@prism-ing/wallet 0.1.0

package/dist/schemas.js

@@ -0,0 +1,76 @@
+/**
+ * Zod schemas for @prism-ing/wallet input validation.
+ *
+ * @remarks
+ * External data enters the system exactly once, through these schemas.
+ * After parsing, the inferred types are trusted everywhere downstream.
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+// ---------------------------------------------------------------------------
+// Primitives
+// ---------------------------------------------------------------------------
+/** Schema for an EVM address (0x-prefixed, 40 hex chars). */
+export const AddressSchema = z
+    .string()
+    .regex(/^0x[a-fA-F0-9]{40}$/, 'Invalid EVM address');
+/** Schema for a Solana public key (base58, 32-44 chars). */
+export const SolanaPublicKeySchema = z
+    .string()
+    .regex(/^[1-9A-HJ-NP-Za-km-z]{32,44}$/, 'Invalid Solana public key');
+/** Schema for a positive bigint amount. */
+export const PositiveBigIntSchema = z
+    .bigint()
+    .refine((n) => n > 0n, 'Amount must be positive');
+/** Schema for basis points (0-10000). */
+export const BpsSchema = z
+    .number()
+    .int()
+    .min(0)
+    .max(10_000);
+// ---------------------------------------------------------------------------
+// Wallet Config
+// ---------------------------------------------------------------------------
+export const SignerConfigSchema = z.object({
+    walletName: z.string().min(1, 'Wallet name is required'),
+    passphrase: z.string().optional(),
+    apiKey: z.string().optional(),
+    vaultPath: z.string().optional(),
+});
+export const RecoveryConfigSchema = z.object({
+    evm: z
+        .object({
+        guardians: z.array(AddressSchema).min(1),
+        threshold: z.number().int().min(1),
+    })
+        .optional(),
+});
+export const AccountTypeSchema = z.literal('kernel-v3.1-ecdsa');
+export const WalletConfigSchema = z.object({
+    signer: SignerConfigSchema,
+    oneBalanceApiKey: z.string().min(1, 'OneBalance API key is required'),
+    accountType: AccountTypeSchema.optional().default('kernel-v3.1-ecdsa'),
+    chains: z.array(z.number().int().positive()).optional(),
+    recovery: RecoveryConfigSchema.optional(),
+});
+// ---------------------------------------------------------------------------
+// Deposit
+// ---------------------------------------------------------------------------
+export const DepositParamsSchema = z.object({
+    token: AddressSchema,
+    amount: PositiveBigIntSchema,
+    chainId: z.number().int().positive(),
+});
+// ---------------------------------------------------------------------------
+// Cross-Chain Swap
+// ---------------------------------------------------------------------------
+export const CrossChainSwapParamsSchema = z.object({
+    tokenIn: AddressSchema,
+    chainIn: z.number().int().positive(),
+    tokenOut: AddressSchema,
+    chainOut: z.number().int().positive(),
+    amount: PositiveBigIntSchema,
+    slippageBps: BpsSchema.optional().default(50),
+});
+//# sourceMappingURL=schemas.js.map

package/dist/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,6DAA6D;AAC7D,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC;KAC3B,MAAM,EAAE;KACR,KAAK,CACJ,qBAAqB,EACrB,qBAAqB,CACW,CAAC;AAErC,4DAA4D;AAC5D,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC;KACnC,MAAM,EAAE;KACR,KAAK,CAAC,+BAA+B,EAAE,2BAA2B,CAAC,CAAC;AAEvE,2CAA2C;AAC3C,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC;KAClC,MAAM,EAAE;KACR,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,EAAE,yBAAyB,CAAC,CAAC;AAEpD,yCAAyC;AACzC,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC;KACvB,MAAM,EAAE;KACR,GAAG,EAAE;KACL,GAAG,CAAC,CAAC,CAAC;KACN,GAAG,CAAC,MAAM,CAAC,CAAC;AAEf,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,yBAAyB,CAAC;IACxD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACjC,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,CAAC;SACH,MAAM,CAAC;QACN,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACxC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;KACnC,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;AAEhE,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,MAAM,EAAE,kBAAkB;IAC1B,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,gCAAgC,CAAC;IACrE,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC;IACtE,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE;IACvD,QAAQ,EAAE,oBAAoB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC;AAEH,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,KAAK,EAAE,aAAa;IACpB,MAAM,EAAE,oBAAoB;IAC5B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC;AAEH,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,OAAO,EAAE,aAAa;IACtB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,QAAQ,EAAE,aAAa;IACvB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACrC,MAAM,EAAE,oBAAoB;IAC5B,WAAW,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;CAC9C,CAAC,CAAC"}

package/dist/session-keys.d.ts

@@ -0,0 +1,53 @@
+import type { PrismSigner, SessionKeyHandle, SessionKeyManager, SessionKeyBackend, SpendPersistence } from './types.js';
+import type { WalletError } from './errors.js';
+/**
+ * Create a session key manager for the given root signer.
+ *
+ * @remarks
+ * The root signer is used as the underlying signing implementation.
+ * Session keys wrap it with policy enforcement — the root key's
+ * signing capability is gated by the session's constraints.
