@sequence0/sdk 1.1.0 → 1.2.0

package/dist/chains/bitcoin-taproot.js

@@ -8,10 +8,15 @@
  * FROST-secp256k1 produces BIP-340 compatible Schnorr signatures that are
  * NATIVE to Taproot key-path spends -- no signature format conversion needed.
  *
- * Depends on the WASM crate's bitcoin.rs for:
- * - Address derivation (group pubkey -> bc1p... P2TR address)
- * - Transaction construction (inputs/outputs -> unsigned TX + sighash)
- * - Signature attachment (FROST sig -> witness data)
+ * Key features:
+ * - **Real secp256k1 EC point arithmetic** for BIP-341 key tweaking
+ *   (lift_x, point_add, scalar_mul -- no external crypto dependencies)
+ * - **Per-input sighash computation** for multi-input transactions
+ *   (each input gets its own BIP-341 sighash for independent FROST signing)
+ * - **Full transaction serialization** with proper segwit witness structure
+ * - **Broadcast via Mempool.space API** (mainnet, testnet, signet, regtest)
+ *
+ * No external dependencies beyond Node.js crypto (SHA-256).
  *
  * @example
  * ```typescript
@@ -101,9 +106,33 @@ class BitcoinTaprootAdapter {
             xOnlyPubkey: bytesToHex(xOnly),
             outputKey: bytesToHex(outputKey),
             scriptPubkey,
+            tapTweak: bytesToHex(tweak),
             network: this.network,
         };
     }
+    /**
+     * Compute the Taproot tweak for a FROST group public key.
+     *
+     * The FROST signing protocol must apply this tweak to the group private key
+     * before signing. This ensures the Schnorr signature verifies against the
+     * tweaked output key (which is what the scriptPubKey commits to).
+     *
+     * The tweak scalar t = hash_TapTweak(internal_key) is returned as hex.
+     * During FROST signing, the group's secret share is tweaked:
+     *   tweaked_share = share + t  (mod n)
+     *
+     * @param groupPubkeyHex - Hex-encoded FROST group verifying key (33 or 32 bytes)
+     * @returns Hex-encoded 32-byte tweak scalar
+     */
+    getTapTweak(groupPubkeyHex) {
+        const pubkeyClean = groupPubkeyHex.startsWith('0x')
+            ? groupPubkeyHex.slice(2)
+            : groupPubkeyHex;
+        const pubkeyBytes = hexToBytes(pubkeyClean);
+        const xOnly = extractXOnlyPubkey(pubkeyBytes);
+        const tweak = computeTapTweak(xOnly);
+        return bytesToHex(tweak);
+    }
     // ────────────────────────────────────────────────
     //  UTXO Management
     // ────────────────────────────────────────────────
@@ -283,9 +312,11 @@ class BitcoinTaprootAdapter {
                 value: u.value,
                 scriptPubkey: u.scriptPubkey,
             }));
-            // Build the unsigned transaction
+            // Build the unsigned transaction with per-input sighashes
+            const sighashes = this.computeAllSighashes(inputs, outputs);
             const unsignedTx = {
-                sighash: this.computeSighash(inputs, outputs),
+                sighash: sighashes[0],
+                sighashes,
                 rawUnsigned: this.serializeUnsignedTx(inputs, outputs),
                 inputs,
                 outputs,
@@ -328,8 +359,10 @@ class BitcoinTaprootAdapter {
             throw new errors_1.ChainError(`Insufficient funds: ${totalInput} sat available, ` +
                 `${totalOutput + fee} sat needed (${totalOutput} output + ${fee} fee)`, 'bitcoin');
         }
+        const sighashes = this.computeAllSighashes(inputs, outputs);
         return {
-            sighash: this.computeSighash(inputs, outputs),
+            sighash: sighashes[0],
+            sighashes,
             rawUnsigned: this.serializeUnsignedTx(inputs, outputs),
             inputs,
             outputs,
@@ -338,25 +371,29 @@ class BitcoinTaprootAdapter {
         };
     }
     /**
-     * Attach a FROST Schnorr signature to an unsigned Taproot transaction.
