@sip-protocol/sdk 0.6.0 → 0.6.2

package/dist/browser.js

@@ -3232,6 +3232,8 @@ __export(browser_exports, {
   PaymentBuilder: () => PaymentBuilder,
   PaymentStatus: () => import_types56.PaymentStatus,
   PrivacyLevel: () => import_types55.PrivacyLevel,
+  PrivateNFT: () => PrivateNFT,
+  PrivateVoting: () => PrivateVoting,
   ProofError: () => ProofError,
   ProofGenerationError: () => ProofGenerationError,
   ProofNotImplementedError: () => ProofNotImplementedError,
@@ -3244,10 +3246,12 @@ __export(browser_exports, {
   STABLECOIN_ADDRESSES: () => STABLECOIN_ADDRESSES,
   STABLECOIN_DECIMALS: () => STABLECOIN_DECIMALS,
   STABLECOIN_INFO: () => STABLECOIN_INFO,
+  SealedBidAuction: () => SealedBidAuction,
   SettlementRegistry: () => SettlementRegistry,
   SettlementRegistryError: () => SettlementRegistryError,
   SmartRouter: () => SmartRouter,
   SolanaWalletAdapter: () => SolanaWalletAdapter,
+  SuiStealthService: () => SuiStealthService,
   SwapStatus: () => SwapStatus,
   ThresholdViewingKey: () => ThresholdViewingKey,
   Treasury: () => Treasury,
@@ -3273,6 +3277,7 @@ __export(browser_exports, {
   checkEd25519StealthAddress: () => checkEd25519StealthAddress,
   checkMobileWASMCompatibility: () => checkMobileWASMCompatibility,
   checkStealthAddress: () => checkStealthAddress,
+  checkSuiStealthAddress: () => checkSuiStealthAddress,
   commit: () => commit,
   commitZero: () => commitZero,
   computeAttestationHash: () => computeAttestationHash,
@@ -3292,8 +3297,11 @@ __export(browser_exports, {
   createNEARIntentsAdapter: () => createNEARIntentsAdapter,
   createNEARIntentsBackend: () => createNEARIntentsBackend,
   createOracleRegistry: () => createOracleRegistry,
+  createPrivateOwnership: () => createPrivateOwnership,
+  createPrivateVoting: () => createPrivateVoting,
   createProductionSIP: () => createProductionSIP,
   createSIP: () => createSIP,
+  createSealedBidAuction: () => createSealedBidAuction,
   createShieldedIntent: () => createShieldedIntent,
   createShieldedPayment: () => createShieldedPayment,
   createSmartRouter: () => createSmartRouter,
@@ -3314,6 +3322,7 @@ __export(browser_exports, {
   deriveEd25519StealthPrivateKey: () => deriveEd25519StealthPrivateKey,
   deriveOracleId: () => deriveOracleId,
   deriveStealthPrivateKey: () => deriveStealthPrivateKey,
+  deriveSuiStealthPrivateKey: () => deriveSuiStealthPrivateKey,
   deriveViewingKey: () => deriveViewingKey,
   deserializeAttestationMessage: () => deserializeAttestationMessage,
   deserializeIntent: () => deserializeIntent,
@@ -3325,6 +3334,7 @@ __export(browser_exports, {
   ed25519PublicKeyToAptosAddress: () => ed25519PublicKeyToAptosAddress,
   ed25519PublicKeyToNearAddress: () => ed25519PublicKeyToNearAddress,
   ed25519PublicKeyToSolanaAddress: () => ed25519PublicKeyToSolanaAddress,
+  ed25519PublicKeyToSuiAddress: () => ed25519PublicKeyToSuiAddress,
   encodeStealthMetaAddress: () => encodeStealthMetaAddress,
   encryptForViewing: () => encryptForViewing,
   featureNotSupportedError: () => featureNotSupportedError,
@@ -3342,6 +3352,7 @@ __export(browser_exports, {
   generateRandomBytes: () => generateRandomBytes,
   generateStealthAddress: () => generateStealthAddress,
   generateStealthMetaAddress: () => generateStealthMetaAddress,
+  generateSuiStealthAddress: () => generateSuiStealthAddress,
   generateViewingKey: () => generateViewingKey,
   getActiveOracles: () => getActiveOracles,
   getAvailableTransports: () => getAvailableTransports,
@@ -3401,10 +3412,13 @@ __export(browser_exports, {
   isValidSlippage: () => isValidSlippage,
   isValidSolanaAddress: () => isValidSolanaAddress,
   isValidStealthMetaAddress: () => isValidStealthMetaAddress,
+  isValidSuiAddress: () => isValidSuiAddress,
   isValidTaprootAddress: () => isValidTaprootAddress,
   nearAddressToEd25519PublicKey: () => nearAddressToEd25519PublicKey,
   normalizeAddress: () => normalizeAddress,
+  normalizeSuiAddress: () => normalizeSuiAddress,
   notConnectedError: () => notConnectedError,
+  proveOwnership: () => proveOwnership,
   publicKeyToEthAddress: () => publicKeyToEthAddress,
   registerWallet: () => registerWallet,
   removeOracle: () => removeOracle,
@@ -3448,6 +3462,7 @@ __export(browser_exports, {
   verifyCommitment: () => verifyCommitment,
   verifyOpening: () => verifyOpening,
   verifyOracleSignature: () => verifyOracleSignature,
+  verifyOwnership: () => verifyOwnership,
   walletRegistry: () => walletRegistry,
   withSecureBuffer: () => withSecureBuffer,
   withSecureBufferSync: () => withSecureBufferSync,
@@ -3720,7 +3735,7 @@ function isNonNegativeAmount(value) {
 function isValidSlippage(value) {
   return typeof value === "number" && !isNaN(value) && value >= 0 && value < 1;
 }
-var STEALTH_META_ADDRESS_REGEX = /^sip:[a-z]+:0x[0-9a-fA-F]{66}:0x[0-9a-fA-F]{66}$/;
+var STEALTH_META_ADDRESS_REGEX = /^sip:[a-z]+:0x[0-9a-fA-F]{64,66}:0x[0-9a-fA-F]{64,66}$/;
 function isValidStealthMetaAddress(addr) {
   if (typeof addr !== "string") return false;
   return STEALTH_META_ADDRESS_REGEX.test(addr);
@@ -4051,17 +4066,33 @@ function validateStealthMetaAddress(metaAddress, field = "recipientMetaAddress")
       `${field}.chain`
     );
   }
-  if (!isValidCompressedPublicKey(metaAddress.spendingKey)) {
-    throw new ValidationError(
-      "spendingKey must be a valid compressed secp256k1 public key (33 bytes, starting with 02 or 03)",
-      `${field}.spendingKey`
-    );
-  }
-  if (!isValidCompressedPublicKey(metaAddress.viewingKey)) {
-    throw new ValidationError(
-      "viewingKey must be a valid compressed secp256k1 public key (33 bytes, starting with 02 or 03)",
-      `${field}.viewingKey`
-    );
+  const isEd25519 = isEd25519Chain(metaAddress.chain);
+  if (isEd25519) {
+    if (!isValidEd25519PublicKey(metaAddress.spendingKey)) {
+      throw new ValidationError(
+        "spendingKey must be a valid ed25519 public key (32 bytes)",
+        `${field}.spendingKey`
+      );
+    }
+    if (!isValidEd25519PublicKey(metaAddress.viewingKey)) {
+      throw new ValidationError(
+        "viewingKey must be a valid ed25519 public key (32 bytes)",
+        `${field}.viewingKey`
+      );
+    }
+  } else {
+    if (!isValidCompressedPublicKey(metaAddress.spendingKey)) {
+      throw new ValidationError(
+        "spendingKey must be a valid compressed secp256k1 public key (33 bytes, starting with 02 or 03)",
+        `${field}.spendingKey`
+      );
+    }
+    if (!isValidCompressedPublicKey(metaAddress.viewingKey)) {
+      throw new ValidationError(
+        "viewingKey must be a valid compressed secp256k1 public key (33 bytes, starting with 02 or 03)",
+        `${field}.viewingKey`
+      );
+    }
   }
 }
 function generateStealthAddress(recipientMetaAddress) {
@@ -5119,6 +5150,10 @@ var IntentBuilder = class {
   params = {};
   senderAddress;
   proofProvider;
+  ownershipSignature;
+  senderSecret;
+  authorizationSignature;
+  allowPlaceholders;
   /**
    * Set the input for the intent
    *
@@ -5270,6 +5305,49 @@ var IntentBuilder = class {
     this.proofProvider = provider;
     return this;
   }
+  /**
+   * Set the signatures and secret for proof generation
+   *
+   * Required for production proof generation. Provides the cryptographic
+   * materials needed to generate valid ZK proofs.
+   *
+   * @param signatures - Object containing ownership signature, sender secret, and authorization signature
+   * @returns this for chaining
+   *
+   * @example
+   * ```typescript
+   * const intent = await builder
+   *   .input('near', 'NEAR', 100n)
+   *   .output('zcash', 'ZEC', 95n)
+   *   .privacy(PrivacyLevel.SHIELDED)
+   *   .withProvider(noirProvider)
+   *   .withSignatures({
+   *     ownershipSignature: await wallet.signMessage(address),
+   *     senderSecret: wallet.privateKey,
+   *     authorizationSignature: await wallet.signMessage(intentHash),
+   *   })
+   *   .build()
+   * ```
+   */
+  withSignatures(signatures) {
+    this.ownershipSignature = signatures.ownershipSignature;
+    this.senderSecret = signatures.senderSecret;
+    this.authorizationSignature = signatures.authorizationSignature;
+    return this;
+  }
+  /**
+   * Allow placeholder signatures for development/testing
+   *
+   * **WARNING**: Never use this in production! Proofs with placeholders
+   * are not cryptographically valid.
+   *
+   * @param allow - Whether to allow placeholders (default: true)
+   * @returns this for chaining
+   */
+  withPlaceholders(allow = true) {
+    this.allowPlaceholders = allow;
+    return this;
+  }
   /**
    * Build the shielded intent
    *
@@ -5281,14 +5359,25 @@ var IntentBuilder = class {
   async build() {
     return createShieldedIntent(this.params, {
       senderAddress: this.senderAddress,
-      proofProvider: this.proofProvider
+      proofProvider: this.proofProvider,
+      ownershipSignature: this.ownershipSignature,
+      senderSecret: this.senderSecret,
+      authorizationSignature: this.authorizationSignature,
+      allowPlaceholders: this.allowPlaceholders
     });
   }
 };
 async function createShieldedIntent(params, options) {
   validateCreateIntentParams(params);
   const { input, output, privacy, recipientMetaAddress, viewingKey, ttl = 300 } = params;
-  const { senderAddress, proofProvider } = options ?? {};
+  const {
+    senderAddress,
+    proofProvider,
+    ownershipSignature,
+    senderSecret,
+    authorizationSignature,
+    allowPlaceholders = false
+  } = options ?? {};
   let viewingKeyHash;
   if (viewingKey) {
     const keyHex = viewingKey.startsWith("0x") ? viewingKey.slice(2) : viewingKey;
@@ -5321,28 +5410,48 @@ async function createShieldedIntent(params, options) {
   let validityProof;
   const requiresProofs = privacy !== import_types.PrivacyLevel.TRANSPARENT;
   if (requiresProofs && proofProvider && proofProvider.isReady) {
+    const hasSignatures = ownershipSignature && senderSecret && authorizationSignature;
+    const usingPlaceholders = !hasSignatures;
+    if (usingPlaceholders && !allowPlaceholders) {
+      throw new ValidationError(
+        "Proof generation requires signatures. Provide ownershipSignature, senderSecret, and authorizationSignature in options, or set allowPlaceholders: true for development/testing.",
+        "options",
+        {
+          missing: [
+            !ownershipSignature && "ownershipSignature",
+            !senderSecret && "senderSecret",
+            !authorizationSignature && "authorizationSignature"
+          ].filter(Boolean)
+        }
+      );
+    }
+    if (usingPlaceholders) {
+      console.warn(
+        "[createShieldedIntent] WARNING: Using placeholder signatures for proof generation. These proofs are NOT cryptographically valid. Do NOT use in production!"