+ *
+ * If a {@link SessionKeyBackend} is provided, session keys are also
+ * registered on-chain via ZeroDev permission validators, providing
+ * contract-level enforcement in addition to client-side checks.
+ *
+ * @param rootSigner - The root PrismSigner to wrap.
+ * @param backend - Optional on-chain session key backend.
+ * @param persistence - Optional spend persistence adapter. Required when
+ *   `maxTotalAmount` is set without a backend, to ensure cumulative caps
+ *   survive process restarts.
+ * @returns A {@link SessionKeyManager} for creating and managing sessions.
+ */
+export declare function createSessionKeyManager(rootSigner: PrismSigner, backend?: SessionKeyBackend, persistence?: SpendPersistence): SessionKeyManager;
+/**
+ * Record a spend against a session key's cumulative total.
+ *
+ * @remarks
+ * Call this after a successful cross-chain execution to track
+ * cumulative spend against the session's {@link SessionKeyPolicy.maxTotalAmount}.
+ *
+ * @param manager - The session key manager.
+ * @param sessionId - The session key ID.
+ * @param amount - The amount spent (smallest unit, as string).
+ * @returns A WalletError if the spend would violate policy, undefined if ok.
+ */
+export declare function recordSessionSpend(manager: SessionKeyManager, sessionId: string, amount: string): WalletError | undefined;
+/**
+ * Validate an operation against a session key's policy before execution.
+ *
+ * @remarks
+ * Use this to pre-check whether a cross-chain operation would be allowed
+ * by the session key's policy. Call before `executeCrossChain` to fail fast.
+ *
+ * @param session - The session key handle.
+ * @param params - Operation parameters to validate.
+ * @returns A WalletError if the operation violates policy, undefined if allowed.
+ */
+export declare function validateSessionOperation(session: SessionKeyHandle, params: {
+    readonly asset?: string;
+    readonly amount?: string;
+    readonly recipient?: string;
+    readonly chainId?: number;
+}): WalletError | undefined;
+//# sourceMappingURL=session-keys.d.ts.map

package/dist/session-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-keys.d.ts","sourceRoot":"","sources":["../src/session-keys.ts"],"names":[],"mappings":"AAsCA,OAAO,KAAK,EACV,WAAW,EAGX,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AA4I/C;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,WAAW,EACvB,OAAO,CAAC,EAAE,iBAAiB,EAC3B,WAAW,CAAC,EAAE,gBAAgB,GAC7B,iBAAiB,CAkInB;AAMD;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,WAAW,GAAG,SAAS,CAqCzB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,gBAAgB,EACzB,MAAM,EAAE;IACN,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B,GACA,WAAW,GAAG,SAAS,CA6EzB"}

package/dist/session-keys.js

@@ -0,0 +1,345 @@
+/**
+ * Session key manager — scoped, ephemeral signers with policy enforcement.
+ *
+ * @remarks
+ * Session keys wrap the root {@link PrismSigner} and enforce policy constraints
+ * (asset whitelist, amount caps, expiration, recipient restrictions) before
+ * delegating to the underlying signer. This limits blast radius if an agent
+ * process is compromised — the session key can only do what the policy allows.
+ *
+ * On-chain enforcement is optional via {@link SessionKeyBackend} (ZeroDev
+ * permission validators). Even without on-chain support, client-side policy
+ * enforcement provides defense-in-depth for agent workflows.
+ *
+ * @example
+ * ```ts
+ * import { createSessionKeyManager } from '@prism-ing/wallet';
+ *
+ * const manager = createSessionKeyManager(rootSigner);
+ *
+ * const session = manager.createSessionKey({
+ *   expiresAt: Math.floor(Date.now() / 1000) + 3600, // 1 hour
+ *   allowedAssets: ['ob:usdc'],
+ *   maxAmountPerOp: '1000000000',  // 1000 USDC (6 decimals)
+ *   maxTotalAmount: '5000000000',  // 5000 USDC cumulative
+ *   allowedChains: [8453, 42161],  // Base + Arbitrum only
+ * });
+ *
+ * // Use session.signer wherever PrismSigner is accepted
+ * const result = await executeCrossChain(client, session.signer, params, accounts);
+ *
+ * // Revoke when done
+ * manager.revokeSessionKey(session.sessionId);
+ * ```
+ *
+ * @packageDocumentation
+ */
+import { randomBytes, bytesToHex } from '@noble/hashes/utils';
+import { walletErrors } from './errors.js';
+/**
+ * Module-level registry for session state. Allows `recordSessionSpend` to
+ * mutate internal state without exposing it on the public interface.
+ * @internal
+ */
+const stateRegistry = new WeakMap();
+// ---------------------------------------------------------------------------
+// Policy Enforcement
+// ---------------------------------------------------------------------------
+/**
+ * Validate an operation against a session key policy.
+ * Returns a WalletError if the policy is violated, undefined if ok.