+     * Attach FROST Schnorr signature(s) to an unsigned Taproot transaction.
+     *
+     * The FROST signing protocol produces 64-byte BIP-340 Schnorr signatures
+     * (R_x || s) that are directly used as Taproot witness for key-path spends.
      *
-     * The FROST signing protocol produces a 64-byte BIP-340 Schnorr signature
-     * (R_x || s) that is directly used as the Taproot witness for key-path spends.
+     * For single-input transactions: pass a single 128-char hex signature.
+     * For multi-input transactions: pass signatures separated by commas, or
+     * a single signature that will be applied to all inputs (if all inputs
+     * share the same signing key and the caller signs each sighash separately).
      *
      * @param unsignedTxHex - Hex-encoded unsigned transaction (from buildTransaction)
-     * @param signatureHex - 64-byte FROST Schnorr signature (hex-encoded, 128 chars)
+     * @param signatureHex - 64-byte FROST Schnorr signature(s). For multi-input
+     *   transactions, separate per-input signatures with commas.
      * @returns Hex-encoded signed transaction ready for broadcast
      */
     async attachSignature(unsignedTxHex, signatureHex) {
         try {
-            const sig = signatureHex.startsWith('0x') ? signatureHex.slice(2) : signatureHex;
-            if (sig.length !== 128) {
-                throw new Error(`Schnorr signature must be 64 bytes (128 hex chars), got ${sig.length} chars`);
-            }
             // Parse the unsigned transaction
             const unsignedTx = JSON.parse(Buffer.from(unsignedTxHex, 'hex').toString());
+            // Parse signature(s)
+            const signatures = this.parseSignatures(signatureHex, unsignedTx.inputs.length);
             // Build the signed transaction with Taproot witness
-            const signedTx = this.serializeSignedTx(unsignedTx, sig);
+            const signedTx = this.serializeSignedTx(unsignedTx, signatures);
             return Buffer.from(JSON.stringify(signedTx)).toString('hex');
         }
         catch (e) {
@@ -364,18 +401,58 @@ class BitcoinTaprootAdapter {
         }
     }
     /**
-     * Attach a FROST Schnorr signature with full output (returns structured data).
+     * Attach FROST Schnorr signature(s) with full output (returns structured data).
      *
      * @param unsignedTx - The UnsignedTaprootTx from buildUnsignedTx
-     * @param signatureHex - 64-byte FROST Schnorr signature (hex, 128 chars)
+     * @param signatureHex - 64-byte FROST Schnorr signature(s) (hex). For multi-input
+     *   transactions, pass an array of per-input signatures or a comma-separated string.
      * @returns SignedTaprootTx with raw_signed, txid, and vsize
      */
     attachSignatureToTx(unsignedTx, signatureHex) {
-        const sig = signatureHex.startsWith('0x') ? signatureHex.slice(2) : signatureHex;
-        if (sig.length !== 128) {
-            throw new errors_1.ChainError(`Schnorr signature must be 64 bytes (128 hex chars), got ${sig.length} chars`, 'bitcoin');
+        const sigs = Array.isArray(signatureHex)
+            ? signatureHex.map(s => {
+                const clean = s.startsWith('0x') ? s.slice(2) : s;
+                if (clean.length !== 128) {
+                    throw new errors_1.ChainError(`Schnorr signature must be 64 bytes (128 hex chars), got ${clean.length}`, 'bitcoin');
+                }
+                return clean;
+            })
+            : this.parseSignatures(signatureHex, unsignedTx.inputs.length);
+        return this.serializeSignedTx(unsignedTx, sigs);
+    }
+    /**
+     * Parse signature hex into per-input signatures.
+     * Supports: single sig (applied to all inputs), comma-separated, or concatenated.
