@rhinestone/sdk 1.4.1 → 1.5.0

package/dist/src/execution/utils.js

@@ -29,15 +29,18 @@ const accounts_1 = require("../accounts");
 const common_1 = require("../accounts/signing/common");
 const startale_1 = require("../accounts/startale");
 const utils_1 = require("../accounts/utils");
+const provider_1 = require("../auth/provider");
 const modules_1 = require("../modules");
 const validators_1 = require("../modules/validators");
 const core_1 = require("../modules/validators/core");
+const permit2_1 = require("../modules/validators/policies/claim/permit2");
 const orchestrator_1 = require("../orchestrator");
 const registry_1 = require("../orchestrator/registry");
 const types_1 = require("../orchestrator/types");
+const utils_2 = require("../orchestrator/utils");
 const compact_1 = require("./compact");
 const error_1 = require("./error");
-const permit2_1 = require("./permit2");
+const permit2_2 = require("./permit2");
 const singleChainOps_1 = require("./singleChainOps");
 function isResolvedSessionSignerSet(signers) {
     return (signers?.type === 'experimental_session' && 'verifyExecutions' in signers);
@@ -49,11 +52,13 @@ async function resolveSignersForChain(config, signers, chainId) {
     const resolved = resolveSessionForChain(signers, chainId);
     const enabled = await (0, validators_1.isSessionEnabled)((0, accounts_1.getAddress)(config), config.provider, resolved.session, config.useDevContracts);
     const enableData = enabled ? undefined : resolved.enableData;
+    const hasExplicitActions = !!resolved.session.actions?.length;
+    const verifyExecutions = resolved.verifyExecutions ?? signers.verifyExecutions ?? hasExplicitActions;
     return {
         type: 'experimental_session',
         session: resolved.session,
         enableData,
-        verifyExecutions: !!enableData,
+        verifyExecutions,
     };
 }
 function resolveSessionForChain(signers, chainId) {
@@ -73,9 +78,10 @@ async function prepareTransaction(config, transaction) {
     if (isUserOpSigner) {
         throw new error_1.SignerNotSupportedError();
     }
-    const intentRoute = await prepareTransactionAsIntent(config, sourceChains, targetChain, await resolveCallInputs(transaction.calls, config, targetChain, accountAddress), transaction.gasLimit, tokenRequests, recipient, sponsored, eip7702InitSignature, settlementLayers, sourceAssets, feeAsset, lockFunds, auxiliaryFunds, account, signers);
+    const prepared = await prepareTransactionAsIntent(config, sourceChains, targetChain, await resolveCallInputs(transaction.calls, config, targetChain, accountAddress), transaction.gasLimit, tokenRequests, recipient, sponsored, eip7702InitSignature, settlementLayers, sourceAssets, feeAsset, lockFunds, auxiliaryFunds, account, signers);
     return {
-        intentRoute,
+        intentRoute: prepared.intentRoute,
+        intentInput: prepared.intentInput,
         transaction,
     };
 }
@@ -124,6 +130,7 @@ async function signTransaction(config, preparedTransaction) {
     const targetExecutionSignature = await getTargetExecutionSignature(config, intentRoute.intentOp, targetChain, signers);
     return {
         intentRoute,
+        intentInput: preparedTransaction.intentInput,
         transaction: preparedTransaction.transaction,
         originSignatures,
         destinationSignature,
@@ -134,7 +141,16 @@ async function getTargetExecutionSignature(config, intentOp, targetChain, signer
     if (signers?.type !== 'experimental_session') {
         return undefined;
     }
+    const settlementLayers = intentOp.elements.map((e) => e.mandate.qualifier.settlementContext.settlementLayer);
+    const hasIntentExecutorOps = settlementLayers.some((l) => l === 'INTENT_EXECUTOR' || l === 'SAME_CHAIN');
+    if (!hasIntentExecutorOps) {
+        return undefined;
+    }
     const resolvedSigners = await resolveSignersForChain(config, signers, targetChain.id);
+    if (!isResolvedSessionSignerSet(resolvedSigners) ||
+        !resolvedSigners.verifyExecutions) {
+        return undefined;
+    }
     const destination = getTargetExecutionMessage(config, intentOp);
     const validator = getValidator(config, signers);
     if (!validator) {
@@ -281,10 +297,10 @@ async function signAuthorizationsInternal(config, data) {
     return authorizations;
 }
 async function submitTransaction(config, signedTransaction, authorizations, dryRun = false) {
-    const { intentRoute, transaction, originSignatures, destinationSignature, targetExecutionSignature, } = signedTransaction;
+    const { intentRoute, intentInput, transaction, originSignatures, destinationSignature, targetExecutionSignature, } = signedTransaction;
     const { sourceChains, targetChain } = getTransactionParams(transaction);
     const intentOp = intentRoute.intentOp;
-    return await submitIntent(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun);
+    return await submitIntent(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun, intentInput);
 }
 async function submitUserOperation(config, signedUserOperation) {
     const chain = signedUserOperation.transaction.chain;
@@ -398,13 +414,50 @@ async function prepareTransactionAsIntent(config, sourceChains, targetChain, cal
     const intentAccount = {
         ...getIntentAccount(config, eip7702InitSignature, account),
         ...(signers?.type === 'experimental_session' && {
-            mockSignature: (0, validators_1.buildMockSignature)(resolveSessionForChain(signers, targetChain.id).session, config.useDevContracts, sourceChains?.length),
+            // Global fallback: target-chain sig for backward-compat with older orchestrators
+            mockSignature: (0, validators_1.buildMockSignature)(resolveSessionForChain(signers, targetChain.id).session, config.useDevContracts, sourceChains?.length ?? 1),
+            // Per-chain map: enables accurate per-chain session validation gas simulation
+            mockSignatures: Object.fromEntries([
+                ...new Set([
+                    ...(sourceChains ?? []).map((c) => c.id),
+                    targetChain.id,
+                ]),
+            ].map((chainId) => [
+                String(chainId),
+                (0, validators_1.buildMockSignature)(resolveSessionForChain(signers, chainId).session, config.useDevContracts, sourceChains?.length ?? 1, chainId),
+            ])),
         }),
     };
     const recipient = getRecipient(recipientInput);
     const signatureMode = signers?.type === 'experimental_session'
         ? types_1.SIG_MODE_EMISSARY_EXECUTION_ERC1271
         : types_1.SIG_MODE_ERC1271_EMISSARY;
+    // For session signers that need enabling, pass a dummy preclaimop per source chain
+    // so the orchestrator bakes it into the bundle before computing its HMAC. The filler
+    // executes the op via verifyExecution in ENABLE mode, enabling the session on-chain
+    // without a separate UserOp. Must be sent in the routing request — not injected
+    // post-facto — because the orchestrator HMAC covers preClaimOps.
+    const preClaimExecutions = {};
+    if (signers?.type === 'experimental_session' && sourceChains) {
+        const resolvedPerChain = await Promise.all(sourceChains.map(async (chain) => ({
+            chainId: chain.id,
+            resolved: await resolveSignersForChain(config, signers, chain.id),
+        })));
+        for (const { chainId, resolved } of resolvedPerChain) {