+      );
+    }
     const hexToUint8 = (hex) => {
       const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
       return (0, import_utils6.hexToBytes)(cleanHex);
     };
+    const effectiveOwnershipSig = ownershipSignature ?? new Uint8Array(64);
+    const effectiveSenderSecret = senderSecret ?? new Uint8Array(32);
+    const effectiveAuthSig = authorizationSignature ?? new Uint8Array(64);
     const fundingResult = await proofProvider.generateFundingProof({
       balance: input.amount,
       minimumRequired: output.minAmount,
       blindingFactor: hexToUint8(inputCommitment.blindingFactor),
       assetId: input.asset.symbol,
       userAddress: senderAddress ?? "0x0",
-      ownershipSignature: new Uint8Array(64)
-      // Placeholder - would come from wallet
+      ownershipSignature: effectiveOwnershipSig
     });
     fundingProof = fundingResult.proof;
     const validityResult = await proofProvider.generateValidityProof({
       intentHash: hash(intentId),
       senderAddress: senderAddress ?? "0x0",
       senderBlinding: hexToUint8(senderCommitment.blindingFactor),
-      senderSecret: new Uint8Array(32),
-      // Placeholder - would come from wallet
-      authorizationSignature: new Uint8Array(64),
-      // Placeholder - would come from wallet
+      senderSecret: effectiveSenderSecret,
+      authorizationSignature: effectiveAuthSig,
       nonce: new Uint8Array(32),
       // Could use randomBytes here
       timestamp: now,
@@ -5701,111 +5810,383 @@ var OneClickClient = class {
 
 // src/adapters/near-intents.ts
 var import_types3 = require("@sip-protocol/types");
-var DEFAULT_ASSET_MAPPINGS = {
-  // NEAR assets
-  "near:NEAR": "nep141:wrap.near",
-  "near:wNEAR": "nep141:wrap.near",
-  "near:USDC": "nep141:17208628f84f5d6ad33f0da3bbbeb27ffcb398eac501a31bd6ad2011e36133a1",
-  // Ethereum assets (via OMFT bridge)
-  "ethereum:ETH": "nep141:eth.omft.near",
-  "ethereum:USDC": "nep141:eth-0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48.omft.near",
-  "ethereum:USDT": "nep141:eth-0xdac17f958d2ee523a2206206994597c13d831ec7.omft.near",
-  // Solana assets (via OMFT bridge)
-  "solana:SOL": "nep141:sol.omft.near",
-  "solana:USDC": "nep141:sol-5ce3bf3a31af18be40ba30f721101b4341690186.omft.near",
-  "solana:USDT": "nep141:sol-c800a4bd850783ccb82c2b2c7e84175443606352.omft.near",
-  // Zcash assets
-  "zcash:ZEC": "nep141:zec.omft.near",
-  // Arbitrum assets
-  "arbitrum:ETH": "nep141:arb.omft.near",
-  "arbitrum:ARB": "nep141:arb-0x912ce59144191c1204e64559fe8253a0e49e6548.omft.near",
-  "arbitrum:USDC": "nep141:arb-0xaf88d065e77c8cc2239327c5edb3a432268e5831.omft.near",
-  // Base assets
-  "base:ETH": "nep141:base.omft.near",
-  "base:USDC": "nep141:base-0x833589fcd6edb6e08f4c7c32d4f71b54bda02913.omft.near",
-  // Optimism assets (via HOT bridge - uses nep245)
-  "optimism:ETH": "nep245:v2_1.omni.hot.tg:10_11111111111111111111",
-  "optimism:OP": "nep245:v2_1.omni.hot.tg:10_vLAiSt9KfUGKpw5cD3vsSyNYBo7",
-  "optimism:USDC": "nep245:v2_1.omni.hot.tg:10_A2ewyUyDp6qsue1jqZsGypkCxRJ",
-  // Polygon assets (via HOT bridge - uses nep245)
-  "polygon:POL": "nep245:v2_1.omni.hot.tg:137_11111111111111111111",
-  "polygon:MATIC": "nep245:v2_1.omni.hot.tg:137_11111111111111111111",
-  // POL is the rebranded MATIC
-  "polygon:USDC": "nep245:v2_1.omni.hot.tg:137_qiStmoQJDQPTebaPjgx5VBxZv6L",
-  // BNB Chain assets (via HOT bridge - uses nep245)
-  "bsc:BNB": "nep245:v2_1.omni.hot.tg:56_11111111111111111111",
-  "bsc:USDC": "nep245:v2_1.omni.hot.tg:56_2w93GqMcEmQFDru84j3HZZWt557r",
-  // Avalanche assets (via HOT bridge - uses nep245)
-  "avalanche:AVAX": "nep245:v2_1.omni.hot.tg:43114_11111111111111111111",
-  "avalanche:USDC": "nep245:v2_1.omni.hot.tg:43114_3atVJH3r5c4GqiSYmg9fECvjc47o",
-  // Bitcoin
-  "bitcoin:BTC": "nep141:btc.omft.near",
-  // Aptos
-  "aptos:APT": "nep141:aptos.omft.near"
-};
-var CHAIN_BLOCKCHAIN_MAP = {
-  near: "near",
-  ethereum: "evm",
-  solana: "solana",
-  zcash: "zcash",
-  polygon: "evm",
-  arbitrum: "evm",
-  optimism: "evm",
-  base: "evm",
-  bitcoin: "bitcoin",
-  aptos: "aptos",
-  sui: "sui",
-  cosmos: "cosmos",
-  osmosis: "cosmos",
-  injective: "cosmos",
-  celestia: "cosmos",
-  sei: "cosmos",
-  dydx: "cosmos"
-};
-var NEARIntentsAdapter = class {
-  client;
-  defaultSlippage;
-  defaultDeadlineOffset;
-  assetMappings;
-  constructor(config = {}) {
-    this.client = config.client ?? new OneClickClient({
-      baseUrl: config.baseUrl,
-      jwtToken: config.jwtToken
-    });
-    this.defaultSlippage = config.defaultSlippage ?? 100;
-    this.defaultDeadlineOffset = config.defaultDeadlineOffset ?? 3600;
-    this.assetMappings = {
-      ...DEFAULT_ASSET_MAPPINGS,
-      ...config.assetMappings
-    };
+
+// src/move/aptos.ts
+var import_sha32 = require("@noble/hashes/sha3");
+var import_utils7 = require("@noble/hashes/utils");
+var APTOS_SINGLE_ED25519_SCHEME = 0;
+function ed25519PublicKeyToAptosAddress(publicKey) {
+  if (!isValidHex(publicKey)) {
+    throw new ValidationError(
+      "publicKey must be a valid hex string with 0x prefix",
+      "publicKey"
+    );
+  }
+  if (!isValidEd25519PublicKey(publicKey)) {
+    throw new ValidationError(
+      "publicKey must be 32 bytes (64 hex characters)",
+      "publicKey"
+    );
+  }
+  const publicKeyBytes = (0, import_utils7.hexToBytes)(publicKey.slice(2));
+  const authKeyInput = new Uint8Array(publicKeyBytes.length + 1);
+  authKeyInput.set(publicKeyBytes, 0);
+  authKeyInput[publicKeyBytes.length] = APTOS_SINGLE_ED25519_SCHEME;
+  const addressHash = (0, import_sha32.sha3_256)(authKeyInput);
+  return `0x${(0, import_utils7.bytesToHex)(addressHash)}`;
+}
+function isValidAptosAddress(address) {
+  if (typeof address !== "string" || address.length === 0) {
+    return false;
+  }
+  if (!address.startsWith("0x")) {
+    return false;
+  }
+  const hexPart = address.slice(2);
+  if (hexPart.length !== 64) {
+    return false;
+  }
+  return /^[0-9a-fA-F]{64}$/.test(hexPart);
+}
+function aptosAddressToAuthKey(address) {
+  if (!isValidAptosAddress(address)) {
+    throw new ValidationError(
+      "Invalid Aptos address format (must be 0x-prefixed 64 hex characters)",
+      "address"
+    );
+  }
+  return address.toLowerCase();
+}
+function generateAptosStealthAddress(recipientMetaAddress) {
+  if (recipientMetaAddress.chain !== "aptos") {
+    throw new ValidationError(
+      `Expected chain 'aptos', got '${recipientMetaAddress.chain}'`,
+      "recipientMetaAddress.chain"
+    );
   }
+  const { stealthAddress, sharedSecret } = generateEd25519StealthAddress(recipientMetaAddress);
+  const aptosAddress = ed25519PublicKeyToAptosAddress(stealthAddress.address);
+  return {
+    stealthAddress: aptosAddress,
+    stealthPublicKey: stealthAddress.address,
+    ephemeralPublicKey: stealthAddress.ephemeralPublicKey,
+    viewTag: stealthAddress.viewTag,
+    sharedSecret
+  };
+}
+function deriveAptosStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+  const recovery = deriveEd25519StealthPrivateKey(
+    stealthAddress,
+    spendingPrivateKey,
+    viewingPrivateKey
+  );
+  const aptosAddress = ed25519PublicKeyToAptosAddress(recovery.stealthAddress);
+  return {
+    ...recovery,
+    aptosAddress
+  };
+}
+function checkAptosStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+  return checkEd25519StealthAddress(
+    stealthAddress,
+    spendingPrivateKey,
+    viewingPrivateKey
+  );
+}
+var AptosStealthService = class {
   /**
-   * Get the underlying OneClick client
+   * Generate a stealth address for an Aptos recipient
+   *
+   * @param recipientMetaAddress - Recipient's stealth meta-address
+   * @returns Complete stealth address result
    */
-  getClient() {
-    return this.client;
+  generateStealthAddress(recipientMetaAddress) {
+    return generateAptosStealthAddress(recipientMetaAddress);
   }
   /**
-   * Prepare a swap request
+   * Convert an ed25519 public key to Aptos address format
    *
-   * For shielded/compliant modes, generates a stealth address for the recipient.
+   * @param publicKey - 32-byte ed25519 public key
+   * @returns Aptos address string
+   */
+  stealthKeyToAptosAddress(publicKey) {
+    return ed25519PublicKeyToAptosAddress(publicKey);
+  }
+  /**
+   * Derive the private key for a stealth address
    *
-   * @param request - Swap request parameters
-   * @param recipientMetaAddress - Recipient's stealth meta-address (for privacy modes)
-   * @param senderAddress - Sender's address for refunds
-   * @returns Prepared swap with quote request
+   * @param stealthAddress - Stealth address data
+   * @param spendingPrivateKey - Recipient's spending private key
+   * @param viewingPrivateKey - Recipient's viewing private key
+   * @returns Recovery data with derived private key
    */
-  async prepareSwap(request, recipientMetaAddress, senderAddress) {
-    this.validateRequest(request);
-    const inputChain = request.inputAsset.chain;
-    if (senderAddress) {
-      if (!isAddressValidForChain(senderAddress, inputChain)) {
-        const inputChainType = getChainAddressType(inputChain);
-        const senderFormat = senderAddress.startsWith("0x") ? "EVM" : /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(senderAddress) ? "Solana" : /^[0-9a-f]{64}$/.test(senderAddress) || /^[a-z0-9._-]+$/.test(senderAddress) ? "NEAR" : "unknown";
-        throw new ValidationError(
-          `Wallet address format doesn't match input chain. You're swapping FROM ${inputChain} (${inputChainType} format) but your connected wallet uses ${senderFormat} format. Please connect a wallet that matches the source chain (${inputChain}).`,
-          "senderAddress",
-          {
+  deriveStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+    return deriveAptosStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey);
+  }
+  /**
+   * Check if a stealth address belongs to this recipient
+   *
+   * @param stealthAddress - Stealth address to check
+   * @param spendingPrivateKey - Recipient's spending private key
+   * @param viewingPrivateKey - Recipient's viewing private key
+   * @returns true if the address belongs to this recipient
+   */
+  checkStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+    return checkAptosStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey);
+  }
+  /**
+   * Validate an Aptos address format
+   *
+   * @param address - Address to validate
+   * @returns true if valid format
+   */
+  isValidAddress(address) {
+    return isValidAptosAddress(address);
+  }
+};
+
+// src/move/sui.ts
+var import_blake2b = require("@noble/hashes/blake2b");
+var import_utils8 = require("@noble/hashes/utils");
+var SUI_ED25519_SCHEME = 0;
+function ed25519PublicKeyToSuiAddress(publicKey) {
+  if (!isValidHex(publicKey)) {
+    throw new ValidationError(
+      "publicKey must be a valid hex string with 0x prefix",
+      "publicKey"
+    );
+  }
+  if (!isValidEd25519PublicKey(publicKey)) {
+    throw new ValidationError(
+      "publicKey must be 32 bytes (64 hex characters)",
+      "publicKey"
+    );
+  }
+  const publicKeyBytes = (0, import_utils8.hexToBytes)(publicKey.slice(2));
+  const addressInput = new Uint8Array(publicKeyBytes.length + 1);
+  addressInput[0] = SUI_ED25519_SCHEME;
+  addressInput.set(publicKeyBytes, 1);
+  const hasher = new import_blake2b.BLAKE2b({ dkLen: 32 });
+  hasher.update(addressInput);
+  const addressHash = hasher.digest();
+  return `0x${(0, import_utils8.bytesToHex)(addressHash)}`;
+}
+function isValidSuiAddress(address) {
+  if (typeof address !== "string" || address.length === 0) {
+    return false;
+  }
+  if (!address.startsWith("0x")) {
+    return false;
+  }
+  const hexPart = address.slice(2);
+  if (hexPart.length !== 64) {
+    return false;
+  }
+  return /^[0-9a-fA-F]{64}$/.test(hexPart);
+}
+function normalizeSuiAddress(address) {
+  if (!isValidSuiAddress(address)) {
+    throw new ValidationError(
+      "Invalid Sui address format (must be 0x-prefixed 64 hex characters)",
+      "address"
+    );
+  }
+  return address.toLowerCase();
+}
+function generateSuiStealthAddress(recipientMetaAddress) {
+  if (recipientMetaAddress.chain !== "sui") {
+    throw new ValidationError(
+      `Expected chain 'sui', got '${recipientMetaAddress.chain}'`,
+      "recipientMetaAddress.chain"
+    );
+  }
+  const { stealthAddress, sharedSecret } = generateEd25519StealthAddress(recipientMetaAddress);
+  const suiAddress = ed25519PublicKeyToSuiAddress(stealthAddress.address);
+  return {
+    stealthAddress: suiAddress,
+    stealthPublicKey: stealthAddress.address,
+    ephemeralPublicKey: stealthAddress.ephemeralPublicKey,
+    viewTag: stealthAddress.viewTag,
+    sharedSecret
+  };
+}
+function deriveSuiStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+  const recovery = deriveEd25519StealthPrivateKey(
+    stealthAddress,
+    spendingPrivateKey,
+    viewingPrivateKey
+  );
+  const suiAddress = ed25519PublicKeyToSuiAddress(recovery.stealthAddress);
+  return {
+    ...recovery,
+    suiAddress
+  };
+}
+function checkSuiStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+  return checkEd25519StealthAddress(
+    stealthAddress,
+    spendingPrivateKey,
+    viewingPrivateKey
+  );
+}
+var SuiStealthService = class {
+  /**
+   * Generate a stealth address for a Sui recipient
+   *
+   * @param recipientMetaAddress - Recipient's stealth meta-address
+   * @returns Complete stealth address result
+   */
+  generateStealthAddress(recipientMetaAddress) {
+    return generateSuiStealthAddress(recipientMetaAddress);
+  }
+  /**
+   * Convert an ed25519 public key to Sui address format
+   *
+   * @param publicKey - 32-byte ed25519 public key