+ *
+ * @internal
+ */
+function checkPolicy(sessionId, policy, state, asset, amount, recipient, chainId) {
+    // Check revocation
+    if (state.revoked) {
+        return walletErrors.sessionKeyExpired(sessionId, 0);
+    }
+    // Check expiration
+    const nowSec = Math.floor(Date.now() / 1000);
+    if (nowSec >= policy.expiresAt) {
+        return walletErrors.sessionKeyExpired(sessionId, policy.expiresAt);
+    }
+    // Check allowed assets
+    if (asset !== undefined &&
+        policy.allowedAssets !== undefined &&
+        policy.allowedAssets.length > 0 &&
+        !policy.allowedAssets.includes(asset)) {
+        return walletErrors.sessionKeyPolicyViolation(sessionId, `Asset "${asset}" not in allowed list: [${policy.allowedAssets.join(', ')}]`);
+    }
+    // Check per-operation amount cap
+    if (amount !== undefined && policy.maxAmountPerOp !== undefined) {
+        const opAmount = BigInt(amount);
+        const maxPerOp = BigInt(policy.maxAmountPerOp);
+        if (opAmount > maxPerOp) {
+            return walletErrors.sessionKeyPolicyViolation(sessionId, `Amount ${amount} exceeds per-operation cap ${policy.maxAmountPerOp}`);
+        }
+    }
+    // Check cumulative total
+    if (amount !== undefined && policy.maxTotalAmount !== undefined) {
+        const opAmount = BigInt(amount);
+        const maxTotal = BigInt(policy.maxTotalAmount);
+        if (state.totalSpent + opAmount > maxTotal) {
+            return walletErrors.sessionKeyPolicyViolation(sessionId, `Cumulative spend ${String(state.totalSpent + opAmount)} would exceed total cap ${policy.maxTotalAmount}`);
+        }
+    }
+    // Check allowed recipients (case-insensitive for EVM addresses)
+    if (recipient !== undefined &&
+        policy.allowedRecipients !== undefined &&
+        policy.allowedRecipients.length > 0) {
+        const recipientLower = recipient.toLowerCase();
+        const allowed = policy.allowedRecipients.some((r) => r.toLowerCase() === recipientLower);
+        if (!allowed) {
+            return walletErrors.sessionKeyPolicyViolation(sessionId, `Recipient "${recipient}" not in allowed list`);
+        }
+    }
+    // Check allowed chains
+    if (chainId !== undefined &&
+        policy.allowedChains !== undefined &&
+        policy.allowedChains.length > 0 &&
+        !policy.allowedChains.includes(chainId)) {
+        return walletErrors.sessionKeyPolicyViolation(sessionId, `Chain ${chainId} not in allowed list: [${policy.allowedChains.join(', ')}]`);
+    }
+    return undefined;
+}
+/**
+ * Extract chain ID from EIP-712 typed data domain if present.
+ * @internal
+ */
+function extractChainId(payload) {
+    const chainId = payload.domain.chainId;
+    if (typeof chainId === 'number')
+        return chainId;
+    if (typeof chainId === 'string')
+        return parseInt(chainId, 10) || undefined;
+    return undefined;
+}
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+/**
+ * Create a session key manager for the given root signer.
+ *
+ * @remarks
+ * The root signer is used as the underlying signing implementation.
+ * Session keys wrap it with policy enforcement — the root key's
+ * signing capability is gated by the session's constraints.
+ *
+ * If a {@link SessionKeyBackend} is provided, session keys are also
+ * registered on-chain via ZeroDev permission validators, providing
+ * contract-level enforcement in addition to client-side checks.
+ *
+ * @param rootSigner - The root PrismSigner to wrap.
+ * @param backend - Optional on-chain session key backend.
+ * @param persistence - Optional spend persistence adapter. Required when
+ *   `maxTotalAmount` is set without a backend, to ensure cumulative caps
+ *   survive process restarts.
+ * @returns A {@link SessionKeyManager} for creating and managing sessions.
+ */
+export function createSessionKeyManager(rootSigner, backend, persistence) {
+    const sessions = new Map();
+    // Register in module-level registry so recordSessionSpend can access state
+    // (set after manager is created, below)
+    const manager = {
+        createSessionKey(policy) {
+            // Enforce: if maxTotalAmount is set, require persistence or on-chain backend
+            if (policy.maxTotalAmount !== undefined &&
+                backend === undefined &&
+                persistence === undefined) {
+                throw new Error('maxTotalAmount requires either a SessionKeyBackend (on-chain enforcement) ' +
+                    'or SpendPersistence adapter. Without enforcement, cumulative spend caps ' +
+                    'reset on process restart. Remove maxTotalAmount or provide an enforcement backend.');
+            }
+            const sessionId = bytesToHex(randomBytes(16));
+            const state = { totalSpent: 0n, revoked: false };
+            const sessionSigner = {
+                evmAddress: rootSigner.evmAddress,
+                solanaAddress: rootSigner.solanaAddress,
+                async signMessage(message) {
+                    const violation = checkPolicy(sessionId, policy, state);
+                    if (violation !== undefined) {
+                        throw new Error(`Session key error: ${violation.code}`);
+                    }
+                    return rootSigner.signMessage(message);
+                },
+                async signTypedData(payload) {
+                    const chainId = extractChainId(payload);