+            if (!isResolvedSessionSignerSet(resolved))
+                continue;
+            const { enableData, verifyExecutions } = resolved;
+            if (!verifyExecutions || !enableData)
+                continue;
+            preClaimExecutions[chainId] = [
+                {
+                    to: validators_1.DUMMY_PRECLAIMOP_TARGET,
+                    value: 0n,
+                    data: validators_1.DUMMY_PRECLAIMOP_SELECTOR,
+                },
+            ];
+        }
+    }
     const metaIntent = {
         destinationChainId: targetChain.id,
         tokenRequests: tokenRequests.map((tokenRequest) => ({
@@ -436,10 +489,12 @@ async function prepareTransactionAsIntent(config, sourceChains, targetChain, cal
             signatureMode,
             auxiliaryFunds,
         },
+        ...(Object.keys(preClaimExecutions).length > 0 && { preClaimExecutions }),
     };
-    const orchestrator = (0, orchestrator_1.getOrchestrator)(config.apiKey, config.endpointUrl, config.headers);
+    const serializedIntent = (0, utils_2.convertBigIntFields)(metaIntent);
+    const orchestrator = (0, orchestrator_1.getOrchestrator)(config._authProvider ?? (0, provider_1.createAuthProvider)(config), config.endpointUrl, config.headers);
     const intentRoute = await orchestrator.getIntentRoute(metaIntent);
-    return intentRoute;
+    return { intentRoute, intentInput: serializedIntent };
 }
 async function signIntent(config, intentOp, targetChain, signers, targetExecution) {
     const { origin, destination } = getIntentMessages(config, intentOp);
@@ -523,7 +578,7 @@ function getIntentMessages(config, intentOp) {
             origin.push(typedData);
         }
         else if (withPermit2) {
-            const typedData = (0, permit2_1.getTypedData)(element, BigInt(intentOp.nonce), BigInt(intentOp.expires));
+            const typedData = (0, permit2_2.getTypedData)(element, BigInt(intentOp.nonce), BigInt(intentOp.expires));
             origin.push(typedData);
         }
         else {
@@ -549,6 +604,22 @@ function getTargetExecutionMessage(config, intentOp) {
     };
     return typedData;
 }
+/** Computes claim policy calldata when parameters are Permit2 typed data with claim policies. */
+function resolveClaimPolicyData(signers, parameters) {
+    if (parameters.primaryType !== 'PermitBatchWitnessTransferFrom' ||
+        !signers.session.claimPolicies?.length) {
+        return undefined;
+    }
+    const msg = parameters.message;
+    if (!msg.permitted ||
+        !msg.mandate ||
+        typeof msg.spender !== 'string' ||
+        typeof msg.nonce !== 'bigint' ||
+        typeof msg.deadline !== 'bigint') {
+        return undefined;
+    }
+    return (0, permit2_1.buildPermit2ClaimPolicyCalldata)(signers.session.claimPolicies[0], parameters.message);
+}
 async function signIntentTypedData(config, signers, validator, isRoot, parameters, chain, targetExecution) {
     if ((0, core_1.supportsEip712)(validator)) {
         const isK1Validator = validator.address.toLowerCase() ===
@@ -564,18 +635,25 @@ async function signIntentTypedData(config, signers, validator, isRoot, parameter
     const hash = (0, viem_1.hashTypedData)(parameters);
     if (isResolvedSessionSignerSet(signers) && signers.verifyExecutions) {
         if (targetExecution) {
-            return await (0, accounts_1.getEmissarySignature)(config, {
+            const targetSigners = {
                 type: 'experimental_session',
                 session: signers.session,
                 verifyExecutions: true,
-            }, chain, hash);
+                enableData: signers.enableData,
+            };
+            // signWithSession (called inside getEmissarySignature) already calls packSignature
+            // internally, so no transform is needed here
+            return await (0, accounts_1.getEmissarySignature)(config, targetSigners, chain, hash);
         }
-        const eip1271Signature = await (0, accounts_1.getEip1271Signature)(config, {
+        const claimPolicyData = resolveClaimPolicyData(signers, parameters);
+        const sessionSignersForEip1271 = {
             type: 'experimental_session',
             session: signers.session,
             verifyExecutions: false,
             enableData: signers.enableData,
-        }, chain, {
+            claimPolicyData,
+        };
+        const eip1271Signature = await (0, accounts_1.getEip1271Signature)(config, sessionSignersForEip1271, chain, {
             address: validator.address,
             isRoot,
         }, hash);
@@ -590,6 +668,13 @@ async function signIntentTypedData(config, signers, validator, isRoot, parameter
             notarizedClaimSig: eip1271Signature,
         };
     }
+    if (isResolvedSessionSignerSet(signers)) {
+        const claimPolicyData = resolveClaimPolicyData(signers, parameters);
+        return await (0, accounts_1.getEip1271Signature)(config, claimPolicyData !== undefined ? { ...signers, claimPolicyData } : signers, chain, {
+            address: validator.address,
+            isRoot,
+        }, hash);
+    }
     return await (0, accounts_1.getEip1271Signature)(config, signers, chain, {
         address: validator.address,
         isRoot,
@@ -649,8 +734,8 @@ async function submitUserOp(config, chain, userOp, signature) {
         chain: chain.id,
     };
 }
-async function submitIntent(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun) {
-    return submitIntentInternal(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun);
+async function submitIntent(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun, intentInput) {
+    return submitIntentInternal(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun, intentInput);
 }
 function createSignedIntentOp(intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations) {
     return {
@@ -670,13 +755,17 @@ function createSignedIntentOp(intentOp, originSignatures, destinationSignature,
             : undefined,
     };
 }
-async function submitIntentInternal(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun) {
+async function submitIntentInternal(config, sourceChains, targetChain, intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations, dryRun, intentInput) {
     const signedIntentOp = createSignedIntentOp(intentOp, originSignatures, destinationSignature, targetExecutionSignature, authorizations);
-    const orchestrator = (0, orchestrator_1.getOrchestrator)(config.apiKey, config.endpointUrl, config.headers);
-    const intentResults = await orchestrator.submitIntent(signedIntentOp, dryRun);
+    const isSponsored = !!intentInput?.options?.sponsorSettings;
+    const orchestrator = (0, orchestrator_1.getOrchestrator)(config._authProvider ?? (0, provider_1.createAuthProvider)(config), config.endpointUrl, config.headers);
+    const intentResults = await orchestrator.submitIntent(signedIntentOp, dryRun, intentInput ? { intentInput, isSponsored } : undefined);
+    // Some settlement paths (e.g. SAME_CHAIN) may not return a result.id — fall
+    // back to the nonce which the orchestrator also accepts as an intent identifier.
+    const intentId = intentResults.result.id ?? intentOp.nonce;
     return {
         type: 'intent',
-        id: BigInt(intentResults.result.id),
+        id: BigInt(intentId),
         sourceChains: sourceChains?.map((chain) => chain.id),
         targetChain: targetChain.id,
     };