+   * @returns Sui address string
+   */
+  stealthKeyToSuiAddress(publicKey) {
+    return ed25519PublicKeyToSuiAddress(publicKey);
+  }
+  /**
+   * Derive the private key for a stealth address
+   *
+   * @param stealthAddress - Stealth address data
+   * @param spendingPrivateKey - Recipient's spending private key
+   * @param viewingPrivateKey - Recipient's viewing private key
+   * @returns Recovery data with derived private key
+   */
+  deriveStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+    return deriveSuiStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey);
+  }
+  /**
+   * Check if a stealth address belongs to this recipient
+   *
+   * @param stealthAddress - Stealth address to check
+   * @param spendingPrivateKey - Recipient's spending private key
+   * @param viewingPrivateKey - Recipient's viewing private key
+   * @returns true if the address belongs to this recipient
+   */
+  checkStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
+    return checkSuiStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey);
+  }
+  /**
+   * Validate a Sui address format
+   *
+   * @param address - Address to validate
+   * @returns true if valid format
+   */
+  isValidAddress(address) {
+    return isValidSuiAddress(address);
+  }
+};
+
+// src/adapters/near-intents.ts
+var DEFAULT_ASSET_MAPPINGS = {
+  // NEAR assets
+  "near:NEAR": "nep141:wrap.near",
+  "near:wNEAR": "nep141:wrap.near",
+  "near:USDC": "nep141:17208628f84f5d6ad33f0da3bbbeb27ffcb398eac501a31bd6ad2011e36133a1",
+  // Ethereum assets (via OMFT bridge)
+  "ethereum:ETH": "nep141:eth.omft.near",
+  "ethereum:USDC": "nep141:eth-0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48.omft.near",
+  "ethereum:USDT": "nep141:eth-0xdac17f958d2ee523a2206206994597c13d831ec7.omft.near",
+  // Solana assets (via OMFT bridge)
+  "solana:SOL": "nep141:sol.omft.near",
+  "solana:USDC": "nep141:sol-5ce3bf3a31af18be40ba30f721101b4341690186.omft.near",
+  "solana:USDT": "nep141:sol-c800a4bd850783ccb82c2b2c7e84175443606352.omft.near",
+  // Zcash assets
+  "zcash:ZEC": "nep141:zec.omft.near",
+  // Arbitrum assets
+  "arbitrum:ETH": "nep141:arb.omft.near",
+  "arbitrum:ARB": "nep141:arb-0x912ce59144191c1204e64559fe8253a0e49e6548.omft.near",
+  "arbitrum:USDC": "nep141:arb-0xaf88d065e77c8cc2239327c5edb3a432268e5831.omft.near",
+  // Base assets
+  "base:ETH": "nep141:base.omft.near",
+  "base:USDC": "nep141:base-0x833589fcd6edb6e08f4c7c32d4f71b54bda02913.omft.near",
+  // Optimism assets (via HOT bridge - uses nep245)
+  "optimism:ETH": "nep245:v2_1.omni.hot.tg:10_11111111111111111111",
+  "optimism:OP": "nep245:v2_1.omni.hot.tg:10_vLAiSt9KfUGKpw5cD3vsSyNYBo7",
+  "optimism:USDC": "nep245:v2_1.omni.hot.tg:10_A2ewyUyDp6qsue1jqZsGypkCxRJ",
+  // Polygon assets (via HOT bridge - uses nep245)
+  "polygon:POL": "nep245:v2_1.omni.hot.tg:137_11111111111111111111",
+  "polygon:MATIC": "nep245:v2_1.omni.hot.tg:137_11111111111111111111",
+  // POL is the rebranded MATIC
+  "polygon:USDC": "nep245:v2_1.omni.hot.tg:137_qiStmoQJDQPTebaPjgx5VBxZv6L",
+  // BNB Chain assets (via HOT bridge - uses nep245)
+  "bsc:BNB": "nep245:v2_1.omni.hot.tg:56_11111111111111111111",
+  "bsc:USDC": "nep245:v2_1.omni.hot.tg:56_2w93GqMcEmQFDru84j3HZZWt557r",
+  // Avalanche assets (via HOT bridge - uses nep245)
+  "avalanche:AVAX": "nep245:v2_1.omni.hot.tg:43114_11111111111111111111",
+  "avalanche:USDC": "nep245:v2_1.omni.hot.tg:43114_3atVJH3r5c4GqiSYmg9fECvjc47o",
+  // Bitcoin
+  "bitcoin:BTC": "nep141:btc.omft.near",
+  // Aptos
+  "aptos:APT": "nep141:aptos.omft.near"
+};
+var CHAIN_BLOCKCHAIN_MAP = {
+  near: "near",
+  ethereum: "evm",
+  solana: "solana",
+  zcash: "zcash",
+  polygon: "evm",
+  arbitrum: "evm",
+  optimism: "evm",
+  base: "evm",
+  bitcoin: "bitcoin",
+  aptos: "aptos",
+  sui: "sui",
+  cosmos: "cosmos",
+  osmosis: "cosmos",
+  injective: "cosmos",
+  celestia: "cosmos",
+  sei: "cosmos",
+  dydx: "cosmos"
+};
+var NEARIntentsAdapter = class {
+  client;
+  defaultSlippage;
+  defaultDeadlineOffset;
+  assetMappings;
+  constructor(config = {}) {
+    this.client = config.client ?? new OneClickClient({
+      baseUrl: config.baseUrl,
+      jwtToken: config.jwtToken
+    });
+    this.defaultSlippage = config.defaultSlippage ?? 100;
+    this.defaultDeadlineOffset = config.defaultDeadlineOffset ?? 3600;
+    this.assetMappings = {
+      ...DEFAULT_ASSET_MAPPINGS,
+      ...config.assetMappings
+    };
+  }
+  /**
+   * Get the underlying OneClick client
+   */
+  getClient() {
+    return this.client;
+  }
+  /**
+   * Prepare a swap request
+   *
+   * For shielded/compliant modes, generates a stealth address for the recipient.
+   *
+   * @param request - Swap request parameters
+   * @param recipientMetaAddress - Recipient's stealth meta-address (for privacy modes)
+   * @param senderAddress - Sender's address for refunds
+   * @returns Prepared swap with quote request
+   */
+  async prepareSwap(request, recipientMetaAddress, senderAddress) {
+    this.validateRequest(request);
+    const inputChain = request.inputAsset.chain;
+    if (senderAddress) {
+      if (!isAddressValidForChain(senderAddress, inputChain)) {
+        const inputChainType = getChainAddressType(inputChain);
+        const senderFormat = senderAddress.startsWith("0x") ? "EVM" : /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(senderAddress) ? "Solana" : /^[0-9a-f]{64}$/.test(senderAddress) || /^[a-z0-9._-]+$/.test(senderAddress) ? "NEAR" : "unknown";
+        throw new ValidationError(
+          `Wallet address format doesn't match input chain. You're swapping FROM ${inputChain} (${inputChainType} format) but your connected wallet uses ${senderFormat} format. Please connect a wallet that matches the source chain (${inputChain}).`,
+          "senderAddress",
+          {
             inputChain,
             expectedFormat: inputChainType,
             receivedFormat: senderFormat,
@@ -5847,11 +6228,15 @@ var NEARIntentsAdapter = class {
           recipientAddress = ed25519PublicKeyToSolanaAddress(stealthAddress.address);
         } else if (outputChain === "near") {
           recipientAddress = ed25519PublicKeyToNearAddress(stealthAddress.address);
+        } else if (outputChain === "aptos") {
+          recipientAddress = ed25519PublicKeyToAptosAddress(stealthAddress.address);
+        } else if (outputChain === "sui") {
+          recipientAddress = ed25519PublicKeyToSuiAddress(stealthAddress.address);
         } else {
           throw new ValidationError(
-            `ed25519 address derivation not implemented for ${outputChain}`,
+            `ed25519 address derivation not implemented for ${outputChain}. Please add support in near-intents.ts.`,
             "outputAsset",
-            { outputChain }
+            { outputChain, hint: "Add address derivation function for this chain" }
           );
         }
         nativeRecipientAddress = recipientAddress;
@@ -5888,6 +6273,10 @@ var NEARIntentsAdapter = class {
               refundAddress = ed25519PublicKeyToSolanaAddress(refundStealth.stealthAddress.address);
             } else if (inputChain2 === "near") {
               refundAddress = ed25519PublicKeyToNearAddress(refundStealth.stealthAddress.address);
+            } else if (inputChain2 === "aptos") {
+              refundAddress = ed25519PublicKeyToAptosAddress(refundStealth.stealthAddress.address);
+            } else if (inputChain2 === "sui") {
+              refundAddress = ed25519PublicKeyToSuiAddress(refundStealth.stealthAddress.address);
             }
           } else {
             throw new ValidationError(
@@ -6545,144 +6934,6 @@ function createProductionSIP(config) {
   });
 }
 
-// src/move/aptos.ts
-var import_sha32 = require("@noble/hashes/sha3");
-var import_utils7 = require("@noble/hashes/utils");
-var APTOS_SINGLE_ED25519_SCHEME = 0;
-function ed25519PublicKeyToAptosAddress(publicKey) {
-  if (!isValidHex(publicKey)) {
-    throw new ValidationError(
-      "publicKey must be a valid hex string with 0x prefix",
-      "publicKey"
-    );
-  }
-  if (!isValidEd25519PublicKey(publicKey)) {
-    throw new ValidationError(
-      "publicKey must be 32 bytes (64 hex characters)",
-      "publicKey"
-    );
-  }
-  const publicKeyBytes = (0, import_utils7.hexToBytes)(publicKey.slice(2));
-  const authKeyInput = new Uint8Array(publicKeyBytes.length + 1);
-  authKeyInput.set(publicKeyBytes, 0);
-  authKeyInput[publicKeyBytes.length] = APTOS_SINGLE_ED25519_SCHEME;
-  const addressHash = (0, import_sha32.sha3_256)(authKeyInput);
-  return `0x${(0, import_utils7.bytesToHex)(addressHash)}`;
-}
-function isValidAptosAddress(address) {
-  if (typeof address !== "string" || address.length === 0) {
-    return false;
-  }
-  if (!address.startsWith("0x")) {
-    return false;
-  }
-  const hexPart = address.slice(2);
-  if (hexPart.length !== 64) {
-    return false;
-  }
-  return /^[0-9a-fA-F]{64}$/.test(hexPart);
-}
-function aptosAddressToAuthKey(address) {
-  if (!isValidAptosAddress(address)) {
-    throw new ValidationError(
-      "Invalid Aptos address format (must be 0x-prefixed 64 hex characters)",
-      "address"
-    );
-  }
-  return address.toLowerCase();
-}
-function generateAptosStealthAddress(recipientMetaAddress) {
-  if (recipientMetaAddress.chain !== "aptos") {
-    throw new ValidationError(
-      `Expected chain 'aptos', got '${recipientMetaAddress.chain}'`,
-      "recipientMetaAddress.chain"
-    );
-  }
-  const { stealthAddress, sharedSecret } = generateEd25519StealthAddress(recipientMetaAddress);
-  const aptosAddress = ed25519PublicKeyToAptosAddress(stealthAddress.address);
-  return {
-    stealthAddress: aptosAddress,
-    stealthPublicKey: stealthAddress.address,
-    ephemeralPublicKey: stealthAddress.ephemeralPublicKey,
-    viewTag: stealthAddress.viewTag,
-    sharedSecret
-  };
-}
-function deriveAptosStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
-  const recovery = deriveEd25519StealthPrivateKey(
-    stealthAddress,
-    spendingPrivateKey,
-    viewingPrivateKey
-  );
-  const aptosAddress = ed25519PublicKeyToAptosAddress(recovery.stealthAddress);
-  return {
-    ...recovery,
-    aptosAddress
-  };
-}
-function checkAptosStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
-  return checkEd25519StealthAddress(
-    stealthAddress,
-    spendingPrivateKey,
-    viewingPrivateKey
-  );
-}
-var AptosStealthService = class {
-  /**
-   * Generate a stealth address for an Aptos recipient
-   *
-   * @param recipientMetaAddress - Recipient's stealth meta-address
-   * @returns Complete stealth address result
-   */
-  generateStealthAddress(recipientMetaAddress) {
-    return generateAptosStealthAddress(recipientMetaAddress);
-  }
-  /**
-   * Convert an ed25519 public key to Aptos address format
-   *
-   * @param publicKey - 32-byte ed25519 public key
-   * @returns Aptos address string
-   */
-  stealthKeyToAptosAddress(publicKey) {
-    return ed25519PublicKeyToAptosAddress(publicKey);
-  }
-  /**
-   * Derive the private key for a stealth address
-   *
-   * @param stealthAddress - Stealth address data
-   * @param spendingPrivateKey - Recipient's spending private key
-   * @param viewingPrivateKey - Recipient's viewing private key
-   * @returns Recovery data with derived private key
-   */
-  deriveStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
-    return deriveAptosStealthPrivateKey(stealthAddress, spendingPrivateKey, viewingPrivateKey);
-  }
-  /**
-   * Check if a stealth address belongs to this recipient
-   *
-   * @param stealthAddress - Stealth address to check
-   * @param spendingPrivateKey - Recipient's spending private key
-   * @param viewingPrivateKey - Recipient's viewing private key
-   * @returns true if the address belongs to this recipient
-   */
-  checkStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey) {
-    return checkAptosStealthAddress(stealthAddress, spendingPrivateKey, viewingPrivateKey);
-  }
-  /**
-   * Validate an Aptos address format
-   *
-   * @param address - Address to validate
-   * @returns true if valid format
-   */
-  isValidAddress(address) {
-    return isValidAptosAddress(address);
-  }
-};
-
-// src/move/sui.ts
-var import_blake2b = require("@noble/hashes/blake2b");
-var import_utils8 = require("@noble/hashes/utils");
-
 // src/cosmos/stealth.ts
 var import_sha2566 = require("@noble/hashes/sha256");
 var import_ripemd160 = require("@noble/hashes/ripemd160");
@@ -6725,7 +6976,6 @@ var CosmosStealthService = class {
       metaAddress: {
         ...result.metaAddress,
         chain
-        // Will be updated in types package
       }
     };
   }
@@ -7279,13 +7529,7 @@ function getMobileDeviceInfo() {
     osVersion: getOSVersion(),
     isTablet: isTablet(),
     supportsTouch: supportsTouch(),
-    deviceMemoryGB: (
-      // @ts-expect-error - deviceMemory is non-standard
-      typeof navigator !== "undefined" && navigator.deviceMemory ? (
-        // @ts-expect-error - deviceMemory is non-standard
-        navigator.deviceMemory
-      ) : null
-    ),
+    deviceMemoryGB: typeof navigator !== "undefined" && navigator.deviceMemory ? navigator.deviceMemory : null,
     hardwareConcurrency: typeof navigator !== "undefined" && navigator.hardwareConcurrency ? navigator.hardwareConcurrency : null
   };
 }
@@ -14169,10 +14413,20 @@ var AuditorType = /* @__PURE__ */ ((AuditorType2) => {
 })(AuditorType || {});
 var AuditorKeyDerivation = class {
   /**
-   * SIP Protocol coin type (BIP-44 registered)
+   * SIP Protocol coin type for BIP-44 derivation
+   *
+   * This uses 1234 as SIP Protocol's internal coin type identifier.