+     */
+    parseSignatures(signatureHex, inputCount) {
+        const raw = signatureHex.startsWith('0x') ? signatureHex.slice(2) : signatureHex;
+        // Check for comma-separated signatures
+        if (raw.includes(',')) {
+            const parts = raw.split(',').map(s => s.trim());
+            if (parts.length !== inputCount) {
+                throw new Error(`Expected ${inputCount} signatures for ${inputCount} inputs, got ${parts.length}`);
+            }
+            for (const s of parts) {
+                if (s.length !== 128) {
+                    throw new Error(`Each Schnorr signature must be 128 hex chars, got ${s.length}`);
+                }
+            }
+            return parts;
         }
-        return this.serializeSignedTx(unsignedTx, sig);
+        // Single signature (128 hex chars) — replicate for all inputs
+        if (raw.length === 128) {
+            return new Array(inputCount).fill(raw);
+        }
+        // Concatenated signatures (128 * inputCount hex chars)
+        if (raw.length === 128 * inputCount) {
+            const sigs = [];
+            for (let i = 0; i < inputCount; i++) {
+                sigs.push(raw.slice(i * 128, (i + 1) * 128));
+            }
+            return sigs;
+        }
+        throw new Error(`Invalid signature format: expected 128 hex chars (single), ` +
+            `${128 * inputCount} chars (concatenated), or comma-separated. Got ${raw.length} chars.`);
     }
     // ────────────────────────────────────────────────
     //  Broadcast
@@ -562,10 +639,16 @@ class BitcoinTaprootAdapter {
         return bytesToHex(new Uint8Array(buf));
     }
     /**
-     * Serialize a signed Taproot transaction.
+     * Serialize a signed Taproot transaction with per-input signatures.
+     *
+     * @param unsignedTx - The unsigned transaction data
+     * @param signatures - Array of per-input signature hex strings (128 chars each)
      */
-    serializeSignedTx(unsignedTx, signatureHex) {
-        const sigBytes = hexToBytes(signatureHex);
+    serializeSignedTx(unsignedTx, signatures) {
+        if (signatures.length !== unsignedTx.inputs.length) {
+            throw new Error(`Signature count (${signatures.length}) does not match ` +
+                `input count (${unsignedTx.inputs.length})`);
+        }
         const buf = [];
         // Version 2
         pushLE32(buf, 2);
@@ -591,8 +674,9 @@ class BitcoinTaprootAdapter {
             pushVarint(buf, script.length);
             buf.push(...script);
         }
-        // Witness: the Schnorr signature for each input
+        // Witness: per-input Schnorr signatures for key-path spend
         for (let i = 0; i < unsignedTx.inputs.length; i++) {
+            const sigBytes = hexToBytes(signatures[i]);
             buf.push(0x01); // 1 witness item
             buf.push(0x40); // 64 bytes (Schnorr signature, no sighash type suffix)
             buf.push(...sigBytes);
@@ -630,20 +714,18 @@ class BitcoinTaprootAdapter {
      * - Spend type (0x00 for key-path, no annex)
      * - Input index (4 bytes LE)
      */
-    computeSighash(inputs, outputs) {
-        // The sighash is a tagged hash: hash_TapSighash(message)
+    /**
+     * Compute all per-input BIP-341 sighashes for the transaction.
+     *
+     * Each input has its own sighash because the input_index field differs.
+     * The common transaction-level hashes (prevouts, amounts, scripts, sequences,
+     * outputs) are precomputed once and reused across all inputs.