+                    const violation = checkPolicy(sessionId, policy, state, undefined, undefined, undefined, chainId);
+                    if (violation !== undefined) {
+                        throw new Error(`Session key error: ${violation.code}`);
+                    }
+                    return rootSigner.signTypedData(payload);
+                },
+                async signTransaction(tx) {
+                    const violation = checkPolicy(sessionId, policy, state);
+                    if (violation !== undefined) {
+                        throw new Error(`Session key error: ${violation.code}`);
+                    }
+                    return rootSigner.signTransaction(tx);
+                },
+            };
+            // Start on-chain registration (non-blocking, but awaitable)
+            const onChainRegistration = backend !== undefined
+                ? backend.registerSessionKey(rootSigner.evmAddress, policy)
+                : undefined;
+            // Load persisted spend state if persistence is available
+            const initialized = persistence !== undefined
+                ? persistence.load(sessionId).then((loaded) => { state.totalSpent = loaded; })
+                : undefined;
+            const handle = {
+                sessionId,
+                signer: sessionSigner,
+                policy,
+                get totalSpent() {
+                    return String(state.totalSpent);
+                },
+                get isActive() {
+                    if (state.revoked)
+                        return false;
+                    const nowSec = Math.floor(Date.now() / 1000);
+                    return nowSec < policy.expiresAt;
+                },
+                onChainRegistration,
+                ...(initialized !== undefined ? { initialized } : {}),
+            };
+            sessions.set(sessionId, { handle, state });
+            return handle;
+        },
+        revokeSessionKey(sessionId) {
+            const entry = sessions.get(sessionId);
+            if (entry === undefined)
+                return false;
+            entry.state.revoked = true;
+            sessions.delete(sessionId);
+            // Fire-and-forget on-chain revocation if backend provided
+            if (backend !== undefined) {
+                void backend.revokeSessionKey(rootSigner.evmAddress);
+            }
+            return true;
+        },
+        getActiveSessions() {
+            const active = [];
+            for (const entry of sessions.values()) {
+                if (entry.handle.isActive) {
+                    active.push(entry.handle);
+                }
+            }
+            return active;
+        },
+        getSession(sessionId) {
+            const entry = sessions.get(sessionId);
+            if (entry === undefined)
+                return undefined;
+            return entry.handle;
+        },
+    };
+    const registry = persistence !== undefined
+        ? { sessions, persistence }
+        : { sessions };
+    stateRegistry.set(manager, registry);
+    return manager;
+}
+// ---------------------------------------------------------------------------
+// Session-Aware Cross-Chain Execution
+// ---------------------------------------------------------------------------
+/**
+ * Record a spend against a session key's cumulative total.
+ *
+ * @remarks
+ * Call this after a successful cross-chain execution to track
+ * cumulative spend against the session's {@link SessionKeyPolicy.maxTotalAmount}.
+ *
+ * @param manager - The session key manager.
+ * @param sessionId - The session key ID.
+ * @param amount - The amount spent (smallest unit, as string).
+ * @returns A WalletError if the spend would violate policy, undefined if ok.
+ */
+export function recordSessionSpend(manager, sessionId, amount) {
+    const registry = stateRegistry.get(manager);
+    if (registry === undefined) {
+        return walletErrors.sessionKeyExpired(sessionId, 0);
+    }
+    const entry = registry.sessions.get(sessionId);
+    if (entry === undefined) {
+        return walletErrors.sessionKeyExpired(sessionId, 0);
+    }
+    if (!entry.handle.isActive) {
+        return walletErrors.sessionKeyExpired(sessionId, entry.handle.policy.expiresAt);
+    }
+    const opAmount = BigInt(amount);
+    // Check cumulative total before recording
+    if (entry.handle.policy.maxTotalAmount !== undefined) {
+        const totalAfter = entry.state.totalSpent + opAmount;
+        if (totalAfter > BigInt(entry.handle.policy.maxTotalAmount)) {
+            return walletErrors.sessionKeyPolicyViolation(sessionId, `Cumulative spend ${String(totalAfter)} would exceed total cap ${entry.handle.policy.maxTotalAmount}`);
+        }
+    }
+    // Actually increment the spend counter
+    entry.state.totalSpent += opAmount;
+    // Persist if adapter available (fire-and-forget)
+    if (registry.persistence !== undefined) {
+        void registry.persistence.save(sessionId, entry.state.totalSpent);
+    }
+    return undefined;
+}
+/**
+ * Validate an operation against a session key's policy before execution.
+ *
+ * @remarks
+ * Use this to pre-check whether a cross-chain operation would be allowed
+ * by the session key's policy. Call before `executeCrossChain` to fail fast.
+ *
+ * @param session - The session key handle.
+ * @param params - Operation parameters to validate.
+ * @returns A WalletError if the operation violates policy, undefined if allowed.