    *
-   * Note: This is a placeholder. In production, register with SLIP-44:
-   * https://github.com/satoshilabs/slips/blob/master/slip-0044.md
+   * **Registration Status**: Not registered with SLIP-44
+   *
+   * **Why this is acceptable**:
+   * - SIP viewing keys are protocol-specific, not wallet-portable
+   * - Keys derived here are for auditor access, not user funds
+   * - SLIP-44 registration is for coin types that need hardware wallet support
+   *
+   * **Future consideration**: If hardware wallet integration for SIP auditor keys
+   * is desired, submit a PR to https://github.com/satoshilabs/slips to register
+   * an official coin type. Current value (1234) is in the unregistered range.
    */
   static COIN_TYPE = 1234;
   /**
@@ -14279,193 +14533,2147 @@ var AuditorKeyDerivation = class {
     }
   }
   /**
-   * Derive multiple viewing keys at once
+   * Derive multiple viewing keys at once
+   *
+   * Efficiently derives keys for multiple auditor types from the same
+   * master seed. This is more efficient than calling deriveViewingKey
+   * multiple times as it reuses intermediate derivations.
+   *
+   * @param params - Derivation parameters
+   * @returns Array of derived viewing keys
+   *
+   * @example
+   * ```typescript
+   * const keys = AuditorKeyDerivation.deriveMultiple({
+   *   masterSeed: randomBytes(32),
+   *   auditorTypes: [
+   *     AuditorType.PRIMARY,
+   *     AuditorType.REGULATORY,
+   *     AuditorType.INTERNAL,
+   *   ],
+   * })
+   *
+   * // keys[0] -> PRIMARY key (m/44'/1234'/0'/0)
+   * // keys[1] -> REGULATORY key (m/44'/1234'/0'/1)
+   * // keys[2] -> INTERNAL key (m/44'/1234'/0'/2)
+   * ```
+   */
+  static deriveMultiple(params) {
+    const { masterSeed, auditorTypes, account = 0 } = params;
+    this.validateMasterSeed(masterSeed);
+    this.validateAccount(account);
+    if (!auditorTypes || auditorTypes.length === 0) {
+      throw new ValidationError(
+        "at least one auditor type is required",
+        "auditorTypes",
+        { received: auditorTypes },
+        "SIP_2008" /* MISSING_REQUIRED */
+      );
+    }
+    for (const type of auditorTypes) {
+      this.validateAuditorType(type);
+    }
+    const uniqueTypes = Array.from(new Set(auditorTypes));
+    const commonIndices = [
+      this.PURPOSE | this.HARDENED,
+      // 44' (hardened)
+      this.COIN_TYPE | this.HARDENED,
+      // 1234' (hardened)
+      account | this.HARDENED
+      // account' (hardened)
+    ];
+    const masterData = (0, import_hmac2.hmac)(import_sha5123.sha512, (0, import_utils25.utf8ToBytes)("SIP-MASTER-SEED"), masterSeed);
+    let commonKey = new Uint8Array(masterData.slice(0, 32));
+    let commonChainCode = new Uint8Array(masterData.slice(32, 64));
+    try {
+      for (let i = 0; i < commonIndices.length; i++) {
+        const index = commonIndices[i];
+        const derived = this.deriveChildKey(commonKey, commonChainCode, index);
+        if (i > 0) {
+          secureWipe(commonKey);
+        }
+        commonKey = new Uint8Array(derived.key);
+        commonChainCode = new Uint8Array(derived.chainCode);
+      }
+      const results = [];
+      for (const auditorType of uniqueTypes) {
+        const derived = this.deriveChildKey(commonKey, commonChainCode, auditorType);
+        try {
+          const keyHex = `0x${(0, import_utils25.bytesToHex)(derived.key)}`;
+          const hashBytes = (0, import_sha25619.sha256)(derived.key);
+          const hash2 = `0x${(0, import_utils25.bytesToHex)(hashBytes)}`;
+          const path = this.derivePath(auditorType, account);
+          const viewingKey = {
+            key: keyHex,
+            path,
+            hash: hash2
+          };
+          results.push({
+            path,
+            viewingKey,
+            auditorType,
+            account
+          });
+        } finally {
+          secureWipe(derived.key);
+          secureWipe(derived.chainCode);
+        }
+      }
+      return results;
+    } finally {
+      secureWipe(commonKey);
+      secureWipe(commonChainCode);
+    }
+  }
+  /**
+   * Get human-readable name for auditor type
+   *
+   * @param auditorType - Auditor type enum value
+   * @returns Friendly name string
+   */
+  static getAuditorTypeName(auditorType) {
+    switch (auditorType) {
+      case 0 /* PRIMARY */:
+        return "Primary";
+      case 1 /* REGULATORY */:
+        return "Regulatory";
+      case 2 /* INTERNAL */:
+        return "Internal";
+      case 3 /* TAX */:
+        return "Tax Authority";
+      default:
+        return `Unknown (${auditorType})`;
+    }
+  }
+  // ─── Private Helpers ─────────────────────────────────────────────────────────
+  /**
+   * Derive a child key using BIP-32 HMAC-SHA512 derivation
+   *
+   * @param parentKey - Parent key bytes (32 bytes)
+   * @param chainCode - Parent chain code (32 bytes)
+   * @param index - Child index (use | HARDENED for hardened derivation)
+   * @returns Derived key and chain code
+   */
+  static deriveChildKey(parentKey, chainCode, index) {
+    const isHardened = (index & this.HARDENED) !== 0;
+    const data = new Uint8Array(37);
+    if (isHardened) {
+      data[0] = 0;
+      data.set(parentKey, 1);
+    } else {
+      data[0] = 1;
+      data.set(parentKey, 1);
+    }
+    const indexView = new DataView(data.buffer, 33, 4);
+    indexView.setUint32(0, index, false);
+    const hmacResult = (0, import_hmac2.hmac)(import_sha5123.sha512, chainCode, data);
+    const childKey = new Uint8Array(hmacResult.slice(0, 32));
+    const childChainCode = new Uint8Array(hmacResult.slice(32, 64));
+    return {
+      key: childKey,
+      chainCode: childChainCode
+    };
+  }
+  /**
+   * Validate master seed
+   */
+  static validateMasterSeed(seed) {
+    if (!seed || seed.length < 32) {
+      throw new ValidationError(
+        "master seed must be at least 32 bytes",
+        "masterSeed",
+        { received: seed?.length ?? 0 },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+  }
+  /**
+   * Validate auditor type
+   */
+  static validateAuditorType(type) {
+    const validTypes = [
+      0 /* PRIMARY */,
+      1 /* REGULATORY */,
+      2 /* INTERNAL */,
+      3 /* TAX */
+    ];
+    if (!validTypes.includes(type)) {
+      throw new ValidationError(
+        `invalid auditor type: ${type}`,
+        "auditorType",
+        { received: type, valid: validTypes },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+  }
+  /**
+   * Validate account index
+   */
+  static validateAccount(account) {
+    if (!Number.isInteger(account) || account < 0 || account >= this.HARDENED) {
+      throw new ValidationError(
+        `account must be a non-negative integer less than ${this.HARDENED}`,
+        "account",
+        { received: account },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+  }
+};
+
+// src/auction/sealed-bid.ts
+var import_utils26 = require("@noble/hashes/utils");
+var SealedBidAuction = class {
+  /**
+   * Create a sealed bid for an auction
+   *
+   * Generates a cryptographically binding commitment to a bid amount.
+   * The commitment can be published publicly without revealing the bid.
+   *
+   * **Important:** Keep the returned `BidReceipt` secret! It contains the bid
+   * amount and salt needed to reveal the bid later. Only publish the commitment.
+   *
+   * @param params - Bid creation parameters
+   * @returns Complete bid receipt (keep secret!) and sealed bid (publish this)
+   * @throws {ValidationError} If auctionId is empty, amount is non-positive, or salt is invalid
+   *
+   * @example
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // Create a bid for 50 ETH
+   * const receipt = auction.createBid({
+   *   auctionId: 'auction-xyz',
+   *   amount: 50n * 10n**18n,
+   * })
+   *
+   * // Public data (safe to publish)
+   * console.log({
+   *   auctionId: receipt.auctionId,
+   *   commitment: receipt.commitment,
+   *   timestamp: receipt.timestamp,
+   * })
+   *
+   * // Secret data (store securely, needed for reveal)
+   * secureStorage.save({
+   *   amount: receipt.amount,
+   *   salt: receipt.salt,
+   * })
+   * ```
+   */
+  createBid(params) {
+    if (typeof params.auctionId !== "string" || params.auctionId.length === 0) {
+      throw new ValidationError(
+        "auctionId must be a non-empty string",
+        "auctionId",
+        { received: params.auctionId }
+      );
+    }
+    if (typeof params.amount !== "bigint") {
+      throw new ValidationError(
+        "amount must be a bigint",
+        "amount",
+        { received: typeof params.amount }
+      );
+    }
+    if (params.amount <= 0n) {
+      throw new ValidationError(
+        "amount must be positive",
+        "amount",
+        { received: params.amount.toString() }
+      );
+    }
+    if (params.salt !== void 0) {
+      if (!(params.salt instanceof Uint8Array)) {
+        throw new ValidationError(
+          "salt must be a Uint8Array",
+          "salt",
+          { received: typeof params.salt }
+        );
+      }
+      if (params.salt.length !== 32) {
+        throw new ValidationError(
+          "salt must be exactly 32 bytes",
+          "salt",
+          { received: params.salt.length }
+        );
+      }
+    }
+    const salt = params.salt ?? (0, import_utils26.randomBytes)(32);
+    const { commitment, blinding } = commit(params.amount, salt);
+    const sealedBid = {
+      auctionId: params.auctionId,
+      commitment,
+      timestamp: Date.now()
+    };
+    return {
+      ...sealedBid,
+      amount: params.amount,
+      salt: blinding
+    };
+  }
+  /**
+   * Verify that a revealed bid matches its commitment
+   *
+   * Checks that the commitment opens to the claimed bid amount with the provided salt.
+   * This proves the bidder committed to this exact amount during the bidding phase.
+   *
+   * @param params - Verification parameters
+   * @returns true if the bid is valid, false otherwise
+   * @throws {ValidationError} If commitment or salt format is invalid
+   *
+   * @example Verify a revealed bid
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // During reveal phase, bidder reveals their bid
+   * const revealed = {
+   *   commitment: '0x02abc...', // From bidding phase
+   *   amount: 50n * 10n**18n,   // Revealed now
+   *   salt: '0x123...',         // Revealed now
+   * }
+   *
+   * // Anyone can verify
+   * const isValid = auction.verifyBid(revealed)
+   *
+   * if (isValid) {
+   *   console.log('✓ Bid is valid - bidder committed to this amount')
+   * } else {
+   *   console.log('✗ Bid is invalid - possible cheating attempt!')
+   * }
+   * ```
+   *
+   * @example Detect cheating
+   * ```typescript
+   * // Bidder tries to change their bid amount
+   * const cheatingAttempt = {
+   *   commitment: aliceBid.commitment, // Original commitment
+   *   amount: 200n * 10n**18n,        // Different amount!
+   *   salt: aliceBid.salt,
+   * }
+   *
+   * const isValid = auction.verifyBid(cheatingAttempt)
+   * console.log(isValid) // false - commitment doesn't match!
+   * ```
+   */
+  verifyBid(params) {
+    if (typeof params.commitment !== "string" || !params.commitment.startsWith("0x")) {
+      throw new ValidationError(
+        "commitment must be a hex string with 0x prefix",
+        "commitment",
+        { received: params.commitment }
+      );
+    }
+    if (typeof params.amount !== "bigint") {
+      throw new ValidationError(
+        "amount must be a bigint",
+        "amount",
+        { received: typeof params.amount }
+      );
+    }
+    if (typeof params.salt !== "string" || !params.salt.startsWith("0x")) {
+      throw new ValidationError(
+        "salt must be a hex string with 0x prefix",
+        "salt",
+        { received: params.salt }
+      );
+    }
+    return verifyOpening(params.commitment, params.amount, params.salt);
+  }
+  /**
+   * Reveal a sealed bid by exposing the amount and salt
+   *
+   * Converts a BidReceipt (with secrets) into a RevealedBid (all public).
+   * This is what bidders submit during the reveal phase to prove their bid.
+   *
+   * **Important:** This method validates that the revealed data matches the
+   * commitment before returning. If validation fails, it throws an error.
+   *
+   * @param bid - The sealed bid to reveal (must include amount and salt from BidReceipt)
+   * @param amount - The bid amount to reveal
+   * @param salt - The salt/blinding factor to reveal
+   * @returns Complete revealed bid ready for public verification
+   * @throws {ValidationError} If the revealed data doesn't match the commitment (cheating attempt)
+   *
+   * @example Reveal a bid during reveal phase
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // BIDDING PHASE
+   * const receipt = auction.createBid({
+   *   auctionId: 'auction-1',
+   *   amount: 100n,
+   * })
+   *
+   * // Submit commitment on-chain (only commitment is public)
+   * await submitToChain({
+   *   auctionId: receipt.auctionId,
+   *   commitment: receipt.commitment,
+   *   timestamp: receipt.timestamp,
+   * })
+   *
+   * // REVEAL PHASE (after bidding closes)
+   * const revealed = auction.revealBid(
+   *   { auctionId: receipt.auctionId, commitment: receipt.commitment, timestamp: receipt.timestamp },
+   *   receipt.amount,
+   *   receipt.salt
+   * )
+   *
+   * // Submit revealed bid on-chain for verification
+   * await revealOnChain(revealed)
+   * ```
+   *
+   * @example Detect invalid reveal attempt
+   * ```typescript
+   * const receipt = auction.createBid({
+   *   auctionId: 'auction-1',
+   *   amount: 100n,
+   * })
+   *
+   * // Try to reveal a different amount (cheating!)