package/dist/src/index.d.ts

@@ -8,7 +8,7 @@ import { type IntentRoute, type PreparedTransactionData, type PreparedUserOperat
 import { MULTI_FACTOR_VALIDATOR_ADDRESS, OWNABLE_VALIDATOR_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS } from './modules';
 import { type SessionDetails } from './modules/validators/smart-sessions';
 import { type ApprovalRequired, type AuxiliaryFunds, getAllSupportedChainsAndTokens, getSupportedTokens, getTokenAddress, getTokenDecimals, type IntentInput, type IntentOp, type IntentOpStatus, type Portfolio, type SettlementLayer, type SignedIntentOp, type SplitIntentsInput, type SplitIntentsResult, type TokenRequirements, type WrapRequired } from './orchestrator';
-import type { AccountProviderConfig, AccountType, BundlerConfig, Call, CallInput, ChainSessionConfig, MultiFactorValidatorConfig, OwnableValidatorConfig, OwnerSet, PaymasterConfig, Policy, ProviderConfig, Recovery, RhinestoneAccountConfig, RhinestoneConfig, RhinestoneSDKConfig, Session, SignerSet, TokenRequest, TokenSymbol, Transaction, UniversalActionPolicyParamCondition, UserOperationTransaction, WebauthnValidatorConfig } from './types';
+import type { AccountProviderConfig, AccountType, BundlerConfig, Call, CallInput, ChainSessionConfig, MultiFactorValidatorConfig, OwnableValidatorConfig, OwnerSet, PaymasterConfig, Permit2ClaimPolicy, Policy, ProviderConfig, Recovery, RhinestoneAccountConfig, RhinestoneConfig, RhinestoneSDKConfig, Session, SignerSet, TokenRequest, TokenSymbol, Transaction, UniversalActionPolicyParamCondition, UserOperationTransaction, WebauthnValidatorConfig } from './types';
 interface RhinestoneAccount {
     config: RhinestoneAccountConfig;
     deploy: (chain: Chain, params?: {
@@ -60,7 +60,7 @@ interface RhinestoneAccount {
  */
 declare function createRhinestoneAccount(config: RhinestoneConfig): Promise<RhinestoneAccount>;
 declare class RhinestoneSDK {
-    private apiKey;
+    private authProvider;
     private endpointUrl?;
     private provider?;
     private bundler?;
@@ -75,5 +75,5 @@ declare class RhinestoneSDK {
     splitIntents(input: SplitIntentsInput): Promise<SplitIntentsResult>;
 }
 export { RhinestoneSDK, createRhinestoneAccount, deployAccountsForOwners, walletClientToAccount, wrapParaAccount, OWNABLE_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS, MULTI_FACTOR_VALIDATOR_ADDRESS, SMART_SESSION_EMISSARY_ADDRESS, getSupportedTokens, getTokenAddress, getTokenDecimals, getAllSupportedChainsAndTokens, checkERC20AllowanceDirect, getPermit2Address, signPermit2Batch, signPermit2Sequential, };
-export type { RhinestoneAccount, AccountType, RhinestoneAccountConfig, AccountProviderConfig, ProviderConfig, BundlerConfig, PaymasterConfig, Transaction, TokenSymbol, CallInput, Call, TokenRequest, OwnerSet, OwnableValidatorConfig, WebauthnValidatorConfig, MultiFactorValidatorConfig, SignerSet, ChainSessionConfig, Session, Recovery, Policy, UniversalActionPolicyParamCondition, PreparedTransactionData, SignedTransactionData, TransactionResult, PreparedUserOperationData, SignedUserOperationData, UserOperationResult, AuxiliaryFunds, IntentInput, IntentOp, IntentOpStatus, IntentRoute, SettlementLayer, SignedIntentOp, SplitIntentsInput, SplitIntentsResult, Portfolio, TokenRequirements, WrapRequired, ApprovalRequired, MultiChainPermit2Config, MultiChainPermit2Result, BatchPermit2Result, };
+export type { RhinestoneAccount, AccountType, RhinestoneAccountConfig, AccountProviderConfig, ProviderConfig, BundlerConfig, PaymasterConfig, Transaction, TokenSymbol, CallInput, Call, TokenRequest, OwnerSet, OwnableValidatorConfig, WebauthnValidatorConfig, MultiFactorValidatorConfig, SignerSet, ChainSessionConfig, Session, Recovery, Policy, Permit2ClaimPolicy, UniversalActionPolicyParamCondition, PreparedTransactionData, SignedTransactionData, TransactionResult, PreparedUserOperationData, SignedUserOperationData, UserOperationResult, AuxiliaryFunds, IntentInput, IntentOp, IntentOpStatus, IntentRoute, SettlementLayer, SignedIntentOp, SplitIntentsInput, SplitIntentsResult, Portfolio, TokenRequirements, WrapRequired, ApprovalRequired, MultiChainPermit2Config, MultiChainPermit2Result, BatchPermit2Result, };
 //# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,OAAO,EACP,KAAK,EACL,uBAAuB,EACvB,GAAG,EACH,eAAe,EACf,uBAAuB,EACvB,SAAS,EACT,mBAAmB,EACpB,MAAM,MAAM,CAAA;AACb,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAapE,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAChF,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAA;AAC9D,OAAO,EAML,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EAEzB,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,KAAK,kBAAkB,EACvB,yBAAyB,EAEzB,iBAAiB,EACjB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,gBAAgB,EAChB,qBAAqB,EACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,uBAAuB,EAC5B,KAAK,yBAAyB,EAG9B,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAQ7B,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EAKL,8BAA8B,EAC9B,yBAAyB,EACzB,8BAA8B,EAE9B,0BAA0B,EAC3B,MAAM,WAAW,CAAA;AAClB,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,qCAAqC,CAAA;AAC5C,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,8BAA8B,EAC9B,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,KAAK,WAAW,EAChB,KAAK,QAAQ,EACb,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EAClB,MAAM,gBAAgB,CAAA;AACvB,OAAO,KAAK,EACV,qBAAqB,EACrB,WAAW,EACX,aAAa,EACb,IAAI,EACJ,SAAS,EACT,kBAAkB,EAClB,0BAA0B,EAC1B,sBAAsB,EACtB,QAAQ,EACR,eAAe,EACf,MAAM,EACN,cAAc,EACd,QAAQ,EACR,uBAAuB,EACvB,gBAAgB,EAChB,mBAAmB,EACnB,OAAO,EACP,SAAS,EACT,YAAY,EACZ,WAAW,EACX,WAAW,EACX,mCAAmC,EACnC,wBAAwB,EACxB,uBAAuB,EACxB,MAAM,SAAS,CAAA;AAEhB,UAAU,iBAAiB;IACzB,MAAM,EAAE,uBAAuB,CAAA;IAC/B,MAAM,EAAE,CACN,KAAK,EAAE,KAAK,EACZ,MAAM,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAC;QAAC,SAAS,CAAC,EAAE,OAAO,CAAA;KAAE,KAChD,OAAO,CAAC,OAAO,CAAC,CAAA;IACrB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;IAC9C,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;IACzC,WAAW,IAAI;QACb,OAAO,EAAE,OAAO,CAAA;QAChB,WAAW,EAAE,GAAG,CAAA;KACjB,CAAA;IACD,mBAAmB,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,CAAA;IACvC,kBAAkB,EAAE,CAClB,WAAW,EAAE,WAAW,KACrB,OAAO,CAAC,uBAAuB,CAAC,CAAA;IACrC,sBAAsB,EAAE,CAAC,mBAAmB,EAAE,uBAAuB,KAAK;QACxE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QAC7B,WAAW,EAAE,mBAAmB,CAAA;KACjC,CAAA;IACD,eAAe,EAAE,CACf,mBAAmB,EAAE,uBAAuB,KACzC,OAAO,CAAC,qBAAqB,CAAC,CAAA;IACnC,kBAAkB,EAAE,CAClB,mBAAmB,EAAE,uBAAuB,KACzC,OAAO,CAAC,uBAAuB,CAAC,CAAA;IACrC,WAAW,EAAE,CACX,OAAO,EAAE,eAAe,EACxB,KAAK,EAAE,KAAK,EACZ,OAAO,EAAE,SAAS,GAAG,SAAS,KAC3B,OAAO,CAAC,GAAG,CAAC,CAAA;IACjB,aAAa,EAAE,CACb,SAAS,SAAS,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EACjE,WAAW,SAAS,MAAM,SAAS,GAAG,cAAc,GAAG,MAAM,SAAS,EAEtE,UAAU,EAAE,uBAAuB,CAAC,SAAS,EAAE,WAAW,CAAC,EAC3D,KAAK,EAAE,KAAK,EACZ,OAAO,EAAE,SAAS,GAAG,SAAS,KAC3B,OAAO,CAAC,GAAG,CAAC,CAAA;IACjB,iBAAiB,EAAE,CACjB,iBAAiB,EAAE,qBAAqB,EACxC,cAAc,CAAC,EAAE,uBAAuB,EACxC,MAAM,CAAC,EAAE,OAAO,KACb,OAAO,CAAC,iBAAiB,CAAC,CAAA;IAC/B,eAAe,EAAE,CAAC,WAAW,EAAE,WAAW,KAAK,OAAO,CAAC,iBAAiB,CAAC,CAAA;IACzE,oBAAoB,EAAE,CACpB,WAAW,EAAE,wBAAwB,KAClC,OAAO,CAAC,yBAAyB,CAAC,CAAA;IACvC,iBAAiB,EAAE,CACjB,qBAAqB,EAAE,yBAAyB,KAC7C,OAAO,CAAC,uBAAuB,CAAC,CAAA;IACrC,mBAAmB,EAAE,CACnB,mBAAmB,EAAE,uBAAuB,KACzC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IACjC,iBAAiB,EAAE,CACjB,WAAW,EAAE,wBAAwB,KAClC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IACjC,gBAAgB,CACd,MAAM,EAAE,iBAAiB,EACzB,uBAAuB,CAAC,EAAE,OAAO,GAChC,OAAO,CAAC,iBAAiB,CAAC,CAAA;IAC7B,gBAAgB,CACd,MAAM,EAAE,mBAAmB,EAC3B,uBAAuB,CAAC,EAAE,OAAO,GAChC,OAAO,CAAC,oBAAoB,CAAC,CAAA;IAChC,UAAU,EAAE,MAAM,OAAO,CAAA;IACzB,YAAY,EAAE,CAAC,UAAU,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,SAAS,CAAC,CAAA;IAC1D,8BAA8B,EAAE,CAC9B,QAAQ,EAAE,OAAO,EAAE,KAChB,OAAO,CAAC,cAAc,CAAC,CAAA;IAC5B,6BAA6B,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;IACrE,8BAA8B,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC,GAAG,CAAC,CAAA;IACzE,SAAS,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC;QACnC,QAAQ,EAAE,OAAO,EAAE,CAAA;QACnB,SAAS,EAAE,MAAM,CAAA;KAClB,GAAG,IAAI,CAAC,CAAA;IACT,aAAa,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAA;IACnD,YAAY,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAA;IAClD,mBAAmB,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CAC9E;AAED;;;;;GAKG;AACH,iBAAe,uBAAuB,CACpC,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,iBAAiB,CAAC,CA2V5B;AAED,cAAM,aAAa;IACjB,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,WAAW,CAAC,CAAQ;IAC5B,OAAO,CAAC,QAAQ,CAAC,CAAgB;IACjC,OAAO,CAAC,OAAO,CAAC,CAAe;IAC/B,OAAO,CAAC,SAAS,CAAC,CAAiB;IACnC,OAAO,CAAC,eAAe,CAAC,CAAS;IACjC,OAAO,CAAC,OAAO,CAAC,CAAwB;gBAE5B,OAAO,EAAE,mBAAmB;IAUxC,aAAa,CAAC,MAAM,EAAE,uBAAuB;IAc7C,eAAe,CAAC,QAAQ,EAAE,MAAM;;;IAShC,YAAY,CAAC,KAAK,EAAE,iBAAiB;CAQtC;AAED,OAAO,EACL,aAAa,EACb,uBAAuB,EACvB,uBAAuB,EACvB,qBAAqB,EACrB,eAAe,EAEf,yBAAyB,EACzB,0BAA0B,EAC1B,8BAA8B,EAC9B,8BAA8B,EAE9B,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,8BAA8B,EAE9B,yBAAyB,EACzB,iBAAiB,EAEjB,gBAAgB,EAChB,qBAAqB,GACtB,CAAA;AACD,YAAY,EACV,iBAAiB,EACjB,WAAW,EACX,uBAAuB,EACvB,qBAAqB,EACrB,cAAc,EACd,aAAa,EACb,eAAe,EACf,WAAW,EACX,WAAW,EACX,SAAS,EACT,IAAI,EACJ,YAAY,EACZ,QAAQ,EACR,sBAAsB,EACtB,uBAAuB,EACvB,0BAA0B,EAC1B,SAAS,EACT,kBAAkB,EAClB,OAAO,EACP,QAAQ,EACR,MAAM,EACN,mCAAmC,EACnC,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,EACjB,yBAAyB,EACzB,uBAAuB,EACvB,mBAAmB,EACnB,cAAc,EACd,WAAW,EACX,QAAQ,EACR,cAAc,EACd,WAAW,EACX,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAEhB,uBAAuB,EACvB,uBAAuB,EACvB,kBAAkB,GACnB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,OAAO,EACP,KAAK,EACL,uBAAuB,EACvB,GAAG,EACH,eAAe,EACf,uBAAuB,EACvB,SAAS,EACT,mBAAmB,EACpB,MAAM,MAAM,CAAA;AACb,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAA;AAapE,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAChF,OAAO,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAA;AAE9D,OAAO,EAML,KAAK,iBAAiB,EACtB,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