+ */
+export function validateSessionOperation(session, params) {
+    if (!session.isActive) {
+        return walletErrors.sessionKeyExpired(session.sessionId, session.policy.expiresAt);
+    }
+    // Check expiration
+    const nowSec = Math.floor(Date.now() / 1000);
+    if (nowSec >= session.policy.expiresAt) {
+        return walletErrors.sessionKeyExpired(session.sessionId, session.policy.expiresAt);
+    }
+    // Check allowed assets
+    if (params.asset !== undefined &&
+        session.policy.allowedAssets !== undefined &&
+        session.policy.allowedAssets.length > 0 &&
+        !session.policy.allowedAssets.includes(params.asset)) {
+        return walletErrors.sessionKeyPolicyViolation(session.sessionId, `Asset "${params.asset}" not in allowed list: [${session.policy.allowedAssets.join(', ')}]`);
+    }
+    // Check per-operation amount cap
+    if (params.amount !== undefined && session.policy.maxAmountPerOp !== undefined) {
+        if (BigInt(params.amount) > BigInt(session.policy.maxAmountPerOp)) {
+            return walletErrors.sessionKeyPolicyViolation(session.sessionId, `Amount ${params.amount} exceeds per-operation cap ${session.policy.maxAmountPerOp}`);
+        }
+    }
+    // Check cumulative total
+    if (params.amount !== undefined && session.policy.maxTotalAmount !== undefined) {
+        const totalAfter = BigInt(session.totalSpent) + BigInt(params.amount);
+        if (totalAfter > BigInt(session.policy.maxTotalAmount)) {
+            return walletErrors.sessionKeyPolicyViolation(session.sessionId, `Cumulative spend ${String(totalAfter)} would exceed total cap ${session.policy.maxTotalAmount}`);
+        }
+    }
+    // Check allowed recipients (case-insensitive for EVM addresses)
+    if (params.recipient !== undefined &&
+        session.policy.allowedRecipients !== undefined &&
+        session.policy.allowedRecipients.length > 0) {
+        const recipientLower = params.recipient.toLowerCase();
+        const allowed = session.policy.allowedRecipients.some((r) => r.toLowerCase() === recipientLower);
+        if (!allowed) {
+            return walletErrors.sessionKeyPolicyViolation(session.sessionId, `Recipient "${params.recipient}" not in allowed list`);
+        }
+    }
+    // Check allowed chains
+    if (params.chainId !== undefined &&
+        session.policy.allowedChains !== undefined &&
+        session.policy.allowedChains.length > 0 &&
+        !session.policy.allowedChains.includes(params.chainId)) {
+        return walletErrors.sessionKeyPolicyViolation(session.sessionId, `Chain ${params.chainId} not in allowed list: [${session.policy.allowedChains.join(', ')}]`);
+    }
+    return undefined;
+}
+//# sourceMappingURL=session-keys.js.map

package/dist/session-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-keys.js","sourceRoot":"","sources":["../src/session-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAY9D,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAgB3C;;;;GAIG;AACH,MAAM,aAAa,GAAG,IAAI,OAAO,EAAsC,CAAC;AAExE,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,WAAW,CAClB,SAAiB,EACjB,MAAwB,EACxB,KAA0B,EAC1B,KAAc,EACd,MAAe,EACf,SAAkB,EAClB,OAAgB;IAEhB,mBAAmB;IACnB,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,OAAO,YAAY,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,mBAAmB;IACnB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAC/B,OAAO,YAAY,CAAC,iBAAiB,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACrE,CAAC;IAED,uBAAuB;IACvB,IACE,KAAK,KAAK,SAAS;QACnB,MAAM,CAAC,aAAa,KAAK,SAAS;QAClC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;QAC/B,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,EACrC,CAAC;QACD,OAAO,YAAY,CAAC,yBAAyB,CAC3C,SAAS,EACT,UAAU,KAAK,2BAA2B,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC7E,CAAC;IACJ,CAAC;IAED,iCAAiC;IACjC,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QAChE,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC/C,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,yBAAyB,CAC3C,SAAS,EACT,UAAU,MAAM,8BAA8B,MAAM,CAAC,cAAc,EAAE,CACtE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QAChE,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC/C,IAAI,KAAK,CAAC,UAAU,GAAG,QAAQ,GAAG,QAAQ,EAAE,CAAC;YAC3C,OAAO,YAAY,CAAC,yBAAyB,CAC3C,SAAS,EACT,oBAAoB,MAAM,CAAC,KAAK,CAAC,UAAU,GAAG,QAAQ,CAAC,2BAA2B,MAAM,CAAC,cAAc,EAAE,CAC1G,CAAC;QACJ,CAAC;IACH,CAAC;IAED,gEAAgE;IAChE,IACE,SAAS,KAAK,SAAS;QACvB,MAAM,CAAC,iBAAiB,KAAK,SAAS;QACtC,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EACnC,CAAC;QACD,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAC3C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,cAAc,CAC1C,CAAC;QACF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,YAAY,CAAC,yBAAyB,CAC3C,SAAS,EACT,cAAc,SAAS,uBAAuB,CAC/C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IACE,OAAO,KAAK,SAAS;QACrB,MAAM,CAAC,aAAa,KAAK,SAAS;QAClC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;QAC/B,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,EACvC,CAAC;QACD,OAAO,YAAY,CAAC,yBAAyB,CAC3C,SAAS,EACT,SAAS,OAAO,0BAA0B,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC7E,