+     *
+     * @returns Array of hex-encoded sighashes, one per input
+     */
+    computeAllSighashes(inputs, outputs) {
+        // Precompute the transaction-level hashes (shared across all inputs)
         const tagHash = sha256(new TextEncoder().encode('TapSighash'));
-        const parts = [];
-        // Tag hash prefix (used twice per BIP-340 tagged hash convention)
-        parts.push(...tagHash, ...tagHash);
-        // Epoch (1 byte)
-        parts.push(0x00);
-        // Sighash type: SIGHASH_DEFAULT (1 byte)
-        parts.push(0x00);
-        // Transaction version (4 bytes LE)
-        pushLE32(parts, 2);
-        // Locktime (4 bytes LE)
-        pushLE32(parts, 0);
         // SHA-256 of prevouts
         const prevoutsBuf = [];
         for (const input of inputs) {
@@ -652,13 +734,13 @@ class BitcoinTaprootAdapter {
             prevoutsBuf.push(...txidBytes);
             pushLE32(prevoutsBuf, input.vout);
         }
-        parts.push(...sha256(new Uint8Array(prevoutsBuf)));
+        const hashPrevouts = sha256(new Uint8Array(prevoutsBuf));
         // SHA-256 of amounts
         const amountsBuf = [];
         for (const input of inputs) {
             pushLE64(amountsBuf, input.value);
         }
-        parts.push(...sha256(new Uint8Array(amountsBuf)));
+        const hashAmounts = sha256(new Uint8Array(amountsBuf));
         // SHA-256 of scriptPubKeys (with compact size prefix)
         const scriptsBuf = [];
         for (const input of inputs) {
@@ -666,13 +748,13 @@ class BitcoinTaprootAdapter {
             pushVarint(scriptsBuf, script.length);
             scriptsBuf.push(...script);
         }
-        parts.push(...sha256(new Uint8Array(scriptsBuf)));
+        const hashScripts = sha256(new Uint8Array(scriptsBuf));
         // SHA-256 of sequences
         const seqsBuf = [];
         for (let i = 0; i < inputs.length; i++) {
             pushLE32(seqsBuf, 0xfffffffd);
         }
-        parts.push(...sha256(new Uint8Array(seqsBuf)));
+        const hashSequences = sha256(new Uint8Array(seqsBuf));
         // SHA-256 of outputs
         const outputsBuf = [];
         for (const output of outputs) {
@@ -681,18 +763,185 @@ class BitcoinTaprootAdapter {
             pushVarint(outputsBuf, script.length);
             outputsBuf.push(...script);
         }
-        parts.push(...sha256(new Uint8Array(outputsBuf)));
-        // Spend type: 0x00 (key-path, no annex)
-        parts.push(0x00);
-        // Input index: 0 (sign first input; for multi-input, each input would
-        // need its own sighash, but FROST signs all inputs with the same key)
-        pushLE32(parts, 0);
-        // Final sighash = SHA-256 of the tagged hash message
-        const sighash = sha256(new Uint8Array(parts));
-        return bytesToHex(sighash);
+        const hashOutputs = sha256(new Uint8Array(outputsBuf));
+        // Compute per-input sighash
+        const sighashes = [];
+        for (let inputIdx = 0; inputIdx < inputs.length; inputIdx++) {
+            const parts = [];
+            // Tag hash prefix (used twice per BIP-340 tagged hash convention)
+            parts.push(...tagHash, ...tagHash);
+            // Epoch (1 byte)
+            parts.push(0x00);
+            // Sighash type: SIGHASH_DEFAULT (1 byte)
+            parts.push(0x00);
+            // Transaction version (4 bytes LE)
+            pushLE32(parts, 2);
+            // Locktime (4 bytes LE)
+            pushLE32(parts, 0);
+            // Precomputed hashes
+            parts.push(...hashPrevouts);
+            parts.push(...hashAmounts);
+            parts.push(...hashScripts);
+            parts.push(...hashSequences);
+            parts.push(...hashOutputs);
+            // Spend type: 0x00 (key-path, no annex)
+            parts.push(0x00);
+            // Input index (4 bytes LE) — THIS is what differs per input
+            pushLE32(parts, inputIdx);
+            // Final sighash = SHA-256 of the tagged hash message
+            const sighash = sha256(new Uint8Array(parts));
+            sighashes.push(bytesToHex(sighash));
+        }
+        return sighashes;
     }
 }
 exports.BitcoinTaprootAdapter = BitcoinTaprootAdapter;
+const Secp256k1 = {
+    /** Field prime */
+    P: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
+    /** Curve order */
+    N: 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n,
+    /** Generator x */
+    Gx: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
+    /** Generator y */
+    Gy: 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n,
+    /** Get generator point */
+    G() {
+        return { x: this.Gx, y: this.Gy };
+    },
+    /**
+     * Modular exponentiation: base^exp mod m
+     * Uses square-and-multiply for efficiency.