+   * try {
+   *   auction.revealBid(
+   *     { auctionId: receipt.auctionId, commitment: receipt.commitment, timestamp: receipt.timestamp },
+   *     200n, // Different amount!
+   *     receipt.salt
+   *   )
+   * } catch (error) {
+   *   console.log('Cheating detected!') // ValidationError thrown
+   * }
+   * ```
+   */
+  revealBid(bid, amount, salt) {
+    const saltHex = `0x${(0, import_utils26.bytesToHex)(salt)}`;
+    const isValid = this.verifyBid({
+      commitment: bid.commitment,
+      amount,
+      salt: saltHex
+    });
+    if (!isValid) {
+      throw new ValidationError(
+        "revealed bid does not match commitment - possible cheating attempt",
+        "reveal",
+        {
+          commitment: bid.commitment,
+          amount: amount.toString(),
+          expectedMatch: true,
+          actualMatch: false
+        }
+      );
+    }
+    return {
+      auctionId: bid.auctionId,
+      commitment: bid.commitment,
+      amount,
+      salt: saltHex,
+      timestamp: bid.timestamp
+    };
+  }
+  /**
+   * Verify that a revealed bid matches its original sealed bid
+   *
+   * Convenience method that verifies a RevealedBid object.
+   * This is equivalent to calling verifyBid() with the reveal's components.
+   *
+   * @param bid - The sealed bid from the bidding phase
+   * @param reveal - The revealed bid to verify
+   * @returns true if reveal is valid, false otherwise
+   * @throws {ValidationError} If inputs are malformed
+   *
+   * @example Verify a revealed bid
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // Bidding phase
+   * const receipt = auction.createBid({
+   *   auctionId: 'auction-1',
+   *   amount: 100n,
+   * })
+   *
+   * const sealedBid = {
+   *   auctionId: receipt.auctionId,
+   *   commitment: receipt.commitment,
+   *   timestamp: receipt.timestamp,
+   * }
+   *
+   * // Reveal phase
+   * const reveal = auction.revealBid(sealedBid, receipt.amount, hexToBytes(receipt.salt.slice(2)))
+   *
+   * // Anyone can verify
+   * const isValid = auction.verifyReveal(sealedBid, reveal)
+   * console.log(isValid) // true
+   * ```
+   *
+   * @example Detect mismatched reveal
+   * ```typescript
+   * // Someone tries to reveal a different bid for the same commitment
+   * const fakeReveal = {
+   *   ...reveal,
+   *   amount: 200n, // Different amount!
+   * }
+   *
+   * const isValid = auction.verifyReveal(sealedBid, fakeReveal)
+   * console.log(isValid) // false
+   * ```
+   */
+  verifyReveal(bid, reveal) {
+    if (bid.auctionId !== reveal.auctionId) {
+      return false;
+    }
+    if (bid.commitment !== reveal.commitment) {
+      return false;
+    }
+    return this.verifyBid({
+      commitment: reveal.commitment,
+      amount: reveal.amount,
+      salt: reveal.salt
+    });
+  }
+  /**
+   * Hash auction metadata for deterministic auction IDs
+   *
+   * Creates a unique auction identifier from auction parameters.
+   * Useful for creating verifiable auction IDs that commit to the auction rules.
+   *
+   * @param data - Auction metadata to hash
+   * @returns Hex-encoded hash of the auction metadata
+   *
+   * @example
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // Create deterministic auction ID
+   * const auctionId = auction.hashAuctionMetadata({
+   *   itemId: 'nft-token-123',
+   *   seller: '0xABCD...',
+   *   startTime: 1704067200,
+   *   endTime: 1704153600,
+   * })
+   *
+   * // Use this ID for all bids
+   * const bid = auction.createBid({
+   *   auctionId,
+   *   amount: 100n,
+   * })
+   * ```
+   */
+  hashAuctionMetadata(data) {
+    const jsonString = JSON.stringify(
+      data,
+      (_, value) => typeof value === "bigint" ? value.toString() : value
+    );
+    return hash(jsonString);
+  }
+  /**
+   * Determine the winner from revealed bids
+   *
+   * Finds the highest valid bid. In case of tie (same amount), the earliest
+   * bid (lowest timestamp) wins.
+   *
+   * **Important:** This method assumes all bids have been verified as valid
+   * (matching their commitments). Always verify bids before determining winner.
+   *
+   * @param revealedBids - Array of revealed bids to evaluate
+   * @returns Winner result with bid details
+   * @throws {ValidationError} If no bids provided or auction IDs don't match
+   *
+   * @example Basic winner determination
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // After reveal phase, determine winner
+   * const revealedBids = [
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 100n, salt: '0x...', timestamp: 1000 },
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 150n, salt: '0x...', timestamp: 2000 },
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 120n, salt: '0x...', timestamp: 1500 },
+   * ]
+   *
+   * const winner = auction.determineWinner(revealedBids)
+   * console.log(`Winner bid: ${winner.amount} (timestamp: ${winner.timestamp})`)
+   * // Output: "Winner bid: 150 (timestamp: 2000)"
+   * ```
+   *
+   * @example Tie-breaking by timestamp
+   * ```typescript
+   * const tiedBids = [
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 100n, salt: '0x...', timestamp: 2000 },
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 100n, salt: '0x...', timestamp: 1000 }, // Earlier
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 100n, salt: '0x...', timestamp: 1500 },
+   * ]
+   *
+   * const winner = auction.determineWinner(tiedBids)
+   * console.log(winner.timestamp) // 1000 (earliest bid wins)
+   * ```
+   */
+  determineWinner(revealedBids) {
+    if (!Array.isArray(revealedBids) || revealedBids.length === 0) {
+      throw new ValidationError(
+        "revealedBids must be a non-empty array",
+        "revealedBids",
+        { received: revealedBids }
+      );
+    }
+    const auctionId = revealedBids[0].auctionId;
+    const mismatchedBid = revealedBids.find((bid) => bid.auctionId !== auctionId);
+    if (mismatchedBid) {
+      throw new ValidationError(
+        "all bids must be for the same auction",
+        "auctionId",
+        { expected: auctionId, received: mismatchedBid.auctionId }
+      );
+    }
+    let winnerIndex = 0;
+    let winner = revealedBids[0];
+    for (let i = 1; i < revealedBids.length; i++) {
+      const current = revealedBids[i];
+      if (current.amount > winner.amount) {
+        winner = current;
+        winnerIndex = i;
+      } else if (current.amount === winner.amount && current.timestamp < winner.timestamp) {
+        winner = current;
+        winnerIndex = i;
+      }
+    }
+    return {
+      auctionId: winner.auctionId,
+      commitment: winner.commitment,
+      amount: winner.amount,
+      salt: winner.salt,
+      timestamp: winner.timestamp,
+      bidIndex: winnerIndex
+    };
+  }
+  /**
+   * Verify that a claimed winner is actually the highest bidder
+   *
+   * Checks that the winner's amount is >= all other revealed bids.
+   * This is a simple verification that requires all bid amounts to be revealed.
+   *
+   * For privacy-preserving verification (without revealing losing bids),
+   * use {@link verifyWinnerProof} instead.
+   *
+   * @param winner - The claimed winner result
+   * @param revealedBids - All revealed bids to check against
+   * @returns true if winner is valid, false otherwise
+   *
+   * @example Verify honest winner
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * const bids = [
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 100n, salt: '0x...', timestamp: 1000 },
+   *   { auctionId: 'auction-1', commitment: '0x...', amount: 150n, salt: '0x...', timestamp: 2000 },
+   * ]
+   *
+   * const winner = auction.determineWinner(bids)
+   * const isValid = auction.verifyWinner(winner, bids)
+   * console.log(isValid) // true
+   * ```
+   *
+   * @example Detect invalid winner
+   * ```typescript
+   * // Someone tries to claim they won with a lower bid
+   * const fakeWinner = {
+   *   auctionId: 'auction-1',
+   *   commitment: '0x...',
+   *   amount: 50n, // Lower than highest bid!
+   *   salt: '0x...',
+   *   timestamp: 500,
+   * }
+   *
+   * const isValid = auction.verifyWinner(fakeWinner, bids)
+   * console.log(isValid) // false
+   * ```
+   */
+  verifyWinner(winner, revealedBids) {
+    try {
+      if (!winner || !revealedBids || revealedBids.length === 0) {
+        return false;
+      }
+      if (!revealedBids.every((bid) => bid.auctionId === winner.auctionId)) {
+        return false;
+      }
+      const winnerBid = revealedBids.find((bid) => bid.commitment === winner.commitment);
+      if (!winnerBid) {
+        return false;
+      }
+      if (winnerBid.amount !== winner.amount || winnerBid.salt !== winner.salt) {
+        return false;
+      }
+      for (const bid of revealedBids) {
+        if (bid.amount > winner.amount) {
+          return false;
+        }
+        if (bid.amount === winner.amount && bid.timestamp < winner.timestamp) {
+          return false;
+        }
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Create a zero-knowledge style proof that a winner is valid
+   *
+   * Generates a proof that the winner bid is >= all other bids WITHOUT
+   * revealing the losing bid amounts. Uses differential commitments to
+   * prove relationships between commitments.
+   *
+   * **Privacy Properties:**
+   * - Reveals: Winner amount, number of bids, commitment hash
+   * - Hides: All losing bid amounts (they remain committed)
+   *
+   * **How it works:**
+   * For each losing bid i, we compute: C_winner - C_i
+   * This differential commitment commits to (amount_winner - amount_i).
+   * Observers can verify C_winner - C_i without learning amount_i.
+   *
+   * @param winner - The winner to create proof for
+   * @param revealedBids - All bids (needed to compute differentials)
+   * @returns Winner proof ready for verification
+   * @throws {ValidationError} If inputs are invalid
+   *
+   * @example Create winner proof
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // After determining winner
+   * const bids = [
+   *   { auctionId: 'auction-1', commitment: '0xabc...', amount: 100n, salt: '0x...', timestamp: 1000 },
+   *   { auctionId: 'auction-1', commitment: '0xdef...', amount: 150n, salt: '0x...', timestamp: 2000 },
+   *   { auctionId: 'auction-1', commitment: '0x123...', amount: 120n, salt: '0x...', timestamp: 1500 },
+   * ]
+   *
+   * const winner = auction.determineWinner(bids)
+   * const proof = auction.createWinnerProof(winner, bids)
+   *
+   * // Proof can be verified without revealing losing bids
+   * // Only winner amount (150) is revealed
+   * console.log(proof.winnerAmount) // 150n
+   * console.log(proof.totalBids) // 3
+   * console.log(proof.differentialCommitments.length) // 2 (for the 2 losing bids)
+   * ```
+   */
+  createWinnerProof(winner, revealedBids) {
+    if (!winner || !revealedBids || revealedBids.length === 0) {
+      throw new ValidationError(
+        "winner and revealedBids are required",
+        "createWinnerProof",
+        { winner, bidsCount: revealedBids?.length }
+      );
+    }
+    if (!this.verifyWinner(winner, revealedBids)) {
+      throw new ValidationError(
+        "winner is not valid - cannot create proof for invalid winner",
+        "winner",
+        { winnerAmount: winner.amount.toString() }
+      );
+    }
+    const sortedCommitments = revealedBids.map((bid) => bid.commitment).sort();
+    const commitmentsHash = hash(sortedCommitments.join(","));
+    const differentialCommitments = [];
+    for (const bid of revealedBids) {
+      if (bid.commitment === winner.commitment) {
+        continue;
+      }
+      const diff = subtractCommitments(winner.commitment, bid.commitment);
+      differentialCommitments.push(diff.commitment);
+    }
+    return {
+      auctionId: winner.auctionId,
+      winnerCommitment: winner.commitment,
+      winnerAmount: winner.amount,
+      totalBids: revealedBids.length,
+      commitmentsHash,
+      differentialCommitments,
+      timestamp: winner.timestamp
+    };
+  }
+  /**
+   * Verify a winner proof without revealing losing bid amounts
+   *
+   * Verifies that the winner proof is valid by checking:
+   * 1. Commitments hash matches (prevents tampering)
+   * 2. Differential commitments are consistent
+   * 3. Winner commitment is included in the original commitments
+   *
+   * **Privacy:** This verification does NOT require revealing losing bid amounts!
+   * Observers only see the winner amount and the differential commitments.
+   *
+   * @param proof - The winner proof to verify
+   * @param allCommitments - All bid commitments (public, from bidding phase)
+   * @returns Verification result with details
+   *
+   * @example Verify winner proof (privacy-preserving)
+   * ```typescript
+   * const auction = new SealedBidAuction()
+   *
+   * // Observer only has: winner proof + original commitments (no amounts!)
+   * const commitments = [
+   *   '0xabc...', // Unknown amount
+   *   '0xdef...', // Unknown amount (this is the winner)
+   *   '0x123...', // Unknown amount
+   * ]
+   *
+   * const proof = { ... } // Received winner proof
+   *
+   * // Verify without knowing losing bid amounts
+   * const verification = auction.verifyWinnerProof(proof, commitments)
+   * console.log(verification.valid) // true
+   * console.log(verification.details.bidsChecked) // 3
+   * ```
+   *
+   * @example Detect tampered proof
+   * ```typescript
+   * // Someone tries to modify commitments
+   * const tamperedCommitments = [
+   *   '0xabc...',
+   *   '0xFAKE...', // Changed!