EAEzB,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,KAAK,kBAAkB,EACvB,yBAAyB,EAEzB,iBAAiB,EACjB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,gBAAgB,EAChB,qBAAqB,EACtB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,uBAAuB,EAC5B,KAAK,yBAAyB,EAG9B,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAQ7B,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EAKL,8BAA8B,EAC9B,yBAAyB,EACzB,8BAA8B,EAE9B,0BAA0B,EAC3B,MAAM,WAAW,CAAA;AAClB,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,qCAAqC,CAAA;AAC5C,OAAO,EACL,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,8BAA8B,EAC9B,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,KAAK,WAAW,EAChB,KAAK,QAAQ,EACb,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EAClB,MAAM,gBAAgB,CAAA;AACvB,OAAO,KAAK,EACV,qBAAqB,EACrB,WAAW,EACX,aAAa,EACb,IAAI,EACJ,SAAS,EACT,kBAAkB,EAClB,0BAA0B,EAC1B,sBAAsB,EACtB,QAAQ,EACR,eAAe,EACf,kBAAkB,EAClB,MAAM,EACN,cAAc,EACd,QAAQ,EACR,uBAAuB,EACvB,gBAAgB,EAChB,mBAAmB,EACnB,OAAO,EACP,SAAS,EACT,YAAY,EACZ,WAAW,EACX,WAAW,EACX,mCAAmC,EACnC,wBAAwB,EACxB,uBAAuB,EACxB,MAAM,SAAS,CAAA;AAEhB,UAAU,iBAAiB;IACzB,MAAM,EAAE,uBAAuB,CAAA;IAC/B,MAAM,EAAE,CACN,KAAK,EAAE,KAAK,EACZ,MAAM,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAC;QAAC,SAAS,CAAC,EAAE,OAAO,CAAA;KAAE,KAChD,OAAO,CAAC,OAAO,CAAC,CAAA;IACrB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;IAC9C,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;IACzC,WAAW,IAAI;QACb,OAAO,EAAE,OAAO,CAAA;QAChB,WAAW,EAAE,GAAG,CAAA;KACjB,CAAA;IACD,mBAAmB,EAAE,MAAM,OAAO,CAAC,GAAG,CAAC,CAAA;IACvC,kBAAkB,EAAE,CAClB,WAAW,EAAE,WAAW,KACrB,OAAO,CAAC,uBAAuB,CAAC,CAAA;IACrC,sBAAsB,EAAE,CAAC,mBAAmB,EAAE,uBAAuB,KAAK;QACxE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QAC7B,WAAW,EAAE,mBAAmB,CAAA;KACjC,CAAA;IACD,eAAe,EAAE,CACf,mBAAmB,EAAE,uBAAuB,KACzC,OAAO,CAAC,qBAAqB,CAAC,CAAA;IACnC,kBAAkB,EAAE,CAClB,mBAAmB,EAAE,uBAAuB,KACzC,OAAO,CAAC,uBAAuB,CAAC,CAAA;IACrC,WAAW,EAAE,CACX,OAAO,EAAE,eAAe,EACxB,KAAK,EAAE,KAAK,EACZ,OAAO,EAAE,SAAS,GAAG,SAAS,KAC3B,OAAO,CAAC,GAAG,CAAC,CAAA;IACjB,aAAa,EAAE,CACb,SAAS,SAAS,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EACjE,WAAW,SAAS,MAAM,SAAS,GAAG,cAAc,GAAG,MAAM,SAAS,EAEtE,UAAU,EAAE,uBAAuB,CAAC,SAAS,EAAE,WAAW,CAAC,EAC3D,KAAK,EAAE,KAAK,EACZ,OAAO,EAAE,SAAS,GAAG,SAAS,KAC3B,OAAO,CAAC,GAAG,CAAC,CAAA;IACjB,iBAAiB,EAAE,CACjB,iBAAiB,EAAE,qBAAqB,EACxC,cAAc,CAAC,EAAE,uBAAuB,EACxC,MAAM,CAAC,EAAE,OAAO,KACb,OAAO,CAAC,iBAAiB,CAAC,CAAA;IAC/B,eAAe,EAAE,CAAC,WAAW,EAAE,WAAW,KAAK,OAAO,CAAC,iBAAiB,CAAC,CAAA;IACzE,oBAAoB,EAAE,CACpB,WAAW,EAAE,wBAAwB,KAClC,OAAO,CAAC,yBAAyB,CAAC,CAAA;IACvC,iBAAiB,EAAE,CACjB,qBAAqB,EAAE,yBAAyB,KAC7C,OAAO,CAAC,uBAAuB,CAAC,CAAA;IACrC,mBAAmB,EAAE,CACnB,mBAAmB,EAAE,uBAAuB,KACzC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IACjC,iBAAiB,EAAE,CACjB,WAAW,EAAE,wBAAwB,KAClC,OAAO,CAAC,mBAAmB,CAAC,CAAA;IACjC,gBAAgB,CACd,MAAM,EAAE,iBAAiB,EACzB,uBAAuB,CAAC,EAAE,OAAO,GAChC,OAAO,CAAC,iBAAiB,CAAC,CAAA;IAC7B,gBAAgB,CACd,MAAM,EAAE,mBAAmB,EAC3B,uBAAuB,CAAC,EAAE,OAAO,GAChC,OAAO,CAAC,oBAAoB,CAAC,CAAA;IAChC,UAAU,EAAE,MAAM,OAAO,CAAA;IACzB,YAAY,EAAE,CAAC,UAAU,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,SAAS,CAAC,CAAA;IAC1D,8BAA8B,EAAE,CAC9B,QAAQ,EAAE,OAAO,EAAE,KAChB,OAAO,CAAC,cAAc,CAAC,CAAA;IAC5B,6BAA6B,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;IACrE,8BAA8B,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC,GAAG,CAAC,CAAA;IACzE,SAAS,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC;QACnC,QAAQ,EAAE,OAAO,EAAE,CAAA;QACnB,SAAS,EAAE,MAAM,CAAA;KAClB,GAAG,IAAI,CAAC,CAAA;IACT,aAAa,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAA;IACnD,YAAY,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAA;IAClD,mBAAmB,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CAC9E;AAED;;;;;GAKG;AACH,iBAAe,uBAAuB,CACpC,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,iBAAiB,CAAC,CA2V5B;AAED,cAAM,aAAa;IACjB,OAAO,CAAC,YAAY,CAAc;IAClC,OAAO,CAAC,WAAW,CAAC,CAAQ;IAC5B,OAAO,CAAC,QAAQ,CAAC,CAAgB;IACjC,OAAO,CAAC,OAAO,CAAC,CAAe;IAC/B,OAAO,CAAC,SAAS,CAAC,CAAiB;IACnC,OAAO,CAAC,eAAe,CAAC,CAAS;IACjC,OAAO,CAAC,OAAO,CAAC,CAAwB;gBAE5B,OAAO,EAAE,mBAAmB;IAUxC,aAAa,CAAC,MAAM,EAAE,uBAAuB;IAc7C,eAAe,CAAC,QAAQ,EAAE,MAAM;;;IAShC,YAAY,CAAC,KAAK,EAAE,iBAAiB;CAQtC;AAED,OAAO,EACL,aAAa,EACb,uBAAuB,EACvB,uBAAuB,EACvB,qBAAqB,EACrB,eAAe,EAEf,yBAAyB,EACzB,0BAA0B,EAC1B,8BAA8B,EAC9B,8BAA8B,EAE9B,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,8BAA8B,EAE9B,yBAAyB,EACzB,iBAAiB,EAEjB,gBAAgB,EAChB,qBAAqB,GACtB,CAAA;AACD,YAAY,EACV,iBAAiB,EACjB,WAAW,EACX,uBAAuB,EACvB,qBAAqB,EACrB,cAAc,EACd,aAAa,EACb,eAAe,EACf,WAAW,EACX,WAAW,EACX,SAAS,EACT,IAAI,EACJ,YAAY,EACZ,QAAQ,EACR,sBAAsB,EACtB,uBAAuB,EACvB,0BAA0B,EAC1B,SAAS,EACT,kBAAkB,EAClB,OAAO,EACP,QAAQ,EACR,MAAM,EACN,kBAAkB,EAClB,mCAAmC,EACnC,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,EACjB,yBAAyB,EACzB,uBAAuB,EACvB,mBAAmB,EACnB,cAAc,EACd,WAAW,EACX,QAAQ,EACR,cAAc,EACd,WAAW,EACX,eAAe,EACf,cAAc,EACd,iBAAiB,EACjB,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,gBAAgB,EAEhB,uBAAuB,EACvB,uBAAuB,EACvB,kBAAkB,GACnB,CAAA"}