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,OAAyB;IAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;IACvC,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,OAAO,CAAC;IAChD,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,SAAS,CAAC;IAC3E,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,uBAAuB,CACrC,UAAuB,EACvB,OAA2B,EAC3B,WAA8B;IAE9B,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAoE,CAAC;IAE7F,2EAA2E;IAC3E,wCAAwC;IAExC,MAAM,OAAO,GAAsB;QACjC,gBAAgB,CAAC,MAAwB;YACvC,6EAA6E;YAC7E,IACE,MAAM,CAAC,cAAc,KAAK,SAAS;gBACnC,OAAO,KAAK,SAAS;gBACrB,WAAW,KAAK,SAAS,EACzB,CAAC;gBACD,MAAM,IAAI,KAAK,CACb,4EAA4E;oBAC5E,0EAA0E;oBAC1E,oFAAoF,CACrF,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9C,MAAM,KAAK,GAAwB,EAAE,UAAU,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;YAEtE,MAAM,aAAa,GAAgB;gBACjC,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,aAAa,EAAE,UAAU,CAAC,aAAa;gBAEvC,KAAK,CAAC,WAAW,CAAC,OAAY;oBAC5B,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;oBACxD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;wBAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC1D,CAAC;oBACD,OAAO,UAAU,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;gBACzC,CAAC;gBAED,KAAK,CAAC,aAAa,CAAC,OAAyB;oBAC3C,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;oBACxC,MAAM,SAAS,GAAG,WAAW,CAC3B,SAAS,EACT,MAAM,EACN,KAAK,EACL,SAAS,EACT,SAAS,EACT,SAAS,EACT,OAAO,CACR,CAAC;oBACF,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;wBAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC1D,CAAC;oBACD,OAAO,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;gBAC3C,CAAC;gBAED,KAAK,CAAC,eAAe,CAAI,EAAK;oBAC5B,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;oBACxD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;wBAC5B,MAAM,IAAI,KAAK,CAAC,sBAAsB,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;oBAC1D,CAAC;oBACD,OAAO,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;gBACxC,CAAC;aACF,CAAC;YAEF,4DAA4D;YAC5D,MAAM,mBAAmB,GAAG,OAAO,KAAK,SAAS;gBAC/C,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC;gBAC3D,CAAC,CAAC,SAAS,CAAC;YAEd,yDAAyD;YACzD,MAAM,WAAW,GAAG,WAAW,KAAK,SAAS;gBAC3C,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,GAAG,KAAK,CAAC,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBAC9E,CAAC,CAAC,SAAS,CAAC;YAEd,MAAM,MAAM,GAAqB;gBAC/B,SAAS;gBACT,MAAM,EAAE,aAAa;gBACrB,MAAM;gBACN,IAAI,UAAU;oBACZ,OAAO,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;gBAClC,CAAC;gBACD,IAAI,QAAQ;oBACV,IAAI,KAAK,CAAC,OAAO;wBAAE,OAAO,KAAK,CAAC;oBAChC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;oBAC7C,OAAO,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC;gBACnC,CAAC;gBACD,mBAAmB;gBACnB,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACtD,CAAC;YAEF,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YAE3C,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,gBAAgB,CAAC,SAAiB;YAChC,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACtC,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAC;YAEtC,KAAK,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;YAC3B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAE3B,0DAA0D;YAC1D,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;gBAC1B,KAAK,OAAO,CAAC,gBAAgB,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;YACvD,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC;QAED,iBAAiB;YACf,MAAM,MAAM,GAAuB,EAAE,CAAC;YACtC,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;gBACtC,IAAI,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC1B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,UAAU,CAAC,SAAiB;YAC1B,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACtC,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,SAAS,CAAC;YAC1C,OAAO,KAAK,CAAC,MAAM,CAAC;QACtB,CAAC;KACF,CAAC;IAEF,MAAM,QAAQ,GAAoB,WAAW,KAAK,SAAS;QACzD,CAAC,CAAC,EAAE,QAAQ,EAAE,WAAW,EAAE;QAC3B,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC;IACjB,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAA0B,EAC1B,SAAiB,EACjB,MAAc;IAEd,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO,YAAY,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,YAAY,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC3B,OAAO,YAAY,CAAC,iBAAiB,CAAC,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAEhC,0CAA0C;IAC1C,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QACrD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,UAAU,GAAG,QAAQ,CAAC;QACrD,IAAI,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;YAC5D,OAAO,YAAY,CAAC,yBAAyB,CAC3C,SAAS,EACT,oBAAoB,MAAM,CAAC,UAAU,CAAC,2BAA2B,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,CACtG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,KAAK,CAAC,KAAK,CAAC,UAAU,IAAI,QAAQ,CAAC;IAEnC,iDAAiD;IACjD,IAAI,QAAQ,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;QACvC,KAAK,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,wBAAwB,CACtC,OAAyB,EACzB,MAKC;IAED,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACtB,OAAO,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrF,CAAC;IAED,mBAAmB;IACnB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACvC,OAAO,YAAY,CAAC,iBAAiB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrF,CAAC;IAED,uBAAuB;IACvB,IACE,MAAM,CAAC,KAAK,KAAK,SAAS;QAC1B,OAAO,CAAC,MAAM,CAAC,aAAa,KAAK,SAAS;QAC1C,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;QACvC,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,EACpD,CAAC;QACD,OAAO,YAAY,CAAC,yBAAyB,CAC3C,OAAO,CAAC,SAAS,EACjB,UAAU,MAAM,CAAC,KAAK,2BAA2B,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC5F,CAAC;IACJ,CAAC;IAED,iCAAiC;IACjC,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QAC/E,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;YAClE,OAAO,YAAY,CAAC,yBAAyB,CAC3C,OAAO,CAAC,SAAS,EACjB,UAAU,MAAM,CAAC,MAAM,8BAA8B,OAAO,CAAC,MAAM,CAAC,cAAc,EAAE,CACrF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QAC/E,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACtE,IAAI,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;YACvD,OAAO,YAAY,CAAC,yBAAyB,CAC3C,OAAO,CAAC,SAAS,EACjB,oBAAoB,MAAM,CAAC,UAAU,CAAC,2BAA2B,OAAO,CAAC,MAAM,CAAC,cAAc,EAAE,CACjG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,gEAAgE;IAChE,IACE,MAAM,CAAC,SAAS,KAAK,SAAS;QAC9B,OAAO,CAAC,MAAM,CAAC,iBAAiB,KAAK,SAAS;QAC9C,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAC3C,CAAC;QACD,MAAM,cAAc,GAAG,MAAM,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,CACnD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,cAAc,CAC1C,CAAC;QACF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,YAAY,CAAC,yBAAyB,CAC3C,OAAO,CAAC,SAAS,EACjB,cAAc,MAAM,CAAC,SAAS,uBAAuB,CACtD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IACE,MAAM,CAAC,OAAO,KAAK,SAAS;QAC5B,OAAO,CAAC,MAAM,CAAC,aAAa,KAAK,SAAS;QAC1C,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;QACvC,CAAC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EACtD,CAAC;QACD,OAAO,YAAY,CAAC,yBAAyB,CAC3C,OAAO,CAAC,SAAS,EACjB,SAAS,MAAM,CAAC,OAAO,0BAA0B,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC5F,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/signers/node-signing-backend.d.ts

@@ -0,0 +1,11 @@
+import type { SigningBackend } from '../signers/ows-adapter.js';
+/**
+ * Create a Node.js software signing backend.
+ *
+ * @remarks
+ * Generates secp256k1 (EVM) and ed25519 (Solana) key pairs using
+ * cryptographically secure randomness from `@noble/hashes`.
+ * Private key material is held in memory only — never serialized or exported.
+ */
+export declare function createNodeSigningBackend(): SigningBackend;
+//# sourceMappingURL=node-signing-backend.d.ts.map

package/dist/signers/node-signing-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-signing-backend.d.ts","sourceRoot":"","sources":["../../src/signers/node-signing-backend.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,2BAA2B,CAAC;AAgD5E;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,IAAI,cAAc,CA2FzD"}

package/dist/signers/node-signing-backend.js

@@ -0,0 +1,120 @@
+/**
+ * Node.js software signing backend for OWS.
+ *
+ * @remarks
+ * Uses `@noble/curves` for secp256k1 (EVM) and ed25519 (Solana) signing.
+ * Private key material is held in memory and never exposed via public types.
+ * For production iOS builds, the Secure Enclave backend replaces this.
+ *
+ * @internal
+ */
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { ed25519 } from '@noble/curves/ed25519';
+import { keccak_256 } from '@noble/hashes/sha3';
+import { bytesToHex, randomBytes } from '@noble/hashes/utils';
+import { Ok, Err } from '../result.js';
+import { walletErrors } from '../errors.js';
+import { base58Encode } from '../internal/base58.js';
+import { hashTypedData, personalSignHash, isSolanaTransaction } from '../internal/eip712.js';
+/** Overwrite a Uint8Array with zeros to clear key material from memory. */
+function zeroUint8Array(arr) {
+    arr.fill(0);
+}
+// ---------------------------------------------------------------------------
+// EVM Address Derivation
+// ---------------------------------------------------------------------------
+function deriveEvmAddress(privateKey) {
+    const publicKey = secp256k1.getPublicKey(privateKey, false);
+    // Drop the 0x04 prefix byte, hash the remaining 64 bytes
+    const hash = keccak_256(publicKey.subarray(1));
+    // Take last 20 bytes
+    const addressBytes = hash.subarray(12);
+    return `0x${bytesToHex(addressBytes)}`;
+}
+// ---------------------------------------------------------------------------
+// Signature Encoding
+// ---------------------------------------------------------------------------
+function encodeSecp256k1Signature(sig) {
+    const r = sig.r.toString(16).padStart(64, '0');
+    const s = sig.s.toString(16).padStart(64, '0');
+    const v = (sig.recovery + 27).toString(16).padStart(2, '0');
+    return `0x${r}${s}${v}`;
+}
+// ---------------------------------------------------------------------------
+// Factory
+// ---------------------------------------------------------------------------
+/**
+ * Create a Node.js software signing backend.
+ *
+ * @remarks
+ * Generates secp256k1 (EVM) and ed25519 (Solana) key pairs using
+ * cryptographically secure randomness from `@noble/hashes`.
+ * Private key material is held in memory only — never serialized or exported.