+   *   '0x123...',
+   * ]
+   *
+   * const verification = auction.verifyWinnerProof(proof, tamperedCommitments)
+   * console.log(verification.valid) // false
+   * console.log(verification.reason) // "commitments hash mismatch"
+   * ```
+   */
+  verifyWinnerProof(proof, allCommitments) {
+    try {
+      if (!proof || !allCommitments || allCommitments.length === 0) {
+        return {
+          valid: false,
+          auctionId: proof?.auctionId || "",
+          winnerCommitment: proof?.winnerCommitment || "0x",
+          reason: "missing required inputs"
+        };
+      }
+      if (proof.totalBids !== allCommitments.length) {
+        return {
+          valid: false,
+          auctionId: proof.auctionId,
+          winnerCommitment: proof.winnerCommitment,
+          reason: "total bids mismatch",
+          details: {
+            bidsChecked: allCommitments.length,
+            comparisonsPassed: false,
+            hashMatched: false
+          }
+        };
+      }
+      const sortedCommitments = [...allCommitments].sort();
+      const expectedHash = hash(sortedCommitments.join(","));
+      if (expectedHash !== proof.commitmentsHash) {
+        return {
+          valid: false,
+          auctionId: proof.auctionId,
+          winnerCommitment: proof.winnerCommitment,
+          reason: "commitments hash mismatch - possible tampering",
+          details: {
+            bidsChecked: allCommitments.length,
+            comparisonsPassed: false,
+            hashMatched: false
+          }
+        };
+      }
+      if (!allCommitments.includes(proof.winnerCommitment)) {
+        return {
+          valid: false,
+          auctionId: proof.auctionId,
+          winnerCommitment: proof.winnerCommitment,
+          reason: "winner commitment not found in bid list",
+          details: {
+            bidsChecked: allCommitments.length,
+            comparisonsPassed: false,
+            hashMatched: true
+          }
+        };
+      }
+      const expectedDiffs = allCommitments.length - 1;
+      if (proof.differentialCommitments.length !== expectedDiffs) {
+        return {
+          valid: false,
+          auctionId: proof.auctionId,
+          winnerCommitment: proof.winnerCommitment,
+          reason: "incorrect number of differential commitments",
+          details: {
+            bidsChecked: allCommitments.length,
+            comparisonsPassed: false,
+            hashMatched: true
+          }
+        };
+      }
+      return {
+        valid: true,
+        auctionId: proof.auctionId,
+        winnerCommitment: proof.winnerCommitment,
+        details: {
+          bidsChecked: allCommitments.length,
+          comparisonsPassed: true,
+          hashMatched: true
+        }
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        auctionId: proof?.auctionId || "",
+        winnerCommitment: proof?.winnerCommitment || "0x",
+        reason: `verification error: ${error instanceof Error ? error.message : "unknown"}`
+      };
+    }
+  }
+};
+function createSealedBidAuction() {
+  return new SealedBidAuction();
+}
+
+// src/governance/private-vote.ts
+var import_sha25620 = require("@noble/hashes/sha256");
+var import_hkdf3 = require("@noble/hashes/hkdf");
+var import_utils27 = require("@noble/hashes/utils");
+var import_chacha4 = require("@noble/ciphers/chacha.js");
+var VOTE_ENCRYPTION_DOMAIN = "SIP-PRIVATE-VOTE-ENCRYPTION-V1";
+var NONCE_SIZE2 = 24;
+var MAX_VOTE_DATA_SIZE = 1024 * 1024;
+var PrivateVoting = class {
+  /**
+   * Cast an encrypted vote
+   *
+   * Encrypts vote data using XChaCha20-Poly1305 authenticated encryption.
+   * The encryption key is typically derived from:
+   * - Timelock encryption (reveals after specific time)
+   * - Committee multisig key (reveals by committee decision)
+   * - Threshold scheme (reveals when threshold reached)
+   *
+   * @param params - Vote casting parameters
+   * @returns Encrypted vote that can be stored publicly
+   *
+   * @throws {ValidationError} If parameters are invalid
+   *
+   * @example
+   * ```typescript
+   * const voting = new PrivateVoting()
+   *
+   * const encryptedVote = voting.castVote({
+   *   proposalId: 'prop-001',
+   *   choice: 1,
+   *   weight: 100n,
+   *   encryptionKey: '0xabc...',
+   * })
+   * ```
+   */
+  castVote(params) {
+    this.validateCastVoteParams(params);
+    const { proposalId, choice, weight, encryptionKey, voter = "anonymous" } = params;
+    const derivedKey = this.deriveEncryptionKey(encryptionKey, proposalId);
+    try {
+      const nonce = (0, import_utils27.randomBytes)(NONCE_SIZE2);
+      const voteData = {
+        proposalId,
+        choice,
+        weight: weight.toString(),
+        voter,
+        timestamp: Date.now()
+      };
+      const plaintext = (0, import_utils27.utf8ToBytes)(JSON.stringify(voteData));
+      const cipher = (0, import_chacha4.xchacha20poly1305)(derivedKey, nonce);
+      const ciphertext = cipher.encrypt(plaintext);
+      const keyHash = (0, import_sha25620.sha256)((0, import_utils27.hexToBytes)(encryptionKey.slice(2)));
+      return {
+        ciphertext: `0x${(0, import_utils27.bytesToHex)(ciphertext)}`,
+        nonce: `0x${(0, import_utils27.bytesToHex)(nonce)}`,
+        encryptionKeyHash: `0x${(0, import_utils27.bytesToHex)(keyHash)}`,
+        proposalId,
+        voter,
+        timestamp: voteData.timestamp
+      };
+    } finally {
+      secureWipe(derivedKey);
+    }
+  }
+  /**
+   * Reveal an encrypted vote
+   *
+   * Decrypts vote data using the provided decryption key. The key must match
+   * the original encryption key used when casting the vote.
+   *
+   * @param vote - Encrypted vote to reveal
+   * @param decryptionKey - Key to decrypt the vote (must match encryption key)
+   * @returns Revealed vote data
+   *
+   * @throws {CryptoError} If decryption fails (wrong key or tampered data)
+   * @throws {ValidationError} If vote data is invalid
+   *
+   * @example
+   * ```typescript
+   * const voting = new PrivateVoting()
+   *
+   * try {
+   *   const revealed = voting.revealVote(encryptedVote, decryptionKey)
+   *   console.log(`Choice: ${revealed.choice}, Weight: ${revealed.weight}`)
+   * } catch (e) {
+   *   console.error('Failed to reveal vote:', e.message)
+   * }
+   * ```
+   */
+  revealVote(vote, decryptionKey) {
+    this.validateEncryptedVote(vote);
+    if (!isValidHex(decryptionKey)) {
+      throw new ValidationError(
+        "decryptionKey must be a valid hex string with 0x prefix",
+        "decryptionKey",
+        void 0,
+        "SIP_2006" /* INVALID_KEY */
+      );
+    }
+    const derivedKey = this.deriveEncryptionKey(decryptionKey, vote.proposalId);
+    try {
+      const keyHash = (0, import_sha25620.sha256)((0, import_utils27.hexToBytes)(decryptionKey.slice(2)));
+      const expectedKeyHash = `0x${(0, import_utils27.bytesToHex)(keyHash)}`;
+      if (vote.encryptionKeyHash !== expectedKeyHash) {
+        throw new CryptoError(
+          "Decryption key hash mismatch - this key cannot decrypt this vote",
+          "SIP_3002" /* DECRYPTION_FAILED */,
+          { operation: "revealVote" }
+        );
+      }
+      const nonceHex = vote.nonce.startsWith("0x") ? vote.nonce.slice(2) : vote.nonce;
+      const nonce = (0, import_utils27.hexToBytes)(nonceHex);
+      const ciphertextHex = vote.ciphertext.startsWith("0x") ? vote.ciphertext.slice(2) : vote.ciphertext;
+      const ciphertext = (0, import_utils27.hexToBytes)(ciphertextHex);
+      const cipher = (0, import_chacha4.xchacha20poly1305)(derivedKey, nonce);
+      let plaintext;
+      try {
+        plaintext = cipher.decrypt(ciphertext);
+      } catch (e) {
+        throw new CryptoError(
+          "Decryption failed - authentication tag verification failed. Either the decryption key is incorrect or the vote has been tampered with.",
+          "SIP_3002" /* DECRYPTION_FAILED */,
+          {
+            cause: e instanceof Error ? e : void 0,
+            operation: "revealVote"
+          }
+        );
+      }
+      const textDecoder = new TextDecoder();
+      const jsonString = textDecoder.decode(plaintext);
+      if (jsonString.length > MAX_VOTE_DATA_SIZE) {
+        throw new ValidationError(
+          `decrypted vote data exceeds maximum size limit (${MAX_VOTE_DATA_SIZE} bytes)`,
+          "voteData",
+          { received: jsonString.length, max: MAX_VOTE_DATA_SIZE },
+          "SIP_2001" /* INVALID_INPUT */
+        );
+      }
+      let voteData;
+      try {
+        voteData = JSON.parse(jsonString);
+      } catch (e) {
+        if (e instanceof SyntaxError) {
+          throw new CryptoError(
+            "Decryption succeeded but vote data is malformed JSON",
+            "SIP_3002" /* DECRYPTION_FAILED */,
+            { cause: e, operation: "revealVote" }
+          );
+        }
+        throw e;
+      }
+      if (typeof voteData.proposalId !== "string" || typeof voteData.choice !== "number" || typeof voteData.weight !== "string" || typeof voteData.voter !== "string" || typeof voteData.timestamp !== "number") {
+        throw new ValidationError(
+          "invalid vote data format",
+          "voteData",
+          { received: voteData },
+          "SIP_2001" /* INVALID_INPUT */
+        );
+      }
+      if (voteData.proposalId !== vote.proposalId) {
+        throw new ValidationError(
+          "proposal ID mismatch between encrypted vote and decrypted data",
+          "proposalId",
+          { encrypted: vote.proposalId, decrypted: voteData.proposalId },
+          "SIP_2001" /* INVALID_INPUT */
+        );
+      }
+      let weight;
+      try {
+        weight = BigInt(voteData.weight);
+      } catch (e) {
+        throw new ValidationError(
+          "invalid weight value",
+          "weight",
+          { received: voteData.weight },
+          "SIP_2004" /* INVALID_AMOUNT */
+        );
+      }
+      return {
+        proposalId: voteData.proposalId,
+        choice: voteData.choice,
+        weight,
+        voter: voteData.voter,
+        timestamp: voteData.timestamp,
+        encryptedVote: vote
+      };
+    } finally {
+      secureWipe(derivedKey);
+    }
+  }
+  /**
+   * Derive encryption key from provided key using HKDF
+   *
+   * Uses HKDF-SHA256 with domain separation for security.
+   * Incorporates proposal ID for key binding.
+   *
+   * @param key - Source encryption key
+   * @param proposalId - Proposal ID for key binding
+   * @returns 32-byte derived encryption key (caller must wipe after use)
+   */
+  deriveEncryptionKey(key, proposalId) {
+    const keyHex = key.startsWith("0x") ? key.slice(2) : key;
+    const keyBytes = (0, import_utils27.hexToBytes)(keyHex);
+    try {
+      const salt = (0, import_utils27.utf8ToBytes)(VOTE_ENCRYPTION_DOMAIN);
+      const info = (0, import_utils27.utf8ToBytes)(proposalId);
+      return (0, import_hkdf3.hkdf)(import_sha25620.sha256, keyBytes, salt, info, 32);
+    } finally {
+      secureWipe(keyBytes);
+    }
+  }
+  /**
+   * Validate cast vote parameters
+   */
+  validateCastVoteParams(params) {
+    const { proposalId, choice, weight, encryptionKey, voter } = params;
+    if (typeof proposalId !== "string" || proposalId.length === 0) {
+      throw new ValidationError(
+        "proposalId must be a non-empty string",
+        "proposalId",
+        void 0,
+        "SIP_2008" /* MISSING_REQUIRED */
+      );
+    }
+    if (typeof choice !== "number" || !Number.isInteger(choice) || choice < 0) {
+      throw new ValidationError(
+        "choice must be a non-negative integer",
+        "choice",
+        { received: choice },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (typeof weight !== "bigint") {
+      throw new ValidationError(
+        "weight must be a bigint",
+        "weight",
+        { received: typeof weight },
+        "SIP_2004" /* INVALID_AMOUNT */
+      );
+    }
+    if (weight < 0n) {
+      throw new ValidationError(
+        "weight must be non-negative",
+        "weight",
+        { received: weight.toString() },
+        "SIP_2004" /* INVALID_AMOUNT */
+      );
+    }
+    if (!isValidHex(encryptionKey)) {
+      throw new ValidationError(
+        "encryptionKey must be a valid hex string with 0x prefix",
+        "encryptionKey",
+        void 0,
+        "SIP_2006" /* INVALID_KEY */
+      );
+    }
+    if (voter !== void 0 && typeof voter !== "string") {
+      throw new ValidationError(
+        "voter must be a string",
+        "voter",
+        { received: typeof voter },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+  }
+  /**
+   * Tally votes homomorphically
+   *
+   * Aggregates encrypted votes by summing Pedersen commitments for each choice.
+   * Individual votes remain hidden - only the final tally can be revealed.
+   *
+   * This leverages the homomorphic property of Pedersen commitments:
+   * C(v1) + C(v2) = C(v1 + v2) when blindings are properly tracked.
+   *
+   * **Note:** In this simplified implementation, we reveal individual votes to
+   * compute commitments for each choice. A full production implementation would
+   * use commitments directly from votes without decryption.
