@qrkit/core 0.1.0

package/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached with the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other transformations
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submit" means any form of electronic, verbal, or
+      written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source lists, defect tracking systems, and issue tracking systems that
+      are managed by, or on behalf of, the Licensor for the purpose of
+      discussing and improving the Work, but excluding communication that is
+      conspicuously marked or designated in writing by the copyright owner as
+      "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and included
+      within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by the combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a cross-claim
+      or counterclaim in a lawsuit) alleging that the Work or any patent
+      claim embodied in the Work constitutes direct or patent infringement,
+      then any patent rights granted to You under this License for that Work
+      shall terminate as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in all Source or Derivative Works that You
+          distribute, all copyright, patent, trademark, and attribution
+          notices from the Source form of the Work, excluding those notices
+          that do not pertain to any part of the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, except for those notices that do not
+          pertain to any part of the Derivative Works, in any part of
+          the Derivative Works in which You reproduce, separately or as
+          an addendum to the NOTICE text from the Work, provided that
+          such additional attribution notices cannot be construed as
+          modifying the License.
+
+      You may add Your own attribution notices within Derivative Works
+      that You distribute, alongside or in addition to the NOTICE text
+      from the Work, provided that such additional attribution notices
+      cannot be construed as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional grant of rights to use, reproduce, prepare
+      Derivative Works of, publicly display, publicly perform, sublicense,
+      and distribute those Modifications, as in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any conditions of title,
+      MERCHANTIBILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely
+      responsible for determining the appropriateness of using or
+      reproducing the Work and assume any risks associated with Your
+      exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or exemplary damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or all other
+      commercial damages or losses), even if such Contributor has been
+      advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may wish to offer, and
+      charge a fee for, acceptance of support, warranty, indemnity, or
+      other liability obligations and/or rights consistent of this License.
+      However, in accepting such obligations, You may offer such conditions
+      only on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify, defend,
+      and hold each Contributor harmless for any liability incurred by, or
+      claims asserted against, such Contributor by reason of your accepting
+      any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the format in question; you may also recommend
+      that file header to be included with the copyright notice:
+
+   Copyright 2026 Mladen Milankovic
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,61 @@
+# @qrkit/core
+
+Framework-agnostic protocol core for QR-based airgapped wallet flows. Designed for use in browser-based dApps.
+
+Handles the ERC-4527 / UR / CBOR stack: decoding scanned QR exports, deriving EVM addresses, building sign requests, and parsing signature responses. No DOM, no React, no external services.
+
+## Install
+
+```sh
+pnpm add @qrkit/core
+```
+
+## Usage
+
+```ts
+import { parseXpub, deriveEvmAccount, buildEthSignRequestURParts, parseEthSignature } from '@qrkit/core'
+
+// 1. Parse the connection QR exported from the wallet (crypto-hdkey or crypto-account)
+const parsed = parseXpub(scannedUR)
+const account = deriveEvmAccount(parsed)
+// account.address  → EIP-55 checksummed address
+// account.publicKey → compressed pubkey hex
+// account.sourceFingerprint → required by Shell for signing
+
+// 2. Build a sign request — returns UR parts to display as QR codes
+const parts = buildEthSignRequestURParts(message, account.address, account.sourceFingerprint)
+// parts.length === 1 for short messages, >1 for animated QR
+
+// 3. After the user scans the wallet's response QR
+const signature = parseEthSignature(scannedResponseUR)
+// → '0x...' hex string
+```
+
+## Browser usage
+
+This package is designed to run in the browser. It depends on [`@ngraveio/bc-ur`](https://github.com/ngraveio/bc-ur) which internally uses the Node.js `Buffer` API.
+
+Modern bundlers (Vite, webpack, etc.) polyfill `Buffer` automatically. If you see a `Buffer is not defined` error, add the [`buffer`](https://www.npmjs.com/package/buffer) package and configure your bundler to inject it:
+
+**Vite:**
+
+```ts
+// vite.config.ts
+import { defineConfig } from 'vite'
+import { nodePolyfills } from 'vite-plugin-node-polyfills'
+
+export default defineConfig({
+  plugins: [nodePolyfills({ include: ['buffer'] })],
+})
+```
+
+**Or manually in your entry file:**
+
+```ts
+import { Buffer } from 'buffer'
+globalThis.Buffer = Buffer
+```
+
+## License
+
+[Apache 2.0](../../LICENSE)

package/dist/index.cjs

@@ -0,0 +1,309 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  buildEthSignRequestUR: () => buildEthSignRequestUR,
+  buildEthSignRequestURParts: () => buildEthSignRequestURParts,
+  parseConnection: () => parseConnection,
+  parseEthSignature: () => parseEthSignature
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/parseXpub.ts
+var import_bip32 = require("@scure/bip32");
+var import_cborg = require("cborg");
+function get(m, k) {
+  if (m instanceof Map) return m.get(k);
+  return void 0;
+}
+var passthrough = (v) => v;
+function decodeCbor(cbor) {
+  return (0, import_cborg.decode)(cbor, {
+    useMaps: true,
+    tags: Object.assign([], {
+      303: passthrough,
+      // crypto-hdkey
+      304: passthrough,
+      // crypto-keypath
+      305: passthrough
+      // crypto-coin-info
+    })
+  });
+}
+function parseCryptoHdKey(map, raw) {
+  const keyData = get(map, 3);
+  const chainCode = get(map, 4);
+  if (!keyData || !chainCode) {
+    throw new Error("crypto-hdkey missing key-data or chain-code");
+  }
+  let purpose;
+  let coinType;
+  let sourceFingerprint;
+  const origin = get(map, 6);
+  if (origin) {
+    const components = get(origin, 1);
+    if (Array.isArray(components)) {
+      if (components.length >= 1) purpose = components[0];
+      if (components.length >= 3) coinType = components[2];
+    }
+    sourceFingerprint = get(origin, 2);
+  }
+  const hdKey = new import_bip32.HDKey({ publicKey: keyData, chainCode });
+  return { hdKey, type: "xpub", purpose, coinType, sourceFingerprint, raw };
+}
+function parseScannedUR(scanned) {
+  const { type, cbor } = scanned;
+  const raw = `ur:${type}`;
+  if (type !== "crypto-hdkey" && type !== "crypto-account") {
+    throw new Error(`Unsupported UR type: ${type}`);
+  }
+  const map = decodeCbor(cbor);
+  if (type === "crypto-hdkey") {
+    return parseCryptoHdKey(map, raw);
+  }
+  const accounts = map.get(2);
+  if (!Array.isArray(accounts) || accounts.length === 0) {
+    throw new Error("crypto-account contains no keys");
+  }
+  return accounts.map((entry) => parseCryptoHdKey(entry, raw));
+}
+function parseXpub(input) {
+  if (typeof input !== "string") {
+    const result = parseScannedUR(input);
+    return Array.isArray(result) ? result : [result];
+  }
+  const hdKey = import_bip32.HDKey.fromExtendedKey(input.trim());
+  return [
+    {
+      hdKey,
+      type: "xpub",
+      purpose: void 0,
+      coinType: void 0,
+      sourceFingerprint: void 0,
+      raw: input.trim()
+    }
+  ];
+}
+
+// src/eth/address.ts
+var import_sha3 = require("@noble/hashes/sha3.js");
+var secp = __toESM(require("@noble/secp256k1"), 1);
+function pubKeyToEthAddress(compressedPubKey) {
+  const uncompressed = secp.Point.fromBytes(compressedPubKey).toBytes(false);
+  const hash = (0, import_sha3.keccak_256)(uncompressed.slice(1));
+  const hex = [...hash.slice(12)].map((b) => b.toString(16).padStart(2, "0")).join("");