package/dist/src/index.js

@@ -8,6 +8,7 @@ Object.defineProperty(exports, "walletClientToAccount", { enumerable: true, get:
 Object.defineProperty(exports, "wrapParaAccount", { enumerable: true, get: function () { return walletClient_1.wrapParaAccount; } });
 const deployment_1 = require("./actions/deployment");
 Object.defineProperty(exports, "deployAccountsForOwners", { enumerable: true, get: function () { return deployment_1.deployAccountsForOwners; } });
+const provider_1 = require("./auth/provider");
 const execution_1 = require("./execution");
 const permit2_1 = require("./execution/permit2");
 Object.defineProperty(exports, "checkERC20AllowanceDirect", { enumerable: true, get: function () { return permit2_1.checkERC20AllowanceDirect; } });
@@ -293,7 +294,7 @@ async function createRhinestoneAccount(config) {
     };
 }
 class RhinestoneSDK {
-    apiKey;
+    authProvider;
     endpointUrl;
     provider;
     bundler;
@@ -301,7 +302,7 @@ class RhinestoneSDK {
     useDevContracts;
     headers;
     constructor(options) {
-        this.apiKey = options.apiKey;
+        this.authProvider = (0, provider_1.createAuthProvider)(options);
         this.endpointUrl = options.endpointUrl;
         this.provider = options.provider;
         this.bundler = options.bundler;
@@ -312,7 +313,7 @@ class RhinestoneSDK {
     createAccount(config) {
         const rhinestoneConfig = {
             ...config,
-            apiKey: this.apiKey,
+            _authProvider: this.authProvider,
             endpointUrl: this.endpointUrl,
             provider: this.provider,
             bundler: this.bundler,
@@ -323,10 +324,10 @@ class RhinestoneSDK {
         return createRhinestoneAccount(rhinestoneConfig);
     }
     getIntentStatus(intentId) {
-        return (0, execution_1.getIntentStatus)(this.apiKey, this.endpointUrl, intentId, this.headers);
+        return (0, execution_1.getIntentStatus)(this.authProvider, this.endpointUrl, intentId, this.headers);
     }
     splitIntents(input) {
-        return (0, execution_1.splitIntents)(this.apiKey, this.endpointUrl, input, this.headers);
+        return (0, execution_1.splitIntents)(this.authProvider, this.endpointUrl, input, this.headers);
     }
 }
 exports.RhinestoneSDK = RhinestoneSDK;

package/dist/src/jwt-server/digest.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Compute a deterministic hex-encoded SHA-256 digest of an intent input object.
+ *
+ * 1. JCS-canonicalise the intent input (RFC 8785)
+ * 2. SHA-256 hash the UTF-8 bytes
+ * 3. Return lowercase hex string
+ *
+ * Uses the Web Crypto API (available in Node.js ≥ 15 and all modern browsers).
+ */
+export declare function computeIntentInputDigest(intentInput: unknown): Promise<string>;
+//# sourceMappingURL=digest.d.ts.map

package/dist/src/jwt-server/digest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"digest.d.ts","sourceRoot":"","sources":["../../../jwt-server/digest.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AACH,wBAAsB,wBAAwB,CAC5C,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC,MAAM,CAAC,CAQjB"}