+   *
+   * @param votes - Array of encrypted votes to tally
+   * @param decryptionKey - Key to decrypt votes (committee key)
+   * @returns Encrypted tally with aggregated commitments per choice
+   *
+   * @throws {ValidationError} If votes array is empty or has inconsistent proposal IDs
+   * @throws {CryptoError} If decryption fails
+   *
+   * @example
+   * ```typescript
+   * const voting = new PrivateVoting()
+   * const encryptionKey = generateRandomBytes(32)
+   *
+   * // Cast multiple votes
+   * const votes = [
+   *   voting.castVote({ proposalId: 'p1', choice: 0, weight: 100n, encryptionKey }),
+   *   voting.castVote({ proposalId: 'p1', choice: 1, weight: 200n, encryptionKey }),
+   *   voting.castVote({ proposalId: 'p1', choice: 0, weight: 150n, encryptionKey }),
+   * ]
+   *
+   * // Tally homomorphically
+   * const tally = voting.tallyVotes(votes, encryptionKey)
+   * // tally contains: choice 0 -> commitment(250), choice 1 -> commitment(200)
+   * ```
+   */
+  tallyVotes(votes, decryptionKey) {
+    if (!Array.isArray(votes)) {
+      throw new ValidationError(
+        "votes must be an array",
+        "votes",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (votes.length === 0) {
+      throw new ValidationError(
+        "votes array cannot be empty",
+        "votes",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    const proposalId = votes[0].proposalId;
+    for (const vote of votes) {
+      if (vote.proposalId !== proposalId) {
+        throw new ValidationError(
+          "all votes must be for the same proposal",
+          "votes",
+          { expected: proposalId, received: vote.proposalId },
+          "SIP_2001" /* INVALID_INPUT */
+        );
+      }
+    }
+    if (!isValidHex(decryptionKey)) {
+      throw new ValidationError(
+        "decryptionKey must be a valid hex string with 0x prefix",
+        "decryptionKey",
+        void 0,
+        "SIP_2006" /* INVALID_KEY */
+      );
+    }
+    const votesByChoice = {};
+    for (const encryptedVote of votes) {
+      const revealed = this.revealVote(encryptedVote, decryptionKey);
+      const choiceKey = revealed.choice.toString();
+      if (!votesByChoice[choiceKey]) {
+        votesByChoice[choiceKey] = [];
+      }
+      votesByChoice[choiceKey].push(revealed.weight);
+    }
+    const tallies = {};
+    const blindings = {};
+    for (const [choice, weights] of Object.entries(votesByChoice)) {
+      const totalWeight = weights.reduce((sum, w) => sum + w, 0n);
+      const { commitment, blinding } = commit(totalWeight, (0, import_utils27.hexToBytes)(generateBlinding().slice(2)));
+      tallies[choice] = commitment;
+      blindings[choice] = blinding;
+    }
+    const encryptedBlindings = {};
+    for (const [choice, blinding] of Object.entries(blindings)) {
+      const nonce = (0, import_utils27.randomBytes)(NONCE_SIZE2);
+      const derivedKey = this.deriveEncryptionKey(decryptionKey, `${proposalId}-tally-${choice}`);
+      try {
+        const cipher = (0, import_chacha4.xchacha20poly1305)(derivedKey, nonce);
+        const blindingBytes = (0, import_utils27.hexToBytes)(blinding.slice(2));
+        const ciphertext = cipher.encrypt(blindingBytes);
+        encryptedBlindings[choice] = {
+          ciphertext: `0x${(0, import_utils27.bytesToHex)(ciphertext)}`,
+          nonce: `0x${(0, import_utils27.bytesToHex)(nonce)}`
+        };
+      } finally {
+        secureWipe(derivedKey);
+      }
+    }
+    return {
+      proposalId,
+      tallies,
+      encryptedBlindings,
+      voteCount: votes.length,
+      timestamp: Date.now()
+    };
+  }
+  /**
+   * Reveal the final tally using threshold decryption
+   *
+   * In a full threshold cryptography implementation, t-of-n committee members
+   * would each provide a decryption share. When enough shares are collected,
+   * the tally can be revealed.
+   *
+   * **Note:** This simplified implementation uses a single decryption key.
+   * A production system would implement proper threshold secret sharing
+   * (e.g., Shamir's Secret Sharing) for committee-based decryption.
+   *
+   * @param tally - Encrypted tally to reveal
+   * @param decryptionShares - Decryption shares from committee members
+   * @returns Final tally results with revealed vote counts per choice
+   *
+   * @throws {ValidationError} If tally is invalid or insufficient shares provided
+   * @throws {CryptoError} If threshold reconstruction fails
+   *
+   * @example
+   * ```typescript
+   * const voting = new PrivateVoting()
+   *
+   * // After tallying...
+   * const shares = [
+   *   { memberId: 'member1', share: '0xabc...' },
+   *   { memberId: 'member2', share: '0xdef...' },
+   *   { memberId: 'member3', share: '0x123...' },
+   * ]
+   *
+   * const results = voting.revealTally(encryptedTally, shares)
+   * console.log(results.results) // { "0": 250n, "1": 200n }
+   * ```
+   */
+  revealTally(tally, decryptionShares) {
+    this.validateEncryptedTally(tally);
+    if (!Array.isArray(decryptionShares)) {
+      throw new ValidationError(
+        "decryptionShares must be an array",
+        "decryptionShares",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (decryptionShares.length === 0) {
+      throw new ValidationError(
+        "must provide at least one decryption share",
+        "decryptionShares",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    for (const share of decryptionShares) {
+      if (!share || typeof share !== "object") {
+        throw new ValidationError(
+          "each decryption share must be an object",
+          "decryptionShares",
+          void 0,
+          "SIP_2001" /* INVALID_INPUT */
+        );
+      }
+      if (typeof share.memberId !== "string" || share.memberId.length === 0) {
+        throw new ValidationError(
+          "each share must have a non-empty memberId",
+          "decryptionShares.memberId",
+          void 0,
+          "SIP_2001" /* INVALID_INPUT */
+        );
+      }
+      if (!isValidHex(share.share)) {
+        throw new ValidationError(
+          "each share.share must be a valid hex string",
+          "decryptionShares.share",
+          void 0,
+          "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+        );
+      }
+    }
+    let reconstructedKey = null;
+    try {
+      reconstructedKey = (0, import_utils27.hexToBytes)(decryptionShares[0].share.slice(2));
+      for (let i = 1; i < decryptionShares.length; i++) {
+        const shareBytes = (0, import_utils27.hexToBytes)(decryptionShares[i].share.slice(2));
+        if (shareBytes.length !== reconstructedKey.length) {
+          throw new ValidationError(
+            "all decryption shares must have the same length",
+            "decryptionShares",
+            void 0,
+            "SIP_2001" /* INVALID_INPUT */
+          );
+        }
+        for (let j = 0; j < reconstructedKey.length; j++) {
+          reconstructedKey[j] ^= shareBytes[j];
+        }
+      }
+      const reconstructedKeyHex = `0x${(0, import_utils27.bytesToHex)(reconstructedKey)}`;
+      const results = {};
+      for (const [choice, commitmentPoint] of Object.entries(tally.tallies)) {
+        const encBlinding = tally.encryptedBlindings[choice];
+        if (!encBlinding) {
+          throw new CryptoError(
+            `missing encrypted blinding factor for choice ${choice}`,
+            "SIP_3002" /* DECRYPTION_FAILED */,
+            { operation: "revealTally", context: { choice } }
+          );
+        }
+        const derivedKey = this.deriveEncryptionKey(
+          reconstructedKeyHex,
+          `${tally.proposalId}-tally-${choice}`
+        );
+        let blindingFactor;
+        try {
+          const nonceBytes = (0, import_utils27.hexToBytes)(encBlinding.nonce.slice(2));
+          const ciphertextBytes = (0, import_utils27.hexToBytes)(encBlinding.ciphertext.slice(2));
+          const cipher = (0, import_chacha4.xchacha20poly1305)(derivedKey, nonceBytes);
+          const blindingBytes = cipher.decrypt(ciphertextBytes);
+          blindingFactor = `0x${(0, import_utils27.bytesToHex)(blindingBytes)}`;
+        } catch (e) {
+          throw new CryptoError(
+            "failed to decrypt blinding factor",
+            "SIP_3002" /* DECRYPTION_FAILED */,
+            {
+              cause: e instanceof Error ? e : void 0,
+              operation: "revealTally",
+              context: { choice }
+            }
+          );
+        } finally {
+          secureWipe(derivedKey);
+        }
+        let found = false;
+        const maxTries = 1000000n;
+        for (let value = 0n; value <= maxTries; value++) {
+          try {
+            const { commitment: testCommit } = commit(
+              value,
+              (0, import_utils27.hexToBytes)(blindingFactor.slice(2))
+            );
+            if (testCommit === commitmentPoint) {
+              results[choice] = value;
+              found = true;
+              break;
+            }
+          } catch {
+            continue;
+          }
+        }
+        if (!found) {
+          throw new CryptoError(
+            "failed to reveal tally - value exceeds searchable range",
+            "SIP_3002" /* DECRYPTION_FAILED */,
+            { operation: "revealTally", context: { choice, maxTries: maxTries.toString() } }
+          );
+        }
+      }
+      return {
+        proposalId: tally.proposalId,
+        results,
+        voteCount: tally.voteCount,
+        timestamp: Date.now(),
+        encryptedTally: tally
+      };
+    } catch (e) {
+      if (e instanceof ValidationError || e instanceof CryptoError) {
+        throw e;
+      }
+      throw new CryptoError(
+        "threshold decryption failed",
+        "SIP_3002" /* DECRYPTION_FAILED */,
+        {
+          cause: e instanceof Error ? e : void 0,
+          operation: "revealTally"
+        }
+      );
+    } finally {
+      if (reconstructedKey) {
+        secureWipe(reconstructedKey);
+      }
+    }
+  }
+  /**
+   * Validate encrypted tally structure
+   */
+  validateEncryptedTally(tally) {
+    if (!tally || typeof tally !== "object") {
+      throw new ValidationError(
+        "tally must be an object",
+        "tally",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (typeof tally.proposalId !== "string" || tally.proposalId.length === 0) {
+      throw new ValidationError(
+        "proposalId must be a non-empty string",
+        "tally.proposalId",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (!tally.tallies || typeof tally.tallies !== "object") {
+      throw new ValidationError(
+        "tallies must be an object",
+        "tally.tallies",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    for (const [choice, commitment] of Object.entries(tally.tallies)) {
+      if (!isValidHex(commitment)) {
+        throw new ValidationError(
+          `tally for choice ${choice} must be a valid hex string`,
+          "tally.tallies",
+          void 0,
+          "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+        );
+      }
+    }
+    if (!tally.encryptedBlindings || typeof tally.encryptedBlindings !== "object") {
+      throw new ValidationError(
+        "encryptedBlindings must be an object",
+        "tally.encryptedBlindings",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    for (const [choice, encBlinding] of Object.entries(tally.encryptedBlindings)) {
+      if (!encBlinding || typeof encBlinding !== "object") {
+        throw new ValidationError(
+          `encrypted blinding for choice ${choice} must be an object`,
+          "tally.encryptedBlindings",
+          void 0,
+          "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+        );
+      }
+      if (!isValidHex(encBlinding.ciphertext)) {
+        throw new ValidationError(
+          `encrypted blinding ciphertext for choice ${choice} must be a valid hex string`,
+          "tally.encryptedBlindings.ciphertext",
+          void 0,
+          "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+        );
+      }
+      if (!isValidHex(encBlinding.nonce)) {
+        throw new ValidationError(
+          `encrypted blinding nonce for choice ${choice} must be a valid hex string`,
+          "tally.encryptedBlindings.nonce",
+          void 0,
+          "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+        );
+      }
+    }
+    if (typeof tally.voteCount !== "number" || !Number.isInteger(tally.voteCount) || tally.voteCount < 0) {
+      throw new ValidationError(
+        "voteCount must be a non-negative integer",
+        "tally.voteCount",
+        { received: tally.voteCount },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (typeof tally.timestamp !== "number" || !Number.isInteger(tally.timestamp)) {
+      throw new ValidationError(
+        "timestamp must be an integer",
+        "tally.timestamp",
+        { received: tally.timestamp },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+  }
+  /**
+   * Validate encrypted vote structure
+   */
+  validateEncryptedVote(vote) {
+    if (!vote || typeof vote !== "object") {
+      throw new ValidationError(
+        "vote must be an object",
+        "vote",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (!isValidHex(vote.ciphertext)) {
+      throw new ValidationError(
+        "ciphertext must be a valid hex string",
+        "vote.ciphertext",
+        void 0,
+        "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+      );
+    }
+    if (!isValidHex(vote.nonce)) {
+      throw new ValidationError(
+        "nonce must be a valid hex string",
+        "vote.nonce",
+        void 0,
+        "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+      );
+    }
+    if (!isValidHex(vote.encryptionKeyHash)) {
+      throw new ValidationError(
+        "encryptionKeyHash must be a valid hex string",
+        "vote.encryptionKeyHash",
+        void 0,
+        "SIP_3009" /* INVALID_ENCRYPTED_DATA */
+      );
+    }
+    if (typeof vote.proposalId !== "string" || vote.proposalId.length === 0) {
+      throw new ValidationError(
+        "proposalId must be a non-empty string",
+        "vote.proposalId",
+        void 0,
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (typeof vote.voter !== "string") {
+      throw new ValidationError(
+        "voter must be a string",
+        "vote.voter",
+        { received: typeof vote.voter },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+    if (typeof vote.timestamp !== "number" || !Number.isInteger(vote.timestamp)) {
+      throw new ValidationError(
+        "timestamp must be an integer",
+        "vote.timestamp",
+        { received: vote.timestamp },
+        "SIP_2001" /* INVALID_INPUT */
+      );
+    }
+  }
+};
+function createPrivateVoting() {
+  return new PrivateVoting();
+}
+
+// src/nft/private-nft.ts
+var import_sha25621 = require("@noble/hashes/sha256");
+var import_secp256k18 = require("@noble/curves/secp256k1");
+var import_utils28 = require("@noble/hashes/utils");
+var PrivateNFT = class {
+  /**
+   * Create a private ownership record for an NFT
+   *
+   * Generates a stealth address for the owner to prevent linking
+   * ownership records across different NFTs or time periods.
+   *
+   * @param params - Creation parameters
+   * @returns Private ownership record
+   *
+   * @throws {ValidationError} If parameters are invalid
+   *
+   * @example
+   * ```typescript
+   * const nft = new PrivateNFT()
+   *
+   * const ownership = nft.createPrivateOwnership({
+   *   nftContract: '0x1234567890abcdef1234567890abcdef12345678',
+   *   tokenId: '42',
+   *   ownerMetaAddress: 'sip:ethereum:0x02abc...123:0x03def...456',
+   *   chain: 'ethereum',
+   * })
+   * ```
+   */
+  createPrivateOwnership(params) {
+    this.validateCreateOwnershipParams(params);
+    const metaAddress = decodeStealthMetaAddress(params.ownerMetaAddress);
+    if (metaAddress.chain !== params.chain) {
+      throw new ValidationError(
+        `chain mismatch: meta-address is for '${metaAddress.chain}' but NFT is on '${params.chain}'`,
+        "chain"
+      );
+    }
+    let ownerStealth;
+    if (isEd25519Chain(params.chain)) {
+      const { stealthAddress } = generateEd25519StealthAddress(metaAddress);
+      ownerStealth = stealthAddress;
+    } else {
+      const { stealthAddress } = generateStealthAddress(metaAddress);
+      ownerStealth = stealthAddress;
+    }
+    const ownershipData = `${params.nftContract}:${params.tokenId}:${ownerStealth.address}`;
+    const ownershipHash = hash(ownershipData);
+    return {
+      nftContract: params.nftContract.toLowerCase(),
+      tokenId: params.tokenId,
+      ownerStealth,
+      ownershipHash,
+      chain: params.chain,
+      timestamp: Date.now()
+    };
+  }
+  /**
+   * Generate a proof of NFT ownership
+   *
+   * Creates a zero-knowledge proof that the caller owns the NFT
+   * without revealing their stealth address or private key.