+  return toChecksumAddress(hex);
+}
+function toChecksumAddress(hex) {
+  const checksumHash = (0, import_sha3.keccak_256)(new TextEncoder().encode(hex));
+  return "0x" + [...hex].map((c, i) => {
+    if (c >= "0" && c <= "9") return c;
+    const nibble = i % 2 === 0 ? checksumHash[Math.floor(i / 2)] >> 4 & 15 : checksumHash[Math.floor(i / 2)] & 15;
+    return nibble >= 8 ? c.toUpperCase() : c.toLowerCase();
+  }).join("");
+}
+
+// src/eth/deriveAccount.ts
+function firstChild(accountKey) {
+  return accountKey.deriveChild(0).deriveChild(0);
+}
+function toHex(bytes) {
+  return [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function deriveEvmAccount(parsed) {
+  for (const entry of parsed) {
+    const { hdKey, purpose, coinType, type, sourceFingerprint } = entry;
+    const isEvm = purpose === 44 && coinType === 60 || purpose === void 0 && type === "xpub";
+    if (!isEvm) continue;
+    const child = firstChild(hdKey);
+    if (!child.publicKey) continue;
+    return {
+      address: pubKeyToEthAddress(child.publicKey),
+      publicKey: toHex(child.publicKey),
+      sourceFingerprint
+    };
+  }
+  return void 0;
+}
+
+// src/parseConnection.ts
+var ALL_CHAINS = ["evm", "btc"];
+function parseConnection(scannedUR, config = {}) {
+  const chains = config.chains ?? ALL_CHAINS;
+  const parsed = parseXpub(scannedUR);
+  const accounts = [];
+  if (chains.includes("evm")) {
+    const account = deriveEvmAccount(parsed);
+    if (account) {
+      accounts.push({ chain: "evm", ...account });
+    }
+  }
+  return accounts;
+}
+
+// src/cbor.ts
+function majorType(major, n) {
+  const base = major << 5;
+  if (n <= 23) return [base | n];
+  if (n <= 255) return [base | 24, n];
+  if (n <= 65535) return [base | 25, n >> 8 & 255, n & 255];
+  return [base | 26, n >> 24 & 255, n >> 16 & 255, n >> 8 & 255, n & 255];
+}
+function encodeItem(value) {
+  if (typeof value === "boolean") {
+    return [value ? 245 : 244];
+  }
+  if (typeof value === "number") {
+    return majorType(0, value);
+  }
+  if (value instanceof Uint8Array) {
+    return [...majorType(2, value.length), ...value];
+  }
+  if (typeof value === "string") {
+    const bytes = new TextEncoder().encode(value);
+    return [...majorType(3, bytes.length), ...bytes];
+  }
+  if (Array.isArray(value)) {
+    return [...majorType(4, value.length), ...value.flatMap(encodeItem)];
+  }
+  if (value instanceof CborTag) {
+    return [...majorType(6, value.tag), ...encodeItem(value.value)];
+  }
+  if (value instanceof Map) {
+    const entries = [...value.entries()];
+    return [
+      ...majorType(5, entries.length),
+      ...entries.flatMap(([k, v]) => [...encodeItem(k), ...encodeItem(v)])
+    ];
+  }
+  throw new Error(`Unsupported CBOR value: ${typeof value}`);
+}
+var CborTag = class {
+  tag;
+  value;
+  constructor(tag, value) {
+    this.tag = tag;
+    this.value = value;
+  }
+};
+function encode(value) {
+  return new Uint8Array(encodeItem(value));
+}
+
+// src/urEncoding.ts
+var import_bc_ur = require("@ngraveio/bc-ur");
+function encodeURParts(cbor, type, maxFragmentLength = 200) {
+  const ur = new import_bc_ur.UR(Buffer.from(cbor), type);
+  const encoder = new import_bc_ur.UREncoder(ur, maxFragmentLength);
+  return Array.from(
+    { length: encoder.fragmentsLength },
+    () => encoder.nextPart().toUpperCase()
+  );
+}
+function encodeURFirstPart(cbor, type, maxFragmentLength = 200) {
+  return encodeURParts(cbor, type, maxFragmentLength)[0];
+}
+
+// src/eth/signRequest.ts
+var DATA_TYPE_ETH_RAW_BYTES = 3;
+var TAG_KEYPATH = 304;
+function randomBytes(n) {
+  const buf = new Uint8Array(n);
+  crypto.getRandomValues(buf);
+  return buf;
+}
+function buildKeypath(purpose, coinType, sourceFingerprint) {
+  const components = [purpose, true, coinType, true, 0, true, 0, false, 0, false];
+  const keypathMap = /* @__PURE__ */ new Map([[1, components]]);
+  if (sourceFingerprint !== void 0) {
+    keypathMap.set(2, sourceFingerprint);
+  }
+  return new CborTag(TAG_KEYPATH, keypathMap);
+}
+function buildEthSignRequestCbor(message, address, sourceFingerprint, origin = "qrkit") {
+  const requestId = randomBytes(16);
+  const messageBytes = new TextEncoder().encode(message);
+  const keypath = buildKeypath(44, 60, sourceFingerprint);
+  const addrHex = address.replace(/^0x/i, "");
+  const addrBytes = new Uint8Array(addrHex.match(/.{2}/g).map((b) => parseInt(b, 16)));
+  const map = /* @__PURE__ */ new Map([
+    [1, new CborTag(37, requestId)],
+    // request-id: uuid = #6.37(bstr)
+    [2, messageBytes],
+    // sign-data
+    [3, DATA_TYPE_ETH_RAW_BYTES],
+    // data-type: eth-raw-bytes for EIP-191
+    [5, keypath],
+    // derivation-path
+    [6, addrBytes],
+    // address
+    [7, origin]
+    // origin
+  ]);
+  return encode(map);
+}
+function buildEthSignRequestURParts(message, address, sourceFingerprint, origin) {
+  return encodeURParts(
+    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),
+    "eth-sign-request"
+  );
+}
+function buildEthSignRequestUR(message, address, sourceFingerprint, origin) {
+  return encodeURFirstPart(
+    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),
+    "eth-sign-request"
+  );
+}
+
+// src/eth/signature.ts
+var import_cborg2 = require("cborg");
+function parseEthSignature(scanned) {
+  if (scanned.type !== "eth-signature") {
+    throw new Error(`Expected eth-signature, got: ${scanned.type}`);
+  }
+  const map = (0, import_cborg2.decode)(scanned.cbor, {
+    useMaps: true,
+    tags: Object.assign([], { 37: (v) => v })
+  });
+  const sigBytes = map.get(2);
+  if (!sigBytes || sigBytes.length < 64) {
+    throw new Error("Invalid or missing signature bytes");
+  }
+  return "0x" + [...sigBytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  buildEthSignRequestUR,
+  buildEthSignRequestURParts,
+  parseConnection,
+  parseEthSignature
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/parseXpub.ts","../src/eth/address.ts","../src/eth/deriveAccount.ts","../src/parseConnection.ts","../src/cbor.ts","../src/urEncoding.ts","../src/eth/signRequest.ts","../src/eth/signature.ts"],"sourcesContent":["// Types\nexport type { ScannedUR, Chain, QRKitConfig, Account, EvmAccount } from \"./types.js\";\nexport type { ParsedXpub, XpubType } from \"./parseXpub.js\";\n\n// Connection\nexport { parseConnection } from \"./parseConnection.js\";\n\n// EVM signing\nexport { buildEthSignRequestUR, buildEthSignRequestURParts } from \"./eth/signRequest.js\";\nexport { parseEthSignature } from \"./eth/signature.js\";\n","import { HDKey } from \"@scure/bip32\";\nimport { decode as cborDecode, type TagDecoder } from \"cborg\";\n\nimport type { ScannedUR } from \"./types.js\";\n\nexport type XpubType = \"xpub\";\n\nexport interface ParsedXpub {\n  hdKey: HDKey;\n  type: XpubType;\n  /** BIP-44 purpose index: 44 for EVM */\n  purpose: number | undefined;\n  /** BIP-44 coin type: 60 = ETH */\n  coinType: number | undefined;\n  /** source-fingerprint from the origin keypath — required by Shell for signing */\n  sourceFingerprint: number | undefined;\n  raw: string;\n}\n\nfunction get(m: unknown, k: number): unknown {\n  if (m instanceof Map) return (m as Map<number, unknown>).get(k);\n  return undefined;\n}\n\nconst passthrough = (v: unknown) => v;\n\nfunction decodeCbor(cbor: Uint8Array): Map<number, unknown> {\n  return cborDecode(cbor, {\n    useMaps: true,\n    tags: Object.assign([] as TagDecoder[], {\n      303: passthrough, // crypto-hdkey\n      304: passthrough, // crypto-keypath\n      305: passthrough, // crypto-coin-info\n    }),\n  }) as Map<number, unknown>;\n}\n\nfunction parseCryptoHdKey(map: unknown, raw: string): ParsedXpub {\n  const keyData = get(map, 3) as Uint8Array | undefined;\n  const chainCode = get(map, 4) as Uint8Array | undefined;\n\n  if (!keyData || !chainCode) {\n    throw new Error(\"crypto-hdkey missing key-data or chain-code\");\n  }\n\n  let purpose: number | undefined;\n  let coinType: number | undefined;\n  let sourceFingerprint: number | undefined;\n  const origin = get(map, 6);\n  if (origin) {\n    const components = get(origin, 1);\n    if (Array.isArray(components)) {\n      if (components.length >= 1) purpose = components[0] as number;\n      if (components.length >= 3) coinType = components[2] as number;\n    }\n    sourceFingerprint = get(origin, 2) as number | undefined;\n  }\n\n  const hdKey = new HDKey({ publicKey: keyData, chainCode });\n  return { hdKey, type: \"xpub\", purpose, coinType, sourceFingerprint, raw };\n}\n\nfunction parseScannedUR(scanned: ScannedUR): ParsedXpub | ParsedXpub[] {\n  const { type, cbor } = scanned;\n  const raw = `ur:${type}`;\n\n  if (type !