package/dist/src/jwt-server/digest.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeIntentInputDigest = computeIntentInputDigest;
+const jcs_1 = require("./jcs");
+/**
+ * Compute a deterministic hex-encoded SHA-256 digest of an intent input object.
+ *
+ * 1. JCS-canonicalise the intent input (RFC 8785)
+ * 2. SHA-256 hash the UTF-8 bytes
+ * 3. Return lowercase hex string
+ *
+ * Uses the Web Crypto API (available in Node.js ≥ 15 and all modern browsers).
+ */
+async function computeIntentInputDigest(intentInput) {
+    const canonical = (0, jcs_1.jcsCanonicalise)(intentInput);
+    const encoded = new TextEncoder().encode(canonical);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', encoded);
+    const hashArray = new Uint8Array(hashBuffer);
+    return Array.from(hashArray)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+}

package/dist/src/jwt-server/express.d.ts

@@ -0,0 +1,16 @@
+import { type JwtHandlerConfig } from './handlers';
+interface ExpressRequest {
+    body?: unknown;
+}
+interface ExpressResponse {
+    status(code: number): ExpressResponse;
+    json(body: unknown): void;
+}
+type ExpressHandler = (req: ExpressRequest, res: ExpressResponse) => void;
+interface ExpressRouter {
+    get(path: string, handler: ExpressHandler): ExpressRouter;
+    post(path: string, handler: ExpressHandler): ExpressRouter;
+}
+export declare function createExpressRouter(config: JwtHandlerConfig): ExpressRouter;
+export {};
+//# sourceMappingURL=express.d.ts.map

package/dist/src/jwt-server/express.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../../jwt-server/express.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,gBAAgB,EACtB,MAAM,YAAY,CAAA;AAEnB,UAAU,cAAc;IACtB,IAAI,CAAC,EAAE,OAAO,CAAA;CACf;AAED,UAAU,eAAe;IACvB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAAA;IACrC,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,CAAA;CAC1B;AAED,KAAK,cAAc,GAAG,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,eAAe,KAAK,IAAI,CAAA;AAEzE,UAAU,aAAa;IACrB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,aAAa,CAAA;IACzD,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,GAAG,aAAa,CAAA;CAC3D;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,gBAAgB,GAAG,aAAa,CAyB3E"}

package/dist/src/jwt-server/express.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createExpressRouter = createExpressRouter;
+const handlers_1 = require("./handlers");
+function createExpressRouter(config) {
+    // Dynamic import avoidance: we type the router interface manually
+    // so express doesn't need to be installed unless this function is called.
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { Router } = require('express');
+    const router = Router();
+    const handleAccessToken = (0, handlers_1.createCoreAccessTokenHandler)(config);
+    const handleExtensionToken = (0, handlers_1.createCoreExtensionTokenHandler)(config);
+    router.get('/access-token', async (_req, res) => {
+        const result = await handleAccessToken();
+        res.status(result.status).json(result.body);
+    });
+    router.post('/extension-token', async (req, res) => {
+        const body = req.body;
+        const intentInput = body?.intentInput;
+        const result = await handleExtensionToken(intentInput);
+        res.status(result.status).json(result.body);
+    });
+    return router;
+}

package/dist/src/jwt-server/handlers.d.ts

@@ -0,0 +1,10 @@
+import { type JwtSignerConfig } from './signer';
+export type JwtHandlerConfig = JwtSignerConfig;
+interface HandlerResult {
+    status: number;
+    body: Record<string, unknown>;
+}
+export declare function createCoreAccessTokenHandler(config: JwtHandlerConfig): () => Promise<HandlerResult>;
+export declare function createCoreExtensionTokenHandler(config: JwtHandlerConfig): (intentInput: unknown) => Promise<HandlerResult>;
+export {};
+//# sourceMappingURL=handlers.d.ts.map

package/dist/src/jwt-server/handlers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handlers.d.ts","sourceRoot":"","sources":["../../../jwt-server/handlers.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,KAAK,eAAe,EAAE,MAAM,UAAU,CAAA;AAGhE,MAAM,MAAM,gBAAgB,GAAG,eAAe,CAAA;AAE9C,UAAU,aAAa;IACrB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAC9B;AAED,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,gBAAgB,GACvB,MAAM,OAAO,CAAC,aAAa,CAAC,CAa9B;AAED,wBAAgB,+BAA+B,CAC7C,MAAM,EAAE,gBAAgB,GACvB,CAAC,WAAW,EAAE,OAAO,KAAK,OAAO,CAAC,aAAa,CAAC,CAuBlD"}

package/dist/src/jwt-server/handlers.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCoreAccessTokenHandler = createCoreAccessTokenHandler;
+exports.createCoreExtensionTokenHandler = createCoreExtensionTokenHandler;
+const signer_1 = require("./signer");
+const sponsorship_1 = require("./sponsorship");
+function createCoreAccessTokenHandler(config) {
+    const signer = (0, signer_1.createJwtSigner)(config);
+    return async () => {
+        try {
+            const token = await signer.accessToken();
+            return { status: 200, body: { token } };
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'Internal server error';
+            return { status: 500, body: { error: message } };
+        }
+    };
+}
+function createCoreExtensionTokenHandler(config) {
+    const signer = (0, signer_1.createJwtSigner)(config);
+    return async (intentInput) => {
+        if (intentInput === undefined || intentInput === null) {
+            return {
+                status: 400,
+                body: { error: 'Missing intentInput in request body' },
+            };
+        }
+        try {
+            const token = await signer.getIntentExtensionToken(intentInput);
+            return { status: 200, body: { token } };
+        }
+        catch (error) {
+            if (error instanceof sponsorship_1.SponsorshipDeniedError) {
+                return { status: 403, body: { error: error.message } };
+            }
+            const message = error instanceof Error ? error.message : 'Internal server error';
+            return { status: 500, body: { error: message } };
+        }
+    };
+}

package/dist/src/jwt-server/index.d.ts

@@ -0,0 +1,8 @@
+export { computeIntentInputDigest } from './digest';
+export { createExpressRouter } from './express';
+export type { JwtHandlerConfig } from './handlers';
+export { jcsCanonicalise } from './jcs';
+export { createJwtSigner, type JwtCredentials, type JwtSignerConfig, } from './signer';
+export { SponsorshipDeniedError, type SponsorshipFilter, shouldSponsor, } from './sponsorship';
+export { createAccessTokenHandler, createExtensionTokenHandler, } from './web';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/jwt-server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../jwt-server/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAA;AAC/C,YAAY,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,OAAO,CAAA;AACvC,OAAO,EACL,eAAe,EACf,KAAK,cAAc,EACnB,KAAK,eAAe,GACrB,MAAM,UAAU,CAAA;AACjB,OAAO,EACL,sBAAsB,EACtB,KAAK,iBAAiB,EACtB,aAAa,GACd,MAAM,eAAe,CAAA;AACtB,OAAO,EACL,wBAAwB,EACxB,2BAA2B,GAC5B,MAAM,OAAO,CAAA"}

