBALH_cjs.init_poseidon();
+  }
+});
+
+exports.bigintToBytes = bigintToBytes;
+exports.bytesToBigint = bytesToBigint;
+exports.bytesToHex = bytesToHex;
+exports.hexToBytes = hexToBytes;
+exports.init_crypto = init_crypto;
+exports.randomBytes = randomBytes;
+exports.randomFieldElement = randomFieldElement;
+//# sourceMappingURL=chunk-3HQ7A6ZM.cjs.map
+//# sourceMappingURL=chunk-3HQ7A6ZM.cjs.map

package/dist/chunk-3HQ7A6ZM.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/utils/crypto.ts"],"names":["FIELD_PRIME","__esm","init_poseidon"],"mappings":";;;;;;AAWO,SAAS,YAAY,MAAA,EAA4B;AACtD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,MAAA,CAAO,gBAAgB,KAAK,CAAA;AAC5B,EAAA,OAAO,KAAA;AACT;AAOO,SAAS,kBAAA,GAA6B;AAE3C,EAAA,MAAM,KAAA,GAAQ,YAAY,EAAE,CAAA;AAG5B,EAAA,IAAI,KAAA,GAAQ,EAAA;AACZ,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,KAAA,GAAA,CAAS,KAAA,IAAS,EAAA,IAAM,MAAA,CAAO,KAAA,CAAM,CAAC,CAAE,CAAA;AAAA,EAC1C;AAGA,EAAA,OAAO,KAAA,GAAQA,6BAAA;AACjB;AAKO,SAAS,WAAW,KAAA,EAAkC;AAC3D,EAAA,OAAO,KAAK,KAAA,CAAM,IAAA,CAAK,KAAK,CAAA,CACzB,GAAA,CAAI,OAAK,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CACxC,IAAA,CAAK,EAAE,CAAC,CAAA,CAAA;AACb;AAKO,SAAS,WAAW,GAAA,EAAgC;AACzD,EAAA,MAAM,GAAA,GAAM,GAAA,CAAI,KAAA,CAAM,CAAC,CAAA;AACvB,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,GAAA,CAAI,SAAS,CAAC,CAAA;AAC3C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,QAAA,CAAS,GAAA,CAAI,KAAA,CAAM,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,GAAI,CAAC,CAAA,EAAG,EAAE,CAAA;AAAA,EACrD;AACA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,aAAA,CAAc,OAAe,MAAA,EAA4B;AACvE,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,IAAI,IAAA,GAAO,KAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,MAAA,GAAS,CAAA,EAAG,CAAA,IAAK,GAAG,CAAA,EAAA,EAAK;AACpC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,IAAA,GAAO,KAAK,CAAA;AAC9B,IAAA,IAAA,KAAS,EAAA;AAAA,EACX;AACA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,cAAc,KAAA,EAA2B;AACvD,EAAA,IAAI,KAAA,GAAQ,EAAA;AACZ,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,KAAA,GAAA,CAAS,KAAA,IAAS,EAAA,IAAM,MAAA,CAAO,KAAA,CAAM,CAAC,CAAE,CAAA;AAAA,EAC1C;AACA,EAAA,OAAO,KAAA;AACT;AA/EA,IAAA,WAAA,GAAAC,uBAAA,CAAA;AAAA,EAAA,qBAAA,GAAA;AAMA,IAAAC,+BAAA,EAAA;AAAA,EAAA;AAAA,CAAA","file":"chunk-3HQ7A6ZM.cjs","sourcesContent":["/**\n * Cryptographic Utilities\n *\n * Secure random number generation and field arithmetic.\n */\n\nimport { FIELD_PRIME } from './poseidon.js'\n\n/**\n * Generate cryptographically secure random bytes\n */\nexport function randomBytes(length: number): Uint8Array {\n  const bytes = new Uint8Array(length)\n  crypto.getRandomValues(bytes)\n  return bytes\n}\n\n/**\n * Generate a random field element (for blinding factors, etc.)\n *\n * Returns a value in range [0, FIELD_PRIME)\n */\nexport function randomFieldElement(): bigint {\n  // Generate 32 bytes of randomness\n  const bytes = randomBytes(32)\n\n  // Convert to bigint\n  let value = 0n\n  for (let i = 0; i < bytes.length; i++) {\n    value = (value << 8n) + BigInt(bytes[i]!)\n  }\n\n  // Reduce modulo field prime\n  return value % FIELD_PRIME\n}\n\n/**\n * Convert bytes to hex string\n */\nexport function bytesToHex(bytes: Uint8Array): `0x${string}` {\n  return `0x${Array.from(bytes)\n    .map(b => b.toString(16).padStart(2, '0'))\n    .join('')}`\n}\n\n/**\n * Convert hex string to bytes\n */\nexport function hexToBytes(hex: `0x${string}`): Uint8Array {\n  const str = hex.slice(2)\n  const bytes = new Uint8Array(str.length / 2)\n  for (let i = 0; i < bytes.length; i++) {\n    bytes[i] = parseInt(str.slice(i * 2, i * 2 + 2), 16)\n  }\n  return bytes\n}\n\n/**\n * Convert bigint to bytes (big-endian)\n */\nexport function bigintToBytes(value: bigint, length: number): Uint8Array {\n  const bytes = new Uint8Array(length)\n  let temp = value\n  for (let i = length - 1; i >= 0; i--) {\n    bytes[i] = Number(temp & 0xffn)\n    temp >>= 8n\n  }\n  return bytes\n}\n\n/**\n * Convert bytes to bigint (big-endian)\n */\nexport function bytesToBigint(bytes: Uint8Array): bigint {\n  let value = 0n\n  for (let i = 0; i < bytes.length; i++) {\n    value = (value << 8n) + BigInt(bytes[i]!)\n  }\n  return value\n}\n\n/**\n * Modular exponentiation: base^exp mod modulus\n */\nexport function modPow(base: bigint, exp: bigint, modulus: bigint): bigint {\n  let result = 1n\n  base = base % modulus\n\n  while (exp > 0n) {\n    if (exp % 2n === 1n) {\n      result = (result * base) % modulus\n    }\n    exp = exp >> 1n\n    base = (base * base) % modulus\n  }\n\n  return result\n}\n\n/**\n * Modular inverse using extended Euclidean algorithm\n */\nexport function modInverse(a: bigint, modulus: bigint): bigint {\n  let [oldR, r] = [a, modulus]\n  let [oldS, s] = [1n, 0n]\n\n  while (r !== 0n) {\n    const quotient = oldR / r\n    ;[oldR, r] = [r, oldR - quotient * r]\n    ;[oldS, s] = [s, oldS - quotient * s]\n  }\n\n  if (oldR !== 1n) {\n    throw new Error('Modular inverse does not exist')\n  }\n\n  return ((oldS % modulus) + modulus) % modulus\n}\n"]}