== \"crypto-hdkey\" && type !== \"crypto-account\") {\n    throw new Error(`Unsupported UR type: ${type}`);\n  }\n\n  const map = decodeCbor(cbor);\n\n  if (type === \"crypto-hdkey\") {\n    return parseCryptoHdKey(map, raw);\n  }\n\n  const accounts = map.get(2) as unknown[] | undefined;\n  if (!Array.isArray(accounts) || accounts.length === 0) {\n    throw new Error(\"crypto-account contains no keys\");\n  }\n  return accounts.map((entry) => parseCryptoHdKey(entry, raw));\n}\n\nexport function parseXpub(input: ScannedUR | string): ParsedXpub[] {\n  if (typeof input !== \"string\") {\n    const result = parseScannedUR(input);\n    return Array.isArray(result) ? result : [result];\n  }\n  // Raw base58 xpub string — @scure/bip32 handles decoding directly\n  const hdKey = HDKey.fromExtendedKey(input.trim());\n  return [\n    {\n      hdKey,\n      type: \"xpub\",\n      purpose: undefined,\n      coinType: undefined,\n      sourceFingerprint: undefined,\n      raw: input.trim(),\n    },\n  ];\n}\n","import { keccak_256 } from \"@noble/hashes/sha3.js\";\nimport * as secp from \"@noble/secp256k1\";\n\nexport function pubKeyToEthAddress(compressedPubKey: Uint8Array): string {\n  const uncompressed = secp.Point.fromBytes(compressedPubKey).toBytes(false);\n  const hash = keccak_256(uncompressed.slice(1));\n  const hex = [...hash.slice(12)]\n    .map((b: number) => b.toString(16).padStart(2, \"0\"))\n    .join(\"\");\n  return toChecksumAddress(hex);\n}\n\nfunction toChecksumAddress(hex: string): string {\n  const checksumHash = keccak_256(new TextEncoder().encode(hex));\n  return (\n    \"0x\" +\n    [...hex]\n      .map((c, i) => {\n        if (c >= \"0\" && c <= \"9\") return c;\n        const nibble =\n          i % 2 === 0\n            ? (checksumHash[Math.floor(i / 2)] >> 4) & 0xf\n            : checksumHash[Math.floor(i / 2)] & 0xf;\n        return nibble >= 8 ? c.toUpperCase() : c.toLowerCase();\n      })\n      .join(\"\")\n  );\n}\n","import type { HDKey } from \"@scure/bip32\";\n\nimport type { ParsedXpub } from \"../parseXpub.js\";\nimport { pubKeyToEthAddress } from \"./address.js\";\n\nexport interface DerivedAccount {\n  address: string;\n  publicKey: string;\n  /** source-fingerprint from the scanned xpub — required by Shell for signing */\n  sourceFingerprint: number | undefined;\n}\n\n// Derive the first external address (index 0) from an account-level xpub.\n// Account-level xpub is at depth 3 (m/purpose'/coin'/account').\n// External chain is child 0, then address index 0.\nfunction firstChild(accountKey: HDKey): HDKey {\n  return accountKey.deriveChild(0).deriveChild(0);\n}\n\nfunction toHex(bytes: Uint8Array): string {\n  return [...bytes].map((b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n\nexport function deriveEvmAccount(parsed: ParsedXpub[]): DerivedAccount | undefined {\n  for (const entry of parsed) {\n    const { hdKey, purpose, coinType, type, sourceFingerprint } = entry;\n    const isEvm =\n      (purpose === 44 && coinType === 60) || (purpose === undefined && type === \"xpub\");\n\n    if (!isEvm) continue;\n\n    const child = firstChild(hdKey);\n    if (!child.publicKey) continue;\n\n    return {\n      address: pubKeyToEthAddress(child.publicKey),\n      publicKey: toHex(child.publicKey),\n      sourceFingerprint,\n    };\n  }\n  return undefined;\n}\n","import { parseXpub } from \"./parseXpub.js\";\nimport { deriveEvmAccount } from \"./eth/deriveAccount.js\";\nimport type { Account, Chain, EvmAccount, QRKitConfig, ScannedUR } from \"./types.js\";\n\nconst ALL_CHAINS: Chain[] = [\"evm\", \"btc\"];\n\n/**\n * Parse a connection QR (crypto-hdkey or crypto-account) and return\n * only the accounts for the chains configured in QRKitConfig.\n *\n * A dApp configured with `chains: [\"evm\"]` will never see BTC accounts,\n * and vice versa. Both chains can be enabled with `chains: [\"evm\", \"btc\"]`.\n * If `chains` is omitted, all supported chains are tried.\n */\nexport function parseConnection(\n  scannedUR: ScannedUR,\n  config: QRKitConfig = {},\n): Account[] {\n  const chains = config.chains ?? ALL_CHAINS;\n  const parsed = parseXpub(scannedUR);\n  const accounts: Account[] = [];\n\n  if (chains.includes(\"evm\")) {\n    const account = deriveEvmAccount(parsed);\n    if (account) {\n      accounts.push({ chain: \"evm\", ...account } satisfies EvmAccount);\n    }\n  }\n\n  // \"btc\" — will be implemented in src/btc/ when Bitcoin support is added.\n\n  return accounts;\n}\n","// Minimal CBOR encoder.\n// Supports only the types needed for eth-sign-request: uint, bytes, text, array, map (integer keys), bool, tag.\n\nfunction majorType(major: number, n: number): number[] {\n  const base = major << 5;\n  if (n <= 23) return [base | n];\n  if (n <= 0xff) return [base | 0x18, n];\n  if (n <= 0xffff) return [base | 0x19, (n >> 8) & 0xff, n & 0xff];\n  return [base | 0x1a, (n >> 24) & 0xff, (n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff];\n}\n\nexport function encodeItem(value: unknown): number[] {\n  if (typeof value === \"boolean\") {\n    return [value ? 0xf5 : 0xf4];\n  }\n  if (typeof value === \"number\") {\n    return majorType(0, value);\n  }\n  if (value instanceof Uint8Array) {\n    return [...majorType(2, value.length), ...value];\n  }\n  if (typeof value === \"string\") {\n    const bytes = new TextEncoder().encode(value);\n    return [...majorType(3, bytes.length), ...bytes];\n  }\n  if (Array.isArray(value)) {\n    return [...majorType(4, value.length), ...value.flatMap(encodeItem)];\n  }\n  if (value instanceof CborTag) {\n    return [...majorType(6, value.tag), ...encodeItem(value.value)];\n  }\n  if (value instanceof Map) {\n    const entries = [...value.entries()];\n    return [\n      ...majorType(5, entries.length),\n      ...entries.flatMap(([k, v]) => [...encodeItem(k), ...encodeItem(v)]),\n    ];\n  }\n  throw new Error(`Unsupported CBOR value: ${typeof value}`);\n}\n\nexport class CborTag {\n  tag: number;\n  value: unknown;\n  constructor(tag: number, value: unknown) {\n    this.tag = tag;\n    this.value = value;\n  }\n}\n\nexport function encode(value: unknown): Uint8Array {\n  return new Uint8Array(encodeItem(value));\n}\n","import { UR, UREncoder } from \"@ngraveio/bc-ur\";\n\nexport function encodeURParts(\n  cbor: Uint8Array,\n  type: string,\n  maxFragmentLength = 200,\n): string[] {\n  // @ngraveio/bc-ur requires a Buffer. In Node.js it is a global; in browsers the\n  // bundler must provide the `buffer` polyfill (same requirement as the prototype).\n  const ur = new UR(Buffer.from(cbor), type);\n  const encoder = new UREncoder(ur, maxFragmentLength);\n  return Array.from({ length: encoder.fragmentsLength }, () =>\n    encoder.nextPart().toUpperCase(),\n  );\n}\n\nexport function encodeURFirstPart(\n  cbor: Uint8Array,\n  type: string,\n  maxFragmentLength = 200,\n): string {\n  return encodeURParts(cbor, type, maxFragmentLength)[0];\n}\n","import { encode, CborTag } from \"../cbor.js\";\nimport { encodeURFirstPart, encodeURParts } from \"../urEncoding.js\";\n\n// EIP-191 personal_sign = eth-raw-bytes (ERC-4527 data type 3)\nconst DATA_TYPE_ETH_RAW_BYTES = 3;\n\n// CBOR tag for crypto-keypath\nconst TAG_KEYPATH = 304;\n\nfunction randomBytes(n: number): Uint8Array {\n  const buf = new Uint8Array(n);\n  crypto.getRandomValues(buf);\n  return buf;\n}\n\nfunction buildKeypath(\n  purpose: number,\n  coinType: number,\n  sourceFingerprint: number | undefined,\n): CborTag {\n  // m/purpose'/coinType'/0'/0/0\n  const components = [purpose, true, coinType, true, 0, true, 0, false, 0, false];\n  const keypathMap = new Map<number, unknown>([[1, components]]);\n  if (sourceFingerprint !== undefined) {\n    keypathMap.set(2, sourceFingerprint);\n  }\n  return new CborTag(TAG_KEYPATH, keypathMap);\n}\n\nfunction buildEthSignRequestCbor(\n  message: string,\n  address: string,\n  sourceFingerprint: number | undefined,\n  origin = \"qrkit\",\n): Uint8Array {\n  const requestId = randomBytes(16);\n  const messageBytes = new TextEncoder().encode(message);\n  const keypath = buildKeypath(44, 60, sourceFingerprint);\n\n  const addrHex = address.replace(/^0x/i, \"\");\n  const addrBytes = new Uint8Array(addrHex.match(/.