+     */
+    modPow(base, exp, m) {
+        let result = 1n;
+        base = ((base % m) + m) % m;
+        while (exp > 0n) {
+            if (exp & 1n) {
+                result = (result * base) % m;
+            }
+            exp >>= 1n;
+            base = (base * base) % m;
+        }
+        return result;
+    },
+    /** Modular inverse using Fermat's little theorem: a^(p-2) mod p */
+    modInverse(a, m) {
+        return this.modPow(((a % m) + m) % m, m - 2n, m);
+    },
+    /** Modular square root: returns r such that r^2 = a (mod p), or throws.
+     *  Uses the Tonelli-Shanks shortcut for p = 3 mod 4: r = a^((p+1)/4) mod p */
+    modSqrt(a) {
+        const p = this.P;
+        // secp256k1 p % 4 == 3, so we can use the simple formula
+        const r = this.modPow(((a % p) + p) % p, (p + 1n) / 4n, p);
+        if ((r * r) % p !== ((a % p) + p) % p) {
+            throw new Error('No square root exists for this value');
+        }
+        return r;
+    },
+    /**
+     * Lift an x-only public key to a full curve point with even y-coordinate.
+     * Per BIP-340: given x, compute y = sqrt(x^3 + 7), pick the even root.
+     */
+    liftX(xBytes) {
+        const x = bytesToBigInt(xBytes);
+        const p = this.P;
+        if (x >= p) {
+            throw new Error('x-coordinate exceeds field prime');
+        }
+        // y^2 = x^3 + 7 mod p
+        const y2 = (this.modPow(x, 3n, p) + 7n) % p;
+        let y = this.modSqrt(y2);
+        // BIP-340: pick the even y (y % 2 == 0)
+        if (y & 1n) {
+            y = p - y;
+        }
+        return { x, y };
+    },
+    /**
+     * Point addition: P + Q on secp256k1.
+     * Handles identity, doubling, and general addition.
+     */
+    pointAdd(p1, p2) {
+        if (p1 === null)
+            return p2;
+        if (p2 === null)
+            return p1;
+        const p = this.P;
+        if (p1.x === p2.x) {
+            if (p1.y === p2.y) {
+                // Point doubling
+                return this.pointDouble(p1);
+            }
+            // P + (-P) = O (point at infinity)
+            return null;
+        }
+        // General addition: lambda = (y2 - y1) / (x2 - x1)
+        const dy = ((p2.y - p1.y) % p + p) % p;
+        const dx = ((p2.x - p1.x) % p + p) % p;
+        const lambda = (dy * this.modInverse(dx, p)) % p;
+        const x3 = ((lambda * lambda - p1.x - p2.x) % p + p) % p;
+        const y3 = ((lambda * (p1.x - x3) - p1.y) % p + p) % p;
+        return { x: x3, y: y3 };
+    },
+    /** Point doubling: 2P on secp256k1 */
+    pointDouble(pt) {
+        const p = this.P;
+        if (pt.y === 0n)
+            return null;
+        // lambda = (3 * x^2 + a) / (2 * y)   where a = 0 for secp256k1
+        const num = (3n * pt.x * pt.x) % p;
+        const den = (2n * pt.y) % p;
+        const lambda = (num * this.modInverse(den, p)) % p;
+        const x3 = ((lambda * lambda - 2n * pt.x) % p + p) % p;
+        const y3 = ((lambda * (pt.x - x3) - pt.y) % p + p) % p;
+        return { x: x3, y: y3 };
+    },
+    /**
+     * Scalar multiplication: n * G using double-and-add.