package/dist/src/jwt-server/index.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createExtensionTokenHandler = exports.createAccessTokenHandler = exports.shouldSponsor = exports.SponsorshipDeniedError = exports.createJwtSigner = exports.jcsCanonicalise = exports.createExpressRouter = exports.computeIntentInputDigest = void 0;
+// biome-ignore lint/performance/noBarrelFile: subpath entry point for @rhinestone/sdk/jwt-server
+var digest_1 = require("./digest");
+Object.defineProperty(exports, "computeIntentInputDigest", { enumerable: true, get: function () { return digest_1.computeIntentInputDigest; } });
+var express_1 = require("./express");
+Object.defineProperty(exports, "createExpressRouter", { enumerable: true, get: function () { return express_1.createExpressRouter; } });
+var jcs_1 = require("./jcs");
+Object.defineProperty(exports, "jcsCanonicalise", { enumerable: true, get: function () { return jcs_1.jcsCanonicalise; } });
+var signer_1 = require("./signer");
+Object.defineProperty(exports, "createJwtSigner", { enumerable: true, get: function () { return signer_1.createJwtSigner; } });
+var sponsorship_1 = require("./sponsorship");
+Object.defineProperty(exports, "SponsorshipDeniedError", { enumerable: true, get: function () { return sponsorship_1.SponsorshipDeniedError; } });
+Object.defineProperty(exports, "shouldSponsor", { enumerable: true, get: function () { return sponsorship_1.shouldSponsor; } });
+var web_1 = require("./web");
+Object.defineProperty(exports, "createAccessTokenHandler", { enumerable: true, get: function () { return web_1.createAccessTokenHandler; } });
+Object.defineProperty(exports, "createExtensionTokenHandler", { enumerable: true, get: function () { return web_1.createExtensionTokenHandler; } });

package/dist/src/jwt-server/jcs.d.ts

@@ -0,0 +1,12 @@
+/**
+ * RFC 8785 JSON Canonicalization Scheme (JCS).
+ *
+ * Produces a deterministic JSON serialization by:
+ * 1. Sorting object keys lexicographically (Unicode code-point order)
+ * 2. Using ES2015+ `JSON.stringify` number serialization (IEEE 754 → shortest round-trip)
+ * 3. No whitespace
+ *
+ * Reference: https://www.rfc-editor.org/rfc/rfc8785
+ */
+export declare function jcsCanonicalise(value: unknown): string;
+//# sourceMappingURL=jcs.d.ts.map

package/dist/src/jwt-server/jcs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jcs.d.ts","sourceRoot":"","sources":["../../../jwt-server/jcs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEtD"}

package/dist/src/jwt-server/jcs.js

@@ -0,0 +1,60 @@
+"use strict";
+/**
+ * RFC 8785 JSON Canonicalization Scheme (JCS).
+ *
+ * Produces a deterministic JSON serialization by:
+ * 1. Sorting object keys lexicographically (Unicode code-point order)
+ * 2. Using ES2015+ `JSON.stringify` number serialization (IEEE 754 → shortest round-trip)
+ * 3. No whitespace
+ *
+ * Reference: https://www.rfc-editor.org/rfc/rfc8785
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jcsCanonicalise = jcsCanonicalise;
+function jcsCanonicalise(value) {
+    return serialize(value);
+}
+function serialize(value) {
+    if (value === null || value === undefined) {
+        return 'null';
+    }
+    switch (typeof value) {
+        case 'boolean':
+            return value ? 'true' : 'false';
+        case 'number':
+            if (!Number.isFinite(value)) {
+                throw new Error(`JCS: non-finite number: ${value}`);
+            }
+            // ES2015 Number-to-String satisfies RFC 8785 §3.2.2.3
+            return Object.is(value, -0) ? '0' : String(value);
+        case 'string':
+            return JSON.stringify(value);
+        case 'bigint':
+            // BigInt is not valid JSON; coerce to bare decimal string.
+            // Values above MAX_SAFE_INTEGER are rejected because downstream
+            // JSON parsers using IEEE 754 doubles would silently lose precision,
+            // producing a different digest.
+            if (value > BigInt(Number.MAX_SAFE_INTEGER) ||
+                value < BigInt(-Number.MAX_SAFE_INTEGER)) {
+                throw new Error(`JCS: BigInt ${value} exceeds safe integer range — convert to string before calling`);
+            }
+            return String(value);
+        default:
+            break;
+    }
+    if (Array.isArray(value)) {
+        const items = value.map((item) => serialize(item));
+        return `[${items.join(',')}]`;
+    }
+    // Object — sort keys by Unicode code-point order
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    const members = [];
+    for (const key of keys) {
+        const v = obj[key];
+        if (v === undefined)
+            continue; // skip undefined properties
+        members.push(`${JSON.stringify(key)}:${serialize(v)}`);
+    }
+    return `{${members.join(',')}}`;
+}

package/dist/src/jwt-server/signer.d.ts

@@ -0,0 +1,18 @@
+import { type SponsorshipFilter } from './sponsorship';
+export interface JwtCredentials {
+    privateKey: JsonWebKey;
+    integratorId: string;
+    projectId: string;
+    appId: string;
+    keyId: string;
+    audience?: string;
+}
+export interface JwtSignerConfig {
+    jwt: JwtCredentials;
+    shouldSponsor?: SponsorshipFilter;
+}
+export declare function createJwtSigner(config: JwtSignerConfig): {
+    accessToken: () => Promise<string>;
+    getIntentExtensionToken: (intentInput: unknown) => Promise<string>;
+};
+//# sourceMappingURL=signer.d.ts.map

package/dist/src/jwt-server/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../../jwt-server/signer.ts"],"names":[],"mappings":"AAEA,OAAO,EAGL,KAAK,iBAAiB,EACvB,MAAM,eAAe,CAAA;AAEtB,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,UAAU,CAAA;IACtB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,KAAK,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,cAAc,CAAA;IACnB,aAAa,CAAC,EAAE,iBAAiB,CAAA;CAClC;AAeD,wBAAgB,eAAe,CAAC,MAAM,EAAE,eAAe,GAAG;IACxD,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAA;IAClC,uBAAuB,EAAE,CAAC,WAAW,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;CACnE,CAoEA"}