{2}/g)!.map((b) => parseInt(b, 16)));\n\n  const map = new Map<number, unknown>([\n    [1, new CborTag(37, requestId)], // request-id: uuid = #6.37(bstr)\n    [2, messageBytes], // sign-data\n    [3, DATA_TYPE_ETH_RAW_BYTES], // data-type: eth-raw-bytes for EIP-191\n    [5, keypath], // derivation-path\n    [6, addrBytes], // address\n    [7, origin], // origin\n  ]);\n\n  return encode(map);\n}\n\nexport function buildEthSignRequestURParts(\n  message: string,\n  address: string,\n  sourceFingerprint: number | undefined,\n  origin?: string,\n): string[] {\n  return encodeURParts(\n    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),\n    \"eth-sign-request\",\n  );\n}\n\nexport function buildEthSignRequestUR(\n  message: string,\n  address: string,\n  sourceFingerprint: number | undefined,\n  origin?: string,\n): string {\n  return encodeURFirstPart(\n    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),\n    \"eth-sign-request\",\n  );\n}\n","import { decode as cborDecode, type TagDecoder } from \"cborg\";\n\nimport type { ScannedUR } from \"../types.js\";\n\nexport function parseEthSignature(scanned: ScannedUR): string {\n  if (scanned.type !== \"eth-signature\") {\n    throw new Error(`Expected eth-signature, got: ${scanned.type}`);\n  }\n\n  const map = cborDecode(scanned.cbor, {\n    useMaps: true,\n    tags: Object.assign([] as TagDecoder[], { 37: (v: unknown) => v }),\n  }) as Map<number, unknown>;\n\n  const sigBytes = map.get(2) as Uint8Array | undefined;\n  if (!sigBytes || sigBytes.length < 64) {\n    throw new Error(\"Invalid or missing signature bytes\");\n  }\n\n  return \"0x\" + [...sigBytes].map((b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,mBAAsB;AACtB,mBAAsD;AAkBtD,SAAS,IAAI,GAAY,GAAoB;AAC3C,MAAI,aAAa,IAAK,QAAQ,EAA2B,IAAI,CAAC;AAC9D,SAAO;AACT;AAEA,IAAM,cAAc,CAAC,MAAe;AAEpC,SAAS,WAAW,MAAwC;AAC1D,aAAO,aAAAA,QAAW,MAAM;AAAA,IACtB,SAAS;AAAA,IACT,MAAM,OAAO,OAAO,CAAC,GAAmB;AAAA,MACtC,KAAK;AAAA;AAAA,MACL,KAAK;AAAA;AAAA,MACL,KAAK;AAAA;AAAA,IACP,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,iBAAiB,KAAc,KAAyB;AAC/D,QAAM,UAAU,IAAI,KAAK,CAAC;AAC1B,QAAM,YAAY,IAAI,KAAK,CAAC;AAE5B,MAAI,CAAC,WAAW,CAAC,WAAW;AAC1B,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AAEA,MAAI;AACJ,MAAI;AACJ,MAAI;AACJ,QAAM,SAAS,IAAI,KAAK,CAAC;AACzB,MAAI,QAAQ;AACV,UAAM,aAAa,IAAI,QAAQ,CAAC;AAChC,QAAI,MAAM,QAAQ,UAAU,GAAG;AAC7B,UAAI,WAAW,UAAU,EAAG,WAAU,WAAW,CAAC;AAClD,UAAI,WAAW,UAAU,EAAG,YAAW,WAAW,CAAC;AAAA,IACrD;AACA,wBAAoB,IAAI,QAAQ,CAAC;AAAA,EACnC;AAEA,QAAM,QAAQ,IAAI,mBAAM,EAAE,WAAW,SAAS,UAAU,CAAC;AACzD,SAAO,EAAE,OAAO,MAAM,QAAQ,SAAS,UAAU,mBAAmB,IAAI;AAC1E;AAEA,SAAS,eAAe,SAA+C;AACrE,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,MAAM,MAAM,IAAI;AAEtB,MAAI,SAAS,kBAAkB,SAAS,kBAAkB;AACxD,UAAM,IAAI,MAAM,wBAAwB,IAAI,EAAE;AAAA,EAChD;AAEA,QAAM,MAAM,WAAW,IAAI;AAE3B,MAAI,SAAS,gBAAgB;AAC3B,WAAO,iBAAiB,KAAK,GAAG;AAAA,EAClC;AAEA,QAAM,WAAW,IAAI,IAAI,CAAC;AAC1B,MAAI,CAAC,MAAM,QAAQ,QAAQ,KAAK,SAAS,WAAW,GAAG;AACrD,UAAM,IAAI,MAAM,iCAAiC;AAAA,EACnD;AACA,SAAO,SAAS,IAAI,CAAC,UAAU,iBAAiB,OAAO,GAAG,CAAC;AAC7D;AAEO,SAAS,UAAU,OAAyC;AACjE,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,SAAS,eAAe,KAAK;AACnC,WAAO,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC,MAAM;AAAA,EACjD;AAEA,QAAM,QAAQ,mBAAM,gBAAgB,MAAM,KAAK,CAAC;AAChD,SAAO;AAAA,IACL;AAAA,MACE;AAAA,MACA,MAAM;AAAA,MACN,SAAS;AAAA,MACT,UAAU;AAAA,MACV,mBAAmB;AAAA,MACnB,KAAK,MAAM,KAAK;AAAA,IAClB;AAAA,EACF;AACF;;;ACpGA,kBAA2B;AAC3B,WAAsB;AAEf,SAAS,mBAAmB,kBAAsC;AACvE,QAAM,eAAoB,WAAM,UAAU,gBAAgB,EAAE,QAAQ,KAAK;AACzE,QAAM,WAAO,wBAAW,aAAa,MAAM,CAAC,CAAC;AAC7C,QAAM,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC,EAC3B,IAAI,CAAC,MAAc,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAClD,KAAK,EAAE;AACV,SAAO,kBAAkB,GAAG;AAC9B;AAEA,SAAS,kBAAkB,KAAqB;AAC9C,QAAM,mBAAe,wBAAW,IAAI,YAAY,EAAE,OAAO,GAAG,CAAC;AAC7D,SACE,OACA,CAAC,GAAG,GAAG,EACJ,IAAI,CAAC,GAAG,MAAM;AACb,QAAI,KAAK,OAAO,KAAK,IAAK,QAAO;AACjC,UAAM,SACJ,IAAI,MAAM,IACL,aAAa,KAAK,MAAM,IAAI,CAAC,CAAC,KAAK,IAAK,KACzC,aAAa,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI;AACxC,WAAO,UAAU,IAAI,EAAE,YAAY,IAAI,EAAE,YAAY;AAAA,EACvD,CAAC,EACA,KAAK,EAAE;AAEd;;;ACZA,SAAS,WAAW,YAA0B;AAC5C,SAAO,WAAW,YAAY,CAAC,EAAE,YAAY,CAAC;AAChD;AAEA,SAAS,MAAM,OAA2B;AACxC,SAAO,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AACvE;AAEO,SAAS,iBAAiB,QAAkD;AACjF,aAAW,SAAS,QAAQ;AAC1B,UAAM,EAAE,OAAO,SAAS,UAAU,MAAM,kBAAkB,IAAI;AAC9D,UAAM,QACH,YAAY,MAAM,aAAa,MAAQ,YAAY,UAAa,SAAS;AAE5E,QAAI,CAAC,MAAO;AAEZ,UAAM,QAAQ,WAAW,KAAK;AAC9B,QAAI,CAAC,MAAM,UAAW;AAEtB,WAAO;AAAA,MACL,SAAS,mBAAmB,MAAM,SAAS;AAAA,MAC3C,WAAW,MAAM,MAAM,SAAS;AAAA,MAChC;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACrCA,IAAM,aAAsB,CAAC,OAAO,KAAK;AAUlC,SAAS,gBACd,WACA,SAAsB,CAAC,GACZ;AACX,QAAM,SAAS,OAAO,UAAU;AAChC,QAAM,SAAS,UAAU,SAAS;AAClC,QAAM,WAAsB,CAAC;AAE7B,MAAI,OAAO,SAAS,KAAK,GAAG;AAC1B,UAAM,UAAU,iBAAiB,MAAM;AACvC,QAAI,SAAS;AACX,eAAS,KAAK,EAAE,OAAO,OAAO,GAAG,QAAQ,CAAsB;AAAA,IACjE;AAAA,EACF;AAIA,SAAO;AACT;;;AC7BA,SAAS,UAAU,OAAe,GAAqB;AACrD,QAAM,OAAO,SAAS;AACtB,MAAI,KAAK,GAAI,QAAO,CAAC,OAAO,CAAC;AAC7B,MAAI,KAAK,IAAM,QAAO,CAAC,OAAO,IAAM,CAAC;AACrC,MAAI,KAAK,MAAQ,QAAO,CAAC,OAAO,IAAO,KAAK,IAAK,KAAM,IAAI,GAAI;AAC/D,SAAO,CAAC,OAAO,IAAO,KAAK,KAAM,KAAO,KAAK,KAAM,KAAO,KAAK,IAAK,KAAM,IAAI,GAAI;AACpF;AAEO,SAAS,WAAW,OAA0B;AACnD,MAAI,OAAO,UAAU,WAAW;AAC9B,WAAO,CAAC,QAAQ,MAAO,GAAI;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,UAAU,GAAG,KAAK;AAAA,EAC3B;AACA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,MAAM,GAAG,GAAG,KAAK;AAAA,EACjD;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,MAAM,GAAG,GAAG,KAAK;AAAA,EACjD;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,MAAM,GAAG,GAAG,MAAM,QAAQ,UAAU,CAAC;AAAA,EACrE;AACA,MAAI,iBAAiB,SAAS;AAC5B,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,GAAG,GAAG,GAAG,WAAW,MAAM,KAAK,CAAC;AAAA,EAChE;AACA,MAAI,iBAAiB,KAAK;AACxB,UAAM,UAAU,CAAC,GAAG,MAAM,QAAQ,CAAC;AACnC,WAAO;AAAA,MACL,GAAG,UAAU,GAAG,QAAQ,MAAM;AAAA,MAC9B,GAAG,QAAQ,QAAQ,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,WAAW,CAAC,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC;AAAA,IACrE;AAAA,EACF;AACA,QAAM,IAAI,MAAM,2BAA2B,OAAO,KAAK,EAAE;AAC3D;AAEO,IAAM,UAAN,MAAc;AAAA,EACnB;AAAA,EACA;AAAA,EACA,YAAY,KAAa,OAAgB;AACvC,SAAK,MAAM;AACX,SAAK,QAAQ;AAAA,EACf;AACF;AAEO,SAAS,OAAO,OAA4B;AACjD,SAAO,IAAI,WAAW,WAAW,KAAK,CAAC;AACzC;;;ACpDA,mBAA8B;AAEvB,SAAS,cACd,MACA,MACA,oBAAoB,KACV;AAGV,QAAM,KAAK,IAAI,gBAAG,OAAO,KAAK,IAAI,GAAG,IAAI;AACzC,QAAM,UAAU,IAAI,uBAAU,IAAI,iBAAiB;AACnD,SAAO,MAAM;AAAA,IAAK,EAAE,QAAQ,QAAQ,gBAAgB;AAAA,IAAG,MACrD,QAAQ,SAAS,EAAE,YAAY;AAAA,EACjC;AACF;AAEO,SAAS,kBACd,MACA,MACA,oBAAoB,KACZ;AACR,SAAO,cAAc,MAAM,MAAM,iBAAiB,EAAE,CAAC;AACvD;;;AClBA,IAAM,0BAA0B;AAGhC,IAAM,cAAc;AAEpB,SAAS,YAAY,GAAuB;AAC1C,QAAM,MAAM,IAAI,WAAW,CAAC;AAC5B,SAAO,gBAAgB,GAAG;AAC1B,SAAO;AACT;AAEA,SAAS,aACP,SACA,UACA,mBACS;AAET,QAAM,aAAa,CAAC,SAAS,MAAM,UAAU,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,KAAK;AAC9E,QAAM,aAAa,oBAAI,IAAqB,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC;AAC7D,MAAI,sBAAsB,QAAW;AACnC,eAAW,IAAI,GAAG,iBAAiB;AAAA,EACrC;AACA,SAAO,IAAI,QAAQ,aAAa,UAAU;AAC5C;AAEA,SAAS,wBACP,SACA,SACA,mBACA,SAAS,SACG;AACZ,QAAM,YAAY,YAAY,EAAE;AAChC,QAAM,eAAe,IAAI,YAAY,EAAE,OAAO,OAAO;AACrD,QAAM,UAAU,aAAa,IAAI,IAAI,iBAAiB;AAEtD,QAAM,UAAU,QAAQ,QAAQ,QAAQ,EAAE;AAC1C,QAAM,YAAY,IAAI,WAAW,QAAQ,MAAM,OAAO,EAAG,IAAI,CAAC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC;AAEpF,QAAM,MAAM,oBAAI,IAAqB;AAAA,IACnC,CAAC,GAAG,IAAI,QAAQ,IAAI,SAAS,CAAC;AAAA;AAAA,IAC9B,CAAC,GAAG,YAAY;AAAA;AAAA,IAChB,CAAC,GAAG,uBAAuB;AAAA;AAAA,IAC3B,CAAC,GAAG,OAAO;AAAA;AAAA,IACX,CAAC,GAAG,SAAS;AAAA;AAAA,IACb,CAAC,GAAG,MAAM;AAAA;AAAA,EACZ,CAAC;AAED,SAAO,OAAO,GAAG;AACnB;AAEO,SAAS,2BACd,SACA,SACA,mBACA,QACU;AACV,SAAO;AAAA,IACL,wBAAwB,SAAS,SAAS,mBAAmB,MAAM;AAAA,IACnE;AAAA,EACF;AACF;AAEO,SAAS,sBACd,SACA,SACA,mBACA,QACQ;AACR,SAAO;AAAA,IACL,wBAAwB,SAAS,SAAS,mBAAmB,MAAM;AAAA,IACnE;AAAA,EACF;AACF;;;AC5EA,IAAAC,gBAAsD;AAI/C,SAAS,kBAAkB,SAA4B;AAC5D,MAAI,QAAQ,SAAS,iBAAiB;AACpC,UAAM,IAAI,MAAM,gCAAgC,QAAQ,IAAI,EAAE;AAAA,EAChE;AAEA,QAAM,UAAM,cAAAC,QAAW,QAAQ,MAAM;AAAA,IACnC,SAAS;AAAA,IACT,MAAM,OAAO,OAAO,CAAC,GAAmB,EAAE,IAAI,CAAC,MAAe,EAAE,CAAC;AAAA,EACnE,CAAC;AAED,QAAM,WAAW,IAAI,IAAI,CAAC;AAC1B,MAAI,CAAC,YAAY,SAAS,SAAS,IAAI;AACrC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO,OAAO,CAAC,GAAG,QAAQ,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AACjF;","names":["cborDecode","import_cborg","cborDecode"]}

package/dist/index.d.cts

@@ -0,0 +1,50 @@
+import { HDKey } from '@scure/bip32';
+
+interface ScannedUR {
+    type: string;
+    cbor: Uint8Array;
+}
+type Chain = "evm" | "btc";
+interface QRKitConfig {
+    /** Which chains the dApp supports. Accounts for other chains are excluded.