+     * Only used for tweaking, so performance is not critical.
+     */
+    mulG(n) {
+        const order = this.N;
+        n = ((n % order) + order) % order;
+        if (n === 0n) {
+            throw new Error('Zero scalar in mulG');
+        }
+        let result = null;
+        let base = this.G();
+        let k = n;
+        while (k > 0n) {
+            if (k & 1n) {
+                result = this.pointAdd(result, base);
+            }
+            base = this.pointAdd(base, base);
+            k >>= 1n;
+        }
+        if (result === null) {
+            throw new Error('mulG produced point at infinity');
+        }
+        return result;
+    },
+};
+/** Convert a Uint8Array to a bigint (big-endian) */
+function bytesToBigInt(bytes) {
+    let result = 0n;
+    for (const b of bytes) {
+        result = (result << 8n) | BigInt(b);
+    }
+    return result;
+}
+/** Convert a bigint to a 32-byte Uint8Array (big-endian, zero-padded) */
+function bigIntToBytes32(n) {
+    const bytes = new Uint8Array(32);
+    let val = n;
+    for (let i = 31; i >= 0; i--) {
+        bytes[i] = Number(val & 0xffn);
+        val >>= 8n;
+    }
+    return bytes;
+}
 // ────────────────────────────────────────────────
 //  Pure Helper Functions
 // ────────────────────────────────────────────────
@@ -727,23 +976,33 @@ function computeTapTweak(internalKey) {
     return sha256(msg);
 }
 /**
- * Tweak a public key with the given tweak.
+ * Tweak a public key per BIP-341:  Q = lift_x(P) + int(tweak) * G
  *
- * In a full implementation, this would use secp256k1 point addition:
- *   Q = P + tweak * G
+ * Uses real secp256k1 EC point arithmetic. The output key Q is the
+ * x-only coordinate of the resulting point. If the resulting point
+ * has an odd y-coordinate, the tweak is negated (BIP-341 spec).
  *
- * This implementation uses a deterministic tagged-hash derivation that
- * produces consistent output keys for address derivation. The agent-node
- * uses proper EC point arithmetic via k256.
+ * @param internalKey - 32-byte x-only internal public key
+ * @param tweak - 32-byte tweak scalar (hash_TapTweak output)
+ * @returns 32-byte x-only output key
  */
 function tweakPublicKey(internalKey, tweak) {
-    const tag = sha256(new TextEncoder().encode('TapTweak/OutputKey'));
-    const msg = new Uint8Array(tag.length * 2 + internalKey.length + tweak.length);
-    msg.set(tag, 0);
-    msg.set(tag, tag.length);
-    msg.set(internalKey, tag.length * 2);
-    msg.set(tweak, tag.length * 2 + internalKey.length);
-    return sha256(msg);
+    // Lift the x-only key to a full point with even y
+    const P = Secp256k1.liftX(internalKey);
+    // Convert tweak bytes to a bigint scalar
+    const t = bytesToBigInt(tweak);
+    if (t >= Secp256k1.N) {
+        throw new Error('Tweak scalar exceeds curve order');
+    }
+    // Compute t * G
+    const tG = Secp256k1.mulG(t);
+    // Compute Q = P + t * G
+    const Q = Secp256k1.pointAdd(P, tG);
+    if (Q === null) {
+        throw new Error('Tweaked key is point at infinity');
+    }
+    // Return x-coordinate of Q as 32 bytes
+    return bigIntToBytes32(Q.x);
 }
 /** Get the Bech32 HRP for a Bitcoin network */
 function networkToHrp(network) {