+ */
+export function createNodeSigningBackend() {
+    const keyStore = new Map();
+    const backend = {
+        async generateKeyPair() {
+            const evmPrivateKey = randomBytes(32);
+            const solanaPrivateKey = randomBytes(32);
+            const evmAddress = deriveEvmAddress(evmPrivateKey);
+            const solanaPubkey = ed25519.getPublicKey(solanaPrivateKey);
+            const solanaAddress = base58Encode(solanaPubkey);
+            keyStore.set(evmAddress, { evmPrivateKey, solanaPrivateKey });
+            return Ok({
+                evmAddress,
+                solanaAddress,
+                platform: 'node',
+            });
+        },
+        async signMessage(keys, message) {
+            const stored = keyStore.get(keys.evmAddress);
+            if (!stored)
+                return Err(walletErrors.keyNotFound(keys.evmAddress));
+            const hash = personalSignHash(message);
+            const sig = secp256k1.sign(hash, stored.evmPrivateKey);
+            return Ok(encodeSecp256k1Signature(sig));
+        },
+        async signTypedData(keys, payload) {
+            const stored = keyStore.get(keys.evmAddress);
+            if (!stored)
+                return Err(walletErrors.keyNotFound(keys.evmAddress));
+            const hash = hashTypedData(payload);
+            const sig = secp256k1.sign(hash, stored.evmPrivateKey);
+            return Ok(encodeSecp256k1Signature(sig));
+        },
+        async signTransaction(keys, tx) {
+            const stored = keyStore.get(keys.evmAddress);
+            if (!stored)
+                return Err(walletErrors.keyNotFound(keys.evmAddress));
+            if (!isSolanaTransaction(tx)) {
+                return Err(walletErrors.signingRejected('Unsupported transaction type'));
+            }
+            const messageBytes = tx.message.serialize();
+            const signature = ed25519.sign(messageBytes, stored.solanaPrivateKey);
+            tx.signatures[0] = signature;
+            return Ok(tx);
+        },
+        async withAuthContext(_prompt, fn) {
+            return Ok(await fn());
+        },
+        destroy() {
+            for (const stored of keyStore.values()) {
+                zeroUint8Array(stored.evmPrivateKey);
+                zeroUint8Array(stored.solanaPrivateKey);
+            }
+            keyStore.clear();
+        },
+        removeKeyPair(evmAddress) {
+            const stored = keyStore.get(evmAddress);
+            if (!stored)
+                return Err(walletErrors.keyNotFound(evmAddress));
+            zeroUint8Array(stored.evmPrivateKey);
+            zeroUint8Array(stored.solanaPrivateKey);
+            keyStore.delete(evmAddress);
+            return Ok(undefined);
+        },
+    };
+    return backend;
+}
+//# sourceMappingURL=node-signing-backend.js.map

package/dist/signers/node-signing-backend.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node-signing-backend.js","sourceRoot":"","sources":["../../src/signers/node-signing-backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAE9D,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAGvC,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAW7F,2EAA2E;AAC3E,SAAS,cAAc,CAAC,GAAe;IACrC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,SAAS,gBAAgB,CAAC,UAAsB;IAC9C,MAAM,SAAS,GAAG,SAAS,CAAC,YAAY,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC5D,yDAAyD;IACzD,MAAM,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,qBAAqB;IACrB,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACvC,OAAO,KAAK,UAAU,CAAC,YAAY,CAAC,EAAa,CAAC;AACpD,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,SAAS,wBAAwB,CAC/B,GAA+C;IAE/C,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC5D,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAS,CAAC;AACjC,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB;IACtC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAsB,CAAC;IAE/C,MAAM,OAAO,GAAmB;QAC9B,KAAK,CAAC,eAAe;YACnB,MAAM,aAAa,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;YACtC,MAAM,gBAAgB,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;YAEzC,MAAM,UAAU,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;YACnD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;YAC5D,MAAM,aAAa,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;YAEjD,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAE9D,OAAO,EAAE,CAAC;gBACR,UAAU;gBACV,aAAa;gBACb,QAAQ,EAAE,MAAe;aAC1B,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,WAAW,CACf,IAAgB,EAChB,OAAY;YAEZ,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM;gBAAE,OAAO,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAEnE,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;YACvC,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;YACvD,OAAO,EAAE,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3C,CAAC;QAED,KAAK,CAAC,aAAa,CACjB,IAAgB,EAChB,OAAyB;YAEzB,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM;gBAAE,OAAO,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAEnE,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;YACpC,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;YACvD,OAAO,EAAE,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3C,CAAC;QAED,KAAK,CAAC,eAAe,CACnB,IAAgB,EAChB,EAAK;YAEL,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7C,IAAI,CAAC,MAAM;gBAAE,OAAO,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAEnE,IAAI,CAAC,mBAAmB,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC7B,OAAO,GAAG,CACR,YAAY,CAAC,eAAe,CAAC,8BAA8B,CAAC,CAC7D,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,EAAE,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACtE,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC;YAE7B,OAAO,EAAE,CAAC,EAAO,CAAC,CAAC;QACrB,CAAC;QAED,KAAK,CAAC,eAAe,CACnB,OAAe,EACf,EAAoB;YAEpB,OAAO,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACxB,CAAC;QAED,OAAO;YACL,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;gBACvC,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;gBACrC,cAAc,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC1C,CAAC;YACD,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,CAAC;QAED,aAAa,CAAC,UAAkB;YAC9B,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YACxC,IAAI,CAAC,MAAM;gBAAE,OAAO,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC;YAC9D,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YACrC,cAAc,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;YACxC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAC5B,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC;QACvB,CAAC;KACF,CAAC;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC"}