+     *  If omitted, all supported chains are tried. */
+    chains?: Chain[];
+}
+interface EvmAccount {
+    chain: "evm";
+    address: string;
+    publicKey: string;
+    /** source-fingerprint from the scanned xpub — required by Shell for signing */
+    sourceFingerprint: number | undefined;
+}
+type Account = EvmAccount;
+
+type XpubType = "xpub";
+interface ParsedXpub {
+    hdKey: HDKey;
+    type: XpubType;
+    /** BIP-44 purpose index: 44 for EVM */
+    purpose: number | undefined;
+    /** BIP-44 coin type: 60 = ETH */
+    coinType: number | undefined;
+    /** source-fingerprint from the origin keypath — required by Shell for signing */
+    sourceFingerprint: number | undefined;
+    raw: string;
+}
+
+/**
+ * Parse a connection QR (crypto-hdkey or crypto-account) and return
+ * only the accounts for the chains configured in QRKitConfig.
+ *
+ * A dApp configured with `chains: ["evm"]` will never see BTC accounts,
+ * and vice versa. Both chains can be enabled with `chains: ["evm", "btc"]`.
+ * If `chains` is omitted, all supported chains are tried.
+ */
+declare function parseConnection(scannedUR: ScannedUR, config?: QRKitConfig): Account[];
+
+declare function buildEthSignRequestURParts(message: string, address: string, sourceFingerprint: number | undefined, origin?: string): string[];
+declare function buildEthSignRequestUR(message: string, address: string, sourceFingerprint: number | undefined, origin?: string): string;
+
+declare function parseEthSignature(scanned: ScannedUR): string;
+
+export { type Account, type Chain, type EvmAccount, type ParsedXpub, type QRKitConfig, type ScannedUR, type XpubType, buildEthSignRequestUR, buildEthSignRequestURParts, parseConnection, parseEthSignature };

package/dist/index.d.ts

@@ -0,0 +1,50 @@
+import { HDKey } from '@scure/bip32';
+
+interface ScannedUR {
+    type: string;
+    cbor: Uint8Array;
+}
+type Chain = "evm" | "btc";
+interface QRKitConfig {
+    /** Which chains the dApp supports. Accounts for other chains are excluded.
+     *  If omitted, all supported chains are tried. */
+    chains?: Chain[];
+}
+interface EvmAccount {
+    chain: "evm";
+    address: string;
+    publicKey: string;
+    /** source-fingerprint from the scanned xpub — required by Shell for signing */
+    sourceFingerprint: number | undefined;
+}
+type Account = EvmAccount;
+
+type XpubType = "xpub";
+interface ParsedXpub {
+    hdKey: HDKey;
+    type: XpubType;
+    /** BIP-44 purpose index: 44 for EVM */
+    purpose: number | undefined;
+    /** BIP-44 coin type: 60 = ETH */
+    coinType: number | undefined;
+    /** source-fingerprint from the origin keypath — required by Shell for signing */
+    sourceFingerprint: number | undefined;
+    raw: string;
+}
+
+/**
+ * Parse a connection QR (crypto-hdkey or crypto-account) and return
+ * only the accounts for the chains configured in QRKitConfig.
+ *
+ * A dApp configured with `chains: ["evm"]` will never see BTC accounts,
+ * and vice versa. Both chains can be enabled with `chains: ["evm", "btc"]`.
+ * If `chains` is omitted, all supported chains are tried.
+ */
+declare function parseConnection(scannedUR: ScannedUR, config?: QRKitConfig): Account[];
+
+declare function buildEthSignRequestURParts(message: string, address: string, sourceFingerprint: number | undefined, origin?: string): string[];
+declare function buildEthSignRequestUR(message: string, address: string, sourceFingerprint: number | undefined, origin?: string): string;
+
+declare function parseEthSignature(scanned: ScannedUR): string;
+
+export { type Account, type Chain, type EvmAccount, type ParsedXpub, type QRKitConfig, type ScannedUR, type XpubType, buildEthSignRequestUR, buildEthSignRequestURParts, parseConnection, parseEthSignature };

package/dist/index.js

@@ -0,0 +1,269 @@
+// src/parseXpub.ts
+import { HDKey } from "@scure/bip32";
+import { decode as cborDecode } from "cborg";
+function get(m, k) {
+  if (m instanceof Map) return m.get(k);
+  return void 0;
+}
+var passthrough = (v) => v;
+function decodeCbor(cbor) {
+  return cborDecode(cbor, {
+    useMaps: true,
+    tags: Object.assign([], {
+      303: passthrough,
+      // crypto-hdkey
+      304: passthrough,
+      // crypto-keypath
+      305: passthrough
+      // crypto-coin-info
+    })
+  });
+}
+function parseCryptoHdKey(map, raw) {
+  const keyData = get(map, 3);
+  const chainCode = get(map, 4);
+  if (!keyData || !chainCode) {
+    throw new Error("crypto-hdkey missing key-data or chain-code");
+  }
+  let purpose;
+  let coinType;
+  let sourceFingerprint;
+  const origin = get(map, 6);
+  if (origin) {
+    const components = get(origin, 1);
+    if (Array.isArray(components)) {
+      if (components.length >= 1) purpose = components[0];
+      if (components.length >= 3) coinType = components[2];
+    }
+    sourceFingerprint = get(origin, 2);
+  }
+  const hdKey = new HDKey({ publicKey: keyData, chainCode });
+  return { hdKey, type: "xpub", purpose, coinType, sourceFingerprint, raw };
+}
+function parseScannedUR(scanned) {
+  const { type, cbor } = scanned;
+  const raw = `ur:${type}`;
+  if (type !== "crypto-hdkey" && type !== "crypto-account") {
+    throw new Error(`Unsupported UR type: ${type}`);
+  }
+  const map = decodeCbor(cbor);
+  if (type === "crypto-hdkey") {
+    return parseCryptoHdKey(map, raw);
+  }
+  const accounts = map.get(2);
+  if (!Array.isArray(accounts) || accounts.length === 0) {
+    throw new Error("crypto-account contains no keys");
+  }
+  return accounts.map((entry) => parseCryptoHdKey(entry, raw));
+}
+function parseXpub(input) {
+  if (typeof input !== "string") {
+    const result = parseScannedUR(input);
+    return Array.isArray(result) ? result : [result];
+  }
+  const hdKey = HDKey.fromExtendedKey(input.trim());
+  return [
+    {
+      hdKey,
+      type: "xpub",
+      purpose: void 0,
+      coinType: void 0,
+      sourceFingerprint: void 0,
+      raw: input.trim()
+    }
+  ];
+}
+
+// src/eth/address.ts
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import * as secp from "@noble/secp256k1";
+function pubKeyToEthAddress(compressedPubKey) {
+  const uncompressed = secp.Point.fromBytes(compressedPubKey).toBytes(false);
+  const hash = keccak_256(uncompressed.slice(1));
+  const hex = [...hash.slice(12)].map((b) => b.toString(16).padStart(2, "0")).join("");
+  return toChecksumAddress(hex);
+}
+function toChecksumAddress(hex) {
+  const checksumHash = keccak_256(new TextEncoder().encode(hex));
+  return "0x" + [...hex].map((c, i) => {
+    if (c >= "0" && c <= "9") return c;
+    const nibble = i % 2 === 0 ? checksumHash[Math.floor(i / 2)] >> 4 & 15 : checksumHash[Math.floor(i / 2)] & 15;
+    return nibble >= 8 ? c.toUpperCase() : c.toLowerCase();
+  }).join("");
+}
+
+// src/eth/deriveAccount.ts
+function firstChild(accountKey) {
+  return accountKey.deriveChild(0).deriveChild(0);
+}
+function toHex(bytes) {
+  return [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function deriveEvmAccount(parsed) {
+  for (const entry of parsed) {
+    const { hdKey, purpose, coinType, type, sourceFingerprint } = entry;
+    const isEvm = purpose === 44 && coinType === 60 || purpose === void 0 && type === "xpub";
+    if (!isEvm) continue;
+    const child = firstChild(hdKey);
+    if (!child.publicKey) continue;
+    return {
+      address: pubKeyToEthAddress(child.publicKey),
+      publicKey: toHex(child.publicKey),
+      sourceFingerprint
+    };
+  }
+  return void 0;
+}
+
+// src/parseConnection.ts
+var ALL_CHAINS = ["evm", "btc"];
+function parseConnection(scannedUR, config = {}) {
+  const chains = config.chains ?? ALL_CHAINS;
+  const parsed = parseXpub(scannedUR);
+  const accounts = [];
+  if (chains.includes("evm")) {
+    const account = deriveEvmAccount(parsed);
+    if (account) {
+      accounts.push({ chain: "evm", ...account });
+    }
+  }
+  return accounts;
+}
+
+// src/cbor.ts
+function majorType(major, n) {
+  const base = major << 5;
+  if (n <= 23) return [base | n];
+  if (n <= 255) return [base | 24, n];
+  if (n <= 65535) return [base | 25, n >> 8 & 255, n & 255];
+  return [base | 26, n >> 24 & 255, n >> 16 & 255, n >> 8 & 255, n & 255];
+}
+function encodeItem(value) {
+  if (typeof value === "boolean") {
+    return [value ? 245 : 244];
+  }
+  if (typeof value === "number") {
+    return majorType(0, value);
+  }
+  if (value instanceof Uint8Array) {
+    return [...majorType(2, value.length), ...value];
+  }
+  if (typeof value === "string") {
+    const bytes = new TextEncoder().encode(value);
+    return [...majorType(3, bytes.length), ...bytes];
+  }
+  if (Array.isArray(value)) {
+    return [...majorType(4, value.length), ...value.flatMap(encodeItem)];
+  }
+  if (value instanceof CborTag) {
+    return [...majorType(6, value.tag), ...encodeItem(value.value)];
+  }
+  if (value instanceof Map) {
+    const entries = [...value.entries()];
+    return [
+      ...majorType(5, entries.length),
+      ...entries.flatMap(([k, v]) => [...encodeItem(k), ...encodeItem(v)])
+    ];
+  }
+  throw new Error(`Unsupported CBOR value: ${typeof value}`);
+}
+var CborTag = class {
+  tag;
+  value;
+  constructor(tag, value) {
+    this.tag = tag;
+    this.value = value;
+  }
+};
+function encode(value) {
+  return new Uint8Array(encodeItem(value));
+}
+
+// src/urEncoding.ts
+import { UR, UREncoder } from "@ngraveio/bc-ur";
+function encodeURParts(cbor, type, maxFragmentLength = 200) {
+  const ur = new UR(Buffer.from(cbor), type);
+  const encoder = new UREncoder(ur, maxFragmentLength);
+  return Array.from(
+    { length: encoder.fragmentsLength },
+    () => encoder.nextPart().toUpperCase()
+  );
+}
+function encodeURFirstPart(cbor, type, maxFragmentLength = 200) {
+  return encodeURParts(cbor, type, maxFragmentLength)[0];
+}
+
+// src/eth/signRequest.ts
+var DATA_TYPE_ETH_RAW_BYTES = 3;
+var TAG_KEYPATH = 304;
+function randomBytes(n) {
+  const buf = new Uint8Array(n);
+  crypto.getRandomValues(buf);
+  return buf;
+}
+function buildKeypath(purpose, coinType, sourceFingerprint) {
+  const components = [purpose, true, coinType, true, 0, true, 0, false, 0, false];
+  const keypathMap = /* @__PURE__ */ new Map([[1, components]]);
+  if (sourceFingerprint !== void 0) {
+    keypathMap.set(2, sourceFingerprint);
+  }
+  return new CborTag(TAG_KEYPATH, keypathMap);
+}
+function buildEthSignRequestCbor(message, address, sourceFingerprint, origin = "qrkit") {
+  const requestId = randomBytes(16);
+  const messageBytes = new TextEncoder().encode(message);
+  const keypath = buildKeypath(44, 60, sourceFingerprint);
+  const addrHex = address.replace(/^0x/i, "");
+  const addrBytes = new Uint8Array(addrHex.match(/.{2}/g).map((b) => parseInt(b, 16)));
+  const map = /* @__PURE__ */ new Map([
+    [1, new CborTag(37, requestId)],
+    // request-id: uuid = #6.37(bstr)
+    [2, messageBytes],
+    // sign-data
+    [3, DATA_TYPE_ETH_RAW_BYTES],
+    // data-type: eth-raw-bytes for EIP-191
+    [5, keypath],
+    // derivation-path
+    [6, addrBytes],
+    // address
+    [7, origin]
+    // origin
+  ]);
+  return encode(map);
+}
+function buildEthSignRequestURParts(message, address, sourceFingerprint, origin) {
+  return encodeURParts(
+    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),
+    "eth-sign-request"
+  );
+}
+function buildEthSignRequestUR(message, address, sourceFingerprint, origin) {
+  return encodeURFirstPart(
+    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),
+    "eth-sign-request"
+  );
+}
+
+// src/eth/signature.ts
+import { decode as cborDecode2 } from "cborg";
+function parseEthSignature(scanned) {
+  if (scanned.type !== "eth-signature") {
+    throw new Error(`Expected eth-signature, got: ${scanned.type}`);
+  }
+  const map = cborDecode2(scanned.cbor, {
+    useMaps: true,
+    tags: Object.assign([], { 37: (v) => v })
+  });
+  const sigBytes = map.get(2);
+  if (!sigBytes || sigBytes.length < 64) {
+    throw new Error("Invalid or missing signature bytes");
+  }
+  return "0x" + [...sigBytes].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+export {
+  buildEthSignRequestUR,
+  buildEthSignRequestURParts,
+  parseConnection,
+  parseEthSignature
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/parseXpub.ts","../src/eth/address.ts","../src/eth/deriveAccount.ts","../src/parseConnection.ts","../src/cbor.ts","../src/urEncoding.ts","../src/eth/signRequest.ts","../src/eth/signature.ts"],"sourcesContent":["import { HDKey } from \"@scure/bip32\";\nimport { decode as cborDecode, type TagDecoder } from \"cborg\";\n\nimport type { ScannedUR } from \"./types.js\";\n\nexport type XpubType = \"xpub\";\n\nexport interface ParsedXpub {\n  hdKey: HDKey;\n  type: XpubType;\n  /** BIP-44 purpose index: 44 for EVM */\n  purpose: number | undefined;\n  /** BIP-44 coin type: 60 = ETH */\n  coinType: number | undefined;\n  /** source-fingerprint from the origin keypath — required by Shell for signing */\n  sourceFingerprint: number | undefined;\n  raw: string;\n}\n\nfunction get(m: unknown, k: number): unknown {\n  if (m instanceof Map) return (m as Map<number, unknown>).get(k);\n  return undefined;\n}\n\nconst passthrough = (v: unknown) => v;\n\nfunction decodeCbor(cbor: Uint8Array): Map<number, unknown> {\n  return cborDecode(cbor, {\n    useMaps: true,\n    tags: Object.assign([] as TagDecoder[], {\n      303: passthrough, // crypto-hdkey\n      304: passthrough, // crypto-keypath\n      305: passthrough, // crypto-coin-info\n    }),\n  }) as Map<number, unknown>;\n}\n\nfunction parseCryptoHdKey(map: unknown, raw: string): ParsedXpub {\n  const keyData = get(map, 3) as Uint8Array | undefined;\n  const chainCode = get(map, 4) as Uint8Array | undefined;\n\n  if (!keyData || !chainCode) {\n    throw new Error(\"crypto-hdkey missing key-data or chain-code\");\n  }\n\n  let purpose: number | undefined;\n  let coinType: number | undefined;\n  let sourceFingerprint: number | undefined;\n  const origin = get(map, 6);\n  if (origin) {\n    const components = get(origin, 1);\n    if (Array.isArray(components)) {\n      if (components.length >= 1) purpose = components[0] as number;\n      if (components.length >= 3) coinType = components[2] as number;\n    }\n    sourceFingerprint = get(origin, 2) as number | undefined;\n  }\n\n  const hdKey = new HDKey({ publicKey: keyData, chainCode });\n  return { hdKey, type: \"xpub\", purpose, coinType, sourceFingerprint, raw };\n}\n\nfunction parseScannedUR(scanned: ScannedUR): ParsedXpub | ParsedXpub[] {\n  const { type, cbor } = scanned;\n  const raw = `ur:${type}`;\n\n  if (type !== \"crypto-hdkey\" && type !== \"crypto-account\") {\n    throw new Error(`Unsupported UR type: ${type}`);\n  }\n\n  const map = decodeCbor(cbor);\n\n  if (type === \"crypto-hdkey\") {\n    return parseCryptoHdKey(map, raw);\n  }\n\n  const accounts = map.get(2) as unknown[] | undefined;\n  if (!Array.isArray(accounts) || accounts.length === 0) {\n    throw new Error(\"crypto-account contains no keys\");\n  }\n  return accounts.map((entry) => parseCryptoHdKey(entry, raw));\n}\n\nexport function parseXpub(input: ScannedUR | string): ParsedXpub[] {\n  if (typeof input !== \"string\") {\n    const result = parseScannedUR(input);\n    return Array.isArray(result) ? result : [result];\n  }\n  // Raw base58 xpub string — @scure/bip32 handles decoding directly\n  const hdKey = HDKey.fromExtendedKey(input.trim());\n  return [\n    {\n      hdKey,\n      type: \"xpub\",\n      purpose: undefined,\n      coinType: undefined,\n      sourceFingerprint: undefined,\n      raw: input.trim(),\n    },\n  ];\n}\n","import { keccak_256 } from \"@noble/hashes/sha3.js\";\nimport * as secp from \"@noble/secp256k1\";\n\nexport function pubKeyToEthAddress(compressedPubKey: Uint8Array): string {\n  const uncompressed = secp.Point.fromBytes(compressedPubKey).toBytes(false);\n  const hash = keccak_256(uncompressed.slice(1));\n  const hex = [...hash.slice(12)]\n    .map((b: number) => b.toString(16).padStart(2, \"0\"))\n    .join(\"\");\n  return toChecksumAddress(hex);\n}\n\nfunction toChecksumAddress(hex: string): string {\n  const checksumHash = keccak_256(new TextEncoder().encode(hex));\n  return (\n    \"0x\" +\n    [...hex]\n      .map((c, i) => {\n        if (c >= \"0\" && c <= \"9\") return c;\n        const nibble =\n          i % 2 === 0\n            ? (checksumHash[Math.floor(i / 2)] >> 4) & 0xf\n            : checksumHash[Math.floor(i / 2)] & 0xf;\n        return nibble >= 8 ? c.toUpperCase() : c.toLowerCase();\n      })\n      .join(\"\")\n  );\n}\n","import type { HDKey } from \"@scure/bip32\";\n\nimport type { ParsedXpub } from \"../parseXpub.js\";\nimport { pubKeyToEthAddress } from \"./address.js\";\n\nexport interface DerivedAccount {\n  address: string;\n  publicKey: string;\n  /** source-fingerprint from the scanned xpub — required by Shell for signing */\n  sourceFingerprint: number | undefined;\n}\n\n// Derive the first external address (index 0) from an account-level xpub.\n// Account-level xpub is at depth 3 (m/purpose'/coin'/account').\n// External chain is child 0, then address index 0.\nfunction firstChild(accountKey: HDKey): HDKey {\n  return accountKey.deriveChild(0).deriveChild(0);\n}\n\nfunction toHex(bytes: Uint8Array): string {\n  return [...bytes].map((b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n\nexport function deriveEvmAccount(parsed: ParsedXpub[]): DerivedAccount | undefined {\n  for (const entry of parsed) {\n    const { hdKey, purpose, coinType, type, sourceFingerprint } = entry;\n    const isEvm =\n      (purpose === 44 && coinType === 60) || (purpose === undefined && type === \"xpub\");\n\n    if (!isEvm) continue;\n\n    const child = firstChild(hdKey);\n    if (!child.publicKey) continue;\n\n    return {\n      address: pubKeyToEthAddress(child.publicKey),\n      publicKey: toHex(child.publicKey),\n      sourceFingerprint,\n    };\n  }\n  return undefined;\n}\n","import { parseXpub } from \"./parseXpub.js\";\nimport { deriveEvmAccount } from \"./eth/deriveAccount.js\";\nimport type { Account, Chain, EvmAccount, QRKitConfig, ScannedUR } from \"./types.js\";\n\nconst ALL_CHAINS: Chain[] = [\"evm\", \"btc\"];\n\n/**\n * Parse a connection QR (crypto-hdkey or crypto-account) and return\n * only the accounts for the chains configured in QRKitConfig.\n *\n * A dApp configured with `chains: [\"evm\"]` will never see BTC accounts,\n * and vice versa. Both chains can be enabled with `chains: [\"evm\", \"btc\"]`.\n * If `chains` is omitted, all supported chains are tried.\n */\nexport function parseConnection(\n  scannedUR: ScannedUR,\n  config: QRKitConfig = {},\n): Account[] {\n  const chains = config.chains ?? ALL_CHAINS;\n  const parsed = parseXpub(scannedUR);\n  const accounts: Account[] = [];\n\n  if (chains.includes(\"evm\")) {\n    const account = deriveEvmAccount(parsed);\n    if (account) {\n      accounts.push({ chain: \"evm\", ...account } satisfies EvmAccount);\n    }\n  }\n\n  // \"btc\" — will be implemented in src/btc/ when Bitcoin support is added.\n\n  return accounts;\n}\n","// Minimal CBOR encoder.\n// Supports only the types needed for eth-sign-request: uint, bytes, text, array, map (integer keys), bool, tag.\n\nfunction majorType(major: number, n: number): number[] {\n  const base = major << 5;\n  if (n <= 23) return [base | n];\n  if (n <= 0xff) return [base | 0x18, n];\n  if (n <= 0xffff) return [base | 0x19, (n >> 8) & 0xff, n & 0xff];\n  return [base | 0x1a, (n >> 24) & 0xff, (n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff];\n}\n\nexport function encodeItem(value: unknown): number[] {\n  if (typeof value === \"boolean\") {\n    return [value ? 0xf5 : 0xf4];\n  }\n  if (typeof value === \"number\") {\n    return majorType(0, value);\n  }\n  if (value instanceof Uint8Array) {\n    return [...majorType(2, value.length), ...value];\n  }\n  if (typeof value === \"string\") {\n    const bytes = new TextEncoder().encode(value);\n    return [...majorType(3, bytes.length), ...bytes];\n  }\n  if (Array.isArray(value)) {\n    return [...majorType(4, value.length), ...value.flatMap(encodeItem)];\n  }\n  if (value instanceof CborTag) {\n    return [...majorType(6, value.tag), ...encodeItem(value.value)];\n  }\n  if (value instanceof Map) {\n    const entries = [...value.entries()];\n    return [\n      ...majorType(5, entries.length),\n      ...entries.flatMap(([k, v]) => [...encodeItem(k), ...encodeItem(v)]),\n    ];\n  }\n  throw new Error(`Unsupported CBOR value: ${typeof value}`);\n}\n\nexport class CborTag {\n  tag: number;\n  value: unknown;\n  constructor(tag: number, value: unknown) {\n    this.tag = tag;\n    this.value = value;\n  }\n}\n\nexport function encode(value: unknown): Uint8Array {\n  return new Uint8Array(encodeItem(value));\n}\n","import { UR, UREncoder } from \"@ngraveio/bc-ur\";\n\nexport function encodeURParts(\n  cbor: Uint8Array,\n  type: string,\n  maxFragmentLength = 200,\n): string[] {\n  // @ngraveio/bc-ur requires a Buffer. In Node.js it is a global; in browsers the\n  // bundler must provide the `buffer` polyfill (same requirement as the prototype).\n  const ur = new UR(Buffer.from(cbor), type);\n  const encoder = new UREncoder(ur, maxFragmentLength);\n  return Array.from({ length: encoder.fragmentsLength }, () =>\n    encoder.nextPart().toUpperCase(),\n  );\n}\n\nexport function encodeURFirstPart(\n  cbor: Uint8Array,\n  type: string,\n  maxFragmentLength = 200,\n): string {\n  return encodeURParts(cbor, type, maxFragmentLength)[0];\n}\n","import { encode, CborTag } from \"../cbor.js\";\nimport { encodeURFirstPart, encodeURParts } from \"../urEncoding.js\";\n\n// EIP-191 personal_sign = eth-raw-bytes (ERC-4527 data type 3)\nconst DATA_TYPE_ETH_RAW_BYTES = 3;\n\n// CBOR tag for crypto-keypath\nconst TAG_KEYPATH = 304;\n\nfunction randomBytes(n: number): Uint8Array {\n  const buf = new Uint8Array(n);\n  crypto.getRandomValues(buf);\n  return buf;\n}\n\nfunction buildKeypath(\n  purpose: number,\n  coinType: number,\n  sourceFingerprint: number | undefined,\n): CborTag {\n  // m/purpose'/coinType'/0'/0/0\n  const components = [purpose, true, coinType, true, 0, true, 0, false, 0, false];\n  const keypathMap = new Map<number, unknown>([[1, components]]);\n  if (sourceFingerprint !== undefined) {\n    keypathMap.set(2, sourceFingerprint);\n  }\n  return new CborTag(TAG_KEYPATH, keypathMap);\n}\n\nfunction buildEthSignRequestCbor(\n  message: string,\n  address: string,\n  sourceFingerprint: number | undefined,\n  origin = \"qrkit\",\n): Uint8Array {\n  const requestId = randomBytes(16);\n  const messageBytes = new TextEncoder().encode(message);\n  const keypath = buildKeypath(44, 60, sourceFingerprint);\n\n  const addrHex = address.replace(/^0x/i, \"\");\n  const addrBytes = new Uint8Array(addrHex.match(/.{2}/g)!.map((b) => parseInt(b, 16)));\n\n  const map = new Map<number, unknown>([\n    [1, new CborTag(37, requestId)], // request-id: uuid = #6.37(bstr)\n    [2, messageBytes], // sign-data\n    [3, DATA_TYPE_ETH_RAW_BYTES], // data-type: eth-raw-bytes for EIP-191\n    [5, keypath], // derivation-path\n    [6, addrBytes], // address\n    [7, origin], // origin\n  ]);\n\n  return encode(map);\n}\n\nexport function buildEthSignRequestURParts(\n  message: string,\n  address: string,\n  sourceFingerprint: number | undefined,\n  origin?: string,\n): string[] {\n  return encodeURParts(\n    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),\n    \"eth-sign-request\",\n  );\n}\n\nexport function buildEthSignRequestUR(\n  message: string,\n  address: string,\n  sourceFingerprint: number | undefined,\n  origin?: string,\n): string {\n  return encodeURFirstPart(\n    buildEthSignRequestCbor(message, address, sourceFingerprint, origin),\n    \"eth-sign-request\",\n  );\n}\n","import { decode as cborDecode, type TagDecoder } from \"cborg\";\n\nimport type { ScannedUR } from \"../types.js\";\n\nexport function parseEthSignature(scanned: ScannedUR): string {\n  if (scanned.type !== \"eth-signature\") {\n    throw new Error(`Expected eth-signature, got: ${scanned.type}`);\n  }\n\n  const map = cborDecode(scanned.cbor, {\n    useMaps: true,\n    tags: Object.assign([] as TagDecoder[], { 37: (v: unknown) => v }),\n  }) as Map<number, unknown>;\n\n  const sigBytes = map.get(2) as Uint8Array | undefined;\n  if (!sigBytes || sigBytes.length < 64) {\n    throw new Error(\"Invalid or missing signature bytes\");\n  }\n\n  return \"0x\" + [...sigBytes].map((b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n"],"mappings":";AAAA,SAAS,aAAa;AACtB,SAAS,UAAU,kBAAmC;AAkBtD,SAAS,IAAI,GAAY,GAAoB;AAC3C,MAAI,aAAa,IAAK,QAAQ,EAA2B,IAAI,CAAC;AAC9D,SAAO;AACT;AAEA,IAAM,cAAc,CAAC,MAAe;AAEpC,SAAS,WAAW,MAAwC;AAC1D,SAAO,WAAW,MAAM;AAAA,IACtB,SAAS;AAAA,IACT,MAAM,OAAO,OAAO,CAAC,GAAmB;AAAA,MACtC,KAAK;AAAA;AAAA,MACL,KAAK;AAAA;AAAA,MACL,KAAK;AAAA;AAAA,IACP,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,iBAAiB,KAAc,KAAyB;AAC/D,QAAM,UAAU,IAAI,KAAK,CAAC;AAC1B,QAAM,YAAY,IAAI,KAAK,CAAC;AAE5B,MAAI,CAAC,WAAW,CAAC,WAAW;AAC1B,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AAEA,MAAI;AACJ,MAAI;AACJ,MAAI;AACJ,QAAM,SAAS,IAAI,KAAK,CAAC;AACzB,MAAI,QAAQ;AACV,UAAM,aAAa,IAAI,QAAQ,CAAC;AAChC,QAAI,MAAM,QAAQ,UAAU,GAAG;AAC7B,UAAI,WAAW,UAAU,EAAG,WAAU,WAAW,CAAC;AAClD,UAAI,WAAW,UAAU,EAAG,YAAW,WAAW,CAAC;AAAA,IACrD;AACA,wBAAoB,IAAI,QAAQ,CAAC;AAAA,EACnC;AAEA,QAAM,QAAQ,IAAI,MAAM,EAAE,WAAW,SAAS,UAAU,CAAC;AACzD,SAAO,EAAE,OAAO,MAAM,QAAQ,SAAS,UAAU,mBAAmB,IAAI;AAC1E;AAEA,SAAS,eAAe,SAA+C;AACrE,QAAM,EAAE,MAAM,KAAK,IAAI;AACvB,QAAM,MAAM,MAAM,IAAI;AAEtB,MAAI,SAAS,kBAAkB,SAAS,kBAAkB;AACxD,UAAM,IAAI,MAAM,wBAAwB,IAAI,EAAE;AAAA,EAChD;AAEA,QAAM,MAAM,WAAW,IAAI;AAE3B,MAAI,SAAS,gBAAgB;AAC3B,WAAO,iBAAiB,KAAK,GAAG;AAAA,EAClC;AAEA,QAAM,WAAW,IAAI,IAAI,CAAC;AAC1B,MAAI,CAAC,MAAM,QAAQ,QAAQ,KAAK,SAAS,WAAW,GAAG;AACrD,UAAM,IAAI,MAAM,iCAAiC;AAAA,EACnD;AACA,SAAO,SAAS,IAAI,CAAC,UAAU,iBAAiB,OAAO,GAAG,CAAC;AAC7D;AAEO,SAAS,UAAU,OAAyC;AACjE,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,SAAS,eAAe,KAAK;AACnC,WAAO,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC,MAAM;AAAA,EACjD;AAEA,QAAM,QAAQ,MAAM,gBAAgB,MAAM,KAAK,CAAC;AAChD,SAAO;AAAA,IACL;AAAA,MACE;AAAA,MACA,MAAM;AAAA,MACN,SAAS;AAAA,MACT,UAAU;AAAA,MACV,mBAAmB;AAAA,MACnB,KAAK,MAAM,KAAK;AAAA,IAClB;AAAA,EACF;AACF;;;ACpGA,SAAS,kBAAkB;AAC3B,YAAY,UAAU;AAEf,SAAS,mBAAmB,kBAAsC;AACvE,QAAM,eAAoB,WAAM,UAAU,gBAAgB,EAAE,QAAQ,KAAK;AACzE,QAAM,OAAO,WAAW,aAAa,MAAM,CAAC,CAAC;AAC7C,QAAM,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC,EAC3B,IAAI,CAAC,MAAc,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAClD,KAAK,EAAE;AACV,SAAO,kBAAkB,GAAG;AAC9B;AAEA,SAAS,kBAAkB,KAAqB;AAC9C,QAAM,eAAe,WAAW,IAAI,YAAY,EAAE,OAAO,GAAG,CAAC;AAC7D,SACE,OACA,CAAC,GAAG,GAAG,EACJ,IAAI,CAAC,GAAG,MAAM;AACb,QAAI,KAAK,OAAO,KAAK,IAAK,QAAO;AACjC,UAAM,SACJ,IAAI,MAAM,IACL,aAAa,KAAK,MAAM,IAAI,CAAC,CAAC,KAAK,IAAK,KACzC,aAAa,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI;AACxC,WAAO,UAAU,IAAI,EAAE,YAAY,IAAI,EAAE,YAAY;AAAA,EACvD,CAAC,EACA,KAAK,EAAE;AAEd;;;ACZA,SAAS,WAAW,YAA0B;AAC5C,SAAO,WAAW,YAAY,CAAC,EAAE,YAAY,CAAC;AAChD;AAEA,SAAS,MAAM,OAA2B;AACxC,SAAO,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AACvE;AAEO,SAAS,iBAAiB,QAAkD;AACjF,aAAW,SAAS,QAAQ;AAC1B,UAAM,EAAE,OAAO,SAAS,UAAU,MAAM,kBAAkB,IAAI;AAC9D,UAAM,QACH,YAAY,MAAM,aAAa,MAAQ,YAAY,UAAa,SAAS;AAE5E,QAAI,CAAC,MAAO;AAEZ,UAAM,QAAQ,WAAW,KAAK;AAC9B,QAAI,CAAC,MAAM,UAAW;AAEtB,WAAO;AAAA,MACL,SAAS,mBAAmB,MAAM,SAAS;AAAA,MAC3C,WAAW,MAAM,MAAM,SAAS;AAAA,MAChC;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACrCA,IAAM,aAAsB,CAAC,OAAO,KAAK;AAUlC,SAAS,gBACd,WACA,SAAsB,CAAC,GACZ;AACX,QAAM,SAAS,OAAO,UAAU;AAChC,QAAM,SAAS,UAAU,SAAS;AAClC,QAAM,WAAsB,CAAC;AAE7B,MAAI,OAAO,SAAS,KAAK,GAAG;AAC1B,UAAM,UAAU,iBAAiB,MAAM;AACvC,QAAI,SAAS;AACX,eAAS,KAAK,EAAE,OAAO,OAAO,GAAG,QAAQ,CAAsB;AAAA,IACjE;AAAA,EACF;AAIA,SAAO;AACT;;;AC7BA,SAAS,UAAU,OAAe,GAAqB;AACrD,QAAM,OAAO,SAAS;AACtB,MAAI,KAAK,GAAI,QAAO,CAAC,OAAO,CAAC;AAC7B,MAAI,KAAK,IAAM,QAAO,CAAC,OAAO,IAAM,CAAC;AACrC,MAAI,KAAK,MAAQ,QAAO,CAAC,OAAO,IAAO,KAAK,IAAK,KAAM,IAAI,GAAI;AAC/D,SAAO,CAAC,OAAO,IAAO,KAAK,KAAM,KAAO,KAAK,KAAM,KAAO,KAAK,IAAK,KAAM,IAAI,GAAI;AACpF;AAEO,SAAS,WAAW,OAA0B;AACnD,MAAI,OAAO,UAAU,WAAW;AAC9B,WAAO,CAAC,QAAQ,MAAO,GAAI;AAAA,EAC7B;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,WAAO,UAAU,GAAG,KAAK;AAAA,EAC3B;AACA,MAAI,iBAAiB,YAAY;AAC/B,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,MAAM,GAAG,GAAG,KAAK;AAAA,EACjD;AACA,MAAI,OAAO,UAAU,UAAU;AAC7B,UAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAC5C,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,MAAM,GAAG,GAAG,KAAK;AAAA,EACjD;AACA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,MAAM,GAAG,GAAG,MAAM,QAAQ,UAAU,CAAC;AAAA,EACrE;AACA,MAAI,iBAAiB,SAAS;AAC5B,WAAO,CAAC,GAAG,UAAU,GAAG,MAAM,GAAG,GAAG,GAAG,WAAW,MAAM,KAAK,CAAC;AAAA,EAChE;AACA,MAAI,iBAAiB,KAAK;AACxB,UAAM,UAAU,CAAC,GAAG,MAAM,QAAQ,CAAC;AACnC,WAAO;AAAA,MACL,GAAG,UAAU,GAAG,QAAQ,MAAM;AAAA,MAC9B,GAAG,QAAQ,QAAQ,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,WAAW,CAAC,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC;AAAA,IACrE;AAAA,EACF;AACA,QAAM,IAAI,MAAM,2BAA2B,OAAO,KAAK,EAAE;AAC3D;AAEO,IAAM,UAAN,MAAc;AAAA,EACnB;AAAA,EACA;AAAA,EACA,YAAY,KAAa,OAAgB;AACvC,SAAK,MAAM;AACX,SAAK,QAAQ;AAAA,EACf;AACF;AAEO,SAAS,OAAO,OAA4B;AACjD,SAAO,IAAI,WAAW,WAAW,KAAK,CAAC;AACzC;;;ACpDA,SAAS,IAAI,iBAAiB;AAEvB,SAAS,cACd,MACA,MACA,oBAAoB,KACV;AAGV,QAAM,KAAK,IAAI,GAAG,OAAO,KAAK,IAAI,GAAG,IAAI;AACzC,QAAM,UAAU,IAAI,UAAU,IAAI,iBAAiB;AACnD,SAAO,MAAM;AAAA,IAAK,EAAE,QAAQ,QAAQ,gBAAgB;AAAA,IAAG,MACrD,QAAQ,SAAS,EAAE,YAAY;AAAA,EACjC;AACF;AAEO,SAAS,kBACd,MACA,MACA,oBAAoB,KACZ;AACR,SAAO,cAAc,MAAM,MAAM,iBAAiB,EAAE,CAAC;AACvD;;;AClBA,IAAM,0BAA0B;AAGhC,IAAM,cAAc;AAEpB,SAAS,YAAY,GAAuB;AAC1C,QAAM,MAAM,IAAI,WAAW,CAAC;AAC5B,SAAO,gBAAgB,GAAG;AAC1B,SAAO;AACT;AAEA,SAAS,aACP,SACA,UACA,mBACS;AAET,QAAM,aAAa,CAAC,SAAS,MAAM,UAAU,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,KAAK;AAC9E,QAAM,aAAa,oBAAI,IAAqB,CAAC,CAAC,GAAG,UAAU,CAAC,CAAC;AAC7D,MAAI,sBAAsB,QAAW;AACnC,eAAW,IAAI,GAAG,iBAAiB;AAAA,EACrC;AACA,SAAO,IAAI,QAAQ,aAAa,UAAU;AAC5C;AAEA,SAAS,wBACP,SACA,SACA,mBACA,SAAS,SACG;AACZ,QAAM,YAAY,YAAY,EAAE;AAChC,QAAM,eAAe,IAAI,YAAY,EAAE,OAAO,OAAO;AACrD,QAAM,UAAU,aAAa,IAAI,IAAI,iBAAiB;AAEtD,QAAM,UAAU,QAAQ,QAAQ,QAAQ,EAAE;AAC1C,QAAM,YAAY,IAAI,WAAW,QAAQ,MAAM,OAAO,EAAG,IAAI,CAAC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC;AAEpF,QAAM,MAAM,oBAAI,IAAqB;AAAA,IACnC,CAAC,GAAG,IAAI,QAAQ,IAAI,SAAS,CAAC;AAAA;AAAA,IAC9B,CAAC,GAAG,YAAY;AAAA;AAAA,IAChB,CAAC,GAAG,uBAAuB;AAAA;AAAA,IAC3B,CAAC,GAAG,OAAO;AAAA;AAAA,IACX,CAAC,GAAG,SAAS;AAAA;AAAA,IACb,CAAC,GAAG,MAAM;AAAA;AAAA,EACZ,CAAC;AAED,SAAO,OAAO,GAAG;AACnB;AAEO,SAAS,2BACd,SACA,SACA,mBACA,QACU;AACV,SAAO;AAAA,IACL,wBAAwB,SAAS,SAAS,mBAAmB,MAAM;AAAA,IACnE;AAAA,EACF;AACF;AAEO,SAAS,sBACd,SACA,SACA,mBACA,QACQ;AACR,SAAO;AAAA,IACL,wBAAwB,SAAS,SAAS,mBAAmB,MAAM;AAAA,IACnE;AAAA,EACF;AACF;;;AC5EA,SAAS,UAAUA,mBAAmC;AAI/C,SAAS,kBAAkB,SAA4B;AAC5D,MAAI,QAAQ,SAAS,iBAAiB;AACpC,UAAM,IAAI,MAAM,gCAAgC,QAAQ,IAAI,EAAE;AAAA,EAChE;AAEA,QAAM,MAAMA,YAAW,QAAQ,MAAM;AAAA,IACnC,SAAS;AAAA,IACT,MAAM,OAAO,OAAO,CAAC,GAAmB,EAAE,IAAI,CAAC,MAAe,EAAE,CAAC;AAAA,EACnE,CAAC;AAED,QAAM,WAAW,IAAI,IAAI,CAAC;AAC1B,MAAI,CAAC,YAAY,SAAS,SAAS,IAAI;AACrC,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,SAAO,OAAO,CAAC,GAAG,QAAQ,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AACjF;","names":["cborDecode"]}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@qrkit/core",
+  "version": "0.1.0",
+  "description": "Protocol core for QR-based airgapped wallet flows — UR decoding, xpub parsing, address derivation, sign request and signature handling.",
+  "license": "Apache-2.0",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@ngraveio/bc-ur": "^1.1.13",
+    "@noble/hashes": "^2.0.1",
+    "@noble/secp256k1": "^3.0.0",
+    "@scure/bip32": "^2.0.1",
+    "cborg": "^4.5.8"
+  },
+  "peerDependencies": {
+    "buffer": ">=6"
+  },
+  "peerDependenciesMeta": {
+    "buffer": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "eslint": "^10.2.0",
+    "tsup": "^8.4.0",
+    "tsx": "^4.21.0",
+    "typescript": "~5.9.3",
+    "vitest": "^4.1.2"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src",
+    "example": "tsx examples/eth-flow.ts"
+  }
+}