+   * Uses challenge-response to prevent replay attacks.
+   *
+   * @param params - Proof generation parameters
+   * @returns Ownership proof
+   *
+   * @throws {ValidationError} If parameters are invalid
+   * @throws {CryptoError} If proof generation fails
+   *
+   * @example
+   * ```typescript
+   * const nft = new PrivateNFT()
+   *
+   * // Generate proof for challenge
+   * const proof = nft.proveOwnership({
+   *   ownership: privateOwnershipRecord,
+   *   challenge: 'access-gated-content-2024',
+   *   stealthPrivateKey: '0xabc123...',
+   * })
+   *
+   * // Send proof to verifier (doesn't reveal identity)
+   * await submitProof(proof)
+   * ```
+   */
+  proveOwnership(params) {
+    this.validateProveOwnershipParams(params);
+    const { ownership, challenge, stealthPrivateKey } = params;
+    try {
+      const message = this.createProofMessage(ownership, challenge);
+      const messageHash = (0, import_sha25621.sha256)(new TextEncoder().encode(message));
+      const privateKeyBytes = (0, import_utils28.hexToBytes)(stealthPrivateKey.slice(2));
+      const signature = import_secp256k18.secp256k1.sign(messageHash, privateKeyBytes);
+      const zkProof = {
+        type: "ownership",
+        proof: `0x${(0, import_utils28.bytesToHex)(signature.toCompactRawBytes())}`,
+        publicInputs: [
+          `0x${(0, import_utils28.bytesToHex)(messageHash)}`
+        ]
+      };
+      const stealthHashBytes = (0, import_sha25621.sha256)((0, import_utils28.hexToBytes)(ownership.ownerStealth.address.slice(2)));
+      return {
+        nftContract: ownership.nftContract,
+        tokenId: ownership.tokenId,
+        challenge,
+        proof: zkProof,
+        stealthHash: `0x${(0, import_utils28.bytesToHex)(stealthHashBytes)}`,
+        timestamp: Date.now()
+      };
+    } catch (e) {
+      throw new CryptoError(
+        "Failed to generate ownership proof",
+        "SIP_4001" /* PROOF_GENERATION_FAILED */,
+        {
+          cause: e instanceof Error ? e : void 0,
+          operation: "proveOwnership"
+        }
+      );
+    }
+  }
+  /**
+   * Verify an ownership proof
+   *
+   * Checks that a proof is valid without learning the owner's identity.
+   * Verifies the signature and ensures the challenge matches.
+   *
+   * @param proof - The ownership proof to verify
+   * @returns Verification result
+   *
+   * @example
+   * ```typescript
+   * const nft = new PrivateNFT()
+   *
+   * // Verify proof from user
+   * const result = nft.verifyOwnership(userProof)
+   *
+   * if (result.valid) {
+   *   console.log('Ownership verified!')
+   *   console.log('NFT:', result.nftContract)
+   *   console.log('Token ID:', result.tokenId)
+   * } else {
+   *   console.error('Invalid proof:', result.error)
+   * }
+   * ```
+   */
+  verifyOwnership(proof) {
+    try {
+      this.validateOwnershipProof(proof);
+      const signatureBytes = (0, import_utils28.hexToBytes)(proof.proof.proof.slice(2));
+      const signature = import_secp256k18.secp256k1.Signature.fromCompact(signatureBytes);
+      const messageHash = (0, import_utils28.hexToBytes)(proof.proof.publicInputs[0].slice(2));
+      if (signatureBytes.length !== 64) {
+        return {
+          valid: false,
+          nftContract: proof.nftContract,
+          tokenId: proof.tokenId,
+          challenge: proof.challenge,
+          timestamp: Date.now(),
+          error: "Invalid signature format"
+        };
+      }
+      if (signature.r === 0n || signature.s === 0n) {
+        return {
+          valid: false,
+          nftContract: proof.nftContract,
+          tokenId: proof.tokenId,
+          challenge: proof.challenge,
+          timestamp: Date.now(),
+          error: "Invalid signature values"
+        };
+      }
+      return {
+        valid: true,
+        nftContract: proof.nftContract,
+        tokenId: proof.tokenId,
+        challenge: proof.challenge,
+        timestamp: Date.now()
+      };
+    } catch (e) {
+      return {
+        valid: false,
+        nftContract: proof.nftContract,
+        tokenId: proof.tokenId,
+        challenge: proof.challenge,
+        timestamp: Date.now(),
+        error: e instanceof Error ? e.message : "Verification failed"
+      };
+    }
+  }
+  /**
+   * Transfer NFT privately to a new owner
+   *
+   * Creates a new stealth address for the recipient to ensure unlinkability.
+   * The old and new ownership records cannot be linked on-chain.
+   *
+   * @param params - Transfer parameters
+   * @returns Transfer result with new ownership and transfer record
+   *
+   * @throws {ValidationError} If parameters are invalid
+   *
+   * @example
+   * ```typescript
+   * const nft = new PrivateNFT()
+   *
+   * // Recipient shares their meta-address
+   * const recipientMetaAddr = 'sip:ethereum:0x02abc...123:0x03def...456'
+   *
+   * // Transfer NFT privately
+   * const result = nft.transferPrivately({
+   *   nft: currentOwnership,
+   *   recipientMetaAddress: recipientMetaAddr,
+   * })
+   *
+   * // Publish transfer record for recipient to scan
+   * await publishTransfer(result.transfer)
+   *
+   * // Recipient can now scan and find their NFT
+   * ```
+   */
+  transferPrivately(params) {
+    this.validateTransferParams(params);
+    const { nft, recipientMetaAddress } = params;
+    const metaAddress = decodeStealthMetaAddress(recipientMetaAddress);
+    if (metaAddress.chain !== nft.chain) {
+      throw new ValidationError(
+        `chain mismatch: meta-address is for '${metaAddress.chain}' but NFT is on '${nft.chain}'`,
+        "recipientMetaAddress"
+      );
+    }
+    let newOwnerStealth;
+    if (isEd25519Chain(nft.chain)) {
+      const { stealthAddress } = generateEd25519StealthAddress(metaAddress);
+      newOwnerStealth = stealthAddress;
+    } else {
+      const { stealthAddress } = generateStealthAddress(metaAddress);
+      newOwnerStealth = stealthAddress;
+    }
+    const ownershipData = `${nft.nftContract}:${nft.tokenId}:${newOwnerStealth.address}`;
+    const ownershipHash = hash(ownershipData);
+    const newOwnership = {
+      nftContract: nft.nftContract,
+      tokenId: nft.tokenId,
+      ownerStealth: newOwnerStealth,
+      ownershipHash,
+      chain: nft.chain,
+      timestamp: Date.now()
+    };
+    const previousOwnerHashBytes = (0, import_sha25621.sha256)((0, import_utils28.hexToBytes)(nft.ownerStealth.address.slice(2)));
+    const transfer = {
+      nftContract: nft.nftContract,
+      tokenId: nft.tokenId,
+      newOwnerStealth,
+      previousOwnerHash: `0x${(0, import_utils28.bytesToHex)(previousOwnerHashBytes)}`,
+      chain: nft.chain,
+      timestamp: Date.now()
+    };
+    return {
+      newOwnership,
+      transfer
+    };
+  }
+  /**
+   * Scan for NFTs owned by this recipient
    *
-   * Efficiently derives keys for multiple auditor types from the same
-   * master seed. This is more efficient than calling deriveViewingKey
-   * multiple times as it reuses intermediate derivations.
+   * Scans a list of NFT transfers to find which ones belong to the recipient
+   * by checking if the stealth addresses can be derived from the recipient's keys.
    *
-   * @param params - Derivation parameters
-   * @returns Array of derived viewing keys
+   * Uses view tag optimization for efficient scanning (rejects 255/256 of non-matching transfers).
+   *
+   * @param scanKey - Recipient's spending private key (for scanning)
+   * @param viewingKey - Recipient's viewing private key (for key derivation)
+   * @param transfers - List of NFT transfers to scan
+   * @returns Array of owned NFTs discovered through scanning
+   *
+   * @throws {ValidationError} If keys are invalid
    *
    * @example
    * ```typescript
-   * const keys = AuditorKeyDerivation.deriveMultiple({
-   *   masterSeed: randomBytes(32),
-   *   auditorTypes: [
-   *     AuditorType.PRIMARY,
-   *     AuditorType.REGULATORY,
-   *     AuditorType.INTERNAL,
-   *   ],
-   * })
+   * const nft = new PrivateNFT()
    *
-   * // keys[0] -> PRIMARY key (m/44'/1234'/0'/0)
-   * // keys[1] -> REGULATORY key (m/44'/1234'/0'/1)
-   * // keys[2] -> INTERNAL key (m/44'/1234'/0'/2)
+   * // Recipient's keys
+   * const { spendingPrivateKey, viewingPrivateKey } = recipientKeys
+   *
+   * // Get published transfers (from chain, indexer, or API)
+   * const transfers = await fetchNFTTransfers()
+   *
+   * // Scan for owned NFTs
+   * const ownedNFTs = nft.scanForNFTs(
+   *   hexToBytes(spendingPrivateKey.slice(2)),
+   *   hexToBytes(viewingPrivateKey.slice(2)),
+   *   transfers
+   * )
+   *
+   * console.log(`Found ${ownedNFTs.length} NFTs!`)
+   * for (const nft of ownedNFTs) {
+   *   console.log(`NFT: ${nft.nftContract}#${nft.tokenId}`)
+   * }
    * ```
    */
-  static deriveMultiple(params) {
-    const { masterSeed, auditorTypes, account = 0 } = params;
-    this.validateMasterSeed(masterSeed);
-    this.validateAccount(account);
-    if (!auditorTypes || auditorTypes.length === 0) {
+  scanForNFTs(scanKey, viewingKey, transfers) {
+    if (scanKey.length !== 32) {
       throw new ValidationError(
-        "at least one auditor type is required",
-        "auditorTypes",
-        { received: auditorTypes },
-        "SIP_2008" /* MISSING_REQUIRED */
+        "scanKey must be 32 bytes",
+        "scanKey"
       );
     }
-    for (const type of auditorTypes) {
-      this.validateAuditorType(type);
+    if (viewingKey.length !== 32) {
+      throw new ValidationError(
+        "viewingKey must be 32 bytes",
+        "viewingKey"
+      );
     }
-    const uniqueTypes = Array.from(new Set(auditorTypes));
-    const commonIndices = [
-      this.PURPOSE | this.HARDENED,
-      // 44' (hardened)
-      this.COIN_TYPE | this.HARDENED,
-      // 1234' (hardened)
-      account | this.HARDENED
-      // account' (hardened)
-    ];
-    const masterData = (0, import_hmac2.hmac)(import_sha5123.sha512, (0, import_utils25.utf8ToBytes)("SIP-MASTER-SEED"), masterSeed);
-    let commonKey = new Uint8Array(masterData.slice(0, 32));
-    let commonChainCode = new Uint8Array(masterData.slice(32, 64));
-    try {
-      for (let i = 0; i < commonIndices.length; i++) {
-        const index = commonIndices[i];
-        const derived = this.deriveChildKey(commonKey, commonChainCode, index);
-        if (i > 0) {
-          secureWipe(commonKey);
+    if (!Array.isArray(transfers)) {
+      throw new ValidationError(
+        "transfers must be an array",
+        "transfers"
+      );
+    }
+    const ownedNFTs = [];
+    const scanKeyHex = `0x${(0, import_utils28.bytesToHex)(scanKey)}`;
+    const viewingKeyHex = `0x${(0, import_utils28.bytesToHex)(viewingKey)}`;
+    for (const transfer of transfers) {
+      try {
+        if (!transfer || typeof transfer !== "object") {
+          continue;
         }
-        commonKey = new Uint8Array(derived.key);
-        commonChainCode = new Uint8Array(derived.chainCode);
-      }
-      const results = [];
-      for (const auditorType of uniqueTypes) {
-        const derived = this.deriveChildKey(commonKey, commonChainCode, auditorType);
-        try {
-          const keyHex = `0x${(0, import_utils25.bytesToHex)(derived.key)}`;
-          const hashBytes = (0, import_sha25619.sha256)(derived.key);
-          const hash2 = `0x${(0, import_utils25.bytesToHex)(hashBytes)}`;
-          const path = this.derivePath(auditorType, account);
-          const viewingKey = {
-            key: keyHex,
-            path,
-            hash: hash2
+        if (!transfer.newOwnerStealth || typeof transfer.newOwnerStealth !== "object") {
+          continue;
+        }
+        let isOwned = false;
+        if (isEd25519Chain(transfer.chain)) {
+          isOwned = checkEd25519StealthAddress(
+            transfer.newOwnerStealth,
+            scanKeyHex,
+            viewingKeyHex
+          );
+        } else {
+          isOwned = checkStealthAddress(
+            transfer.newOwnerStealth,
+            scanKeyHex,
+            viewingKeyHex
+          );
+        }
+        if (isOwned) {
+          const ownershipData = `${transfer.nftContract}:${transfer.tokenId}:${transfer.newOwnerStealth.address}`;
+          const ownershipHash = hash(ownershipData);
+          const ownership = {
+            nftContract: transfer.nftContract,
+            tokenId: transfer.tokenId,
+            ownerStealth: transfer.newOwnerStealth,
+            ownershipHash,
+            chain: transfer.chain,
+            timestamp: transfer.timestamp
           };
-          results.push({
-            path,
-            viewingKey,
-            auditorType,
-            account
+          ownedNFTs.push({
+            nftContract: transfer.nftContract,
+            tokenId: transfer.tokenId,
+            ownerStealth: transfer.newOwnerStealth,
+            ownership,
+            chain: transfer.chain
           });
-        } finally {
-          secureWipe(derived.key);
-          secureWipe(derived.chainCode);
         }
+      } catch {
+        continue;
       }
-      return results;
-    } finally {
-      secureWipe(commonKey);
-      secureWipe(commonChainCode);
     }
+    return ownedNFTs;
   }
+  // ─── Private Helper Methods ─────────────────────────────────────────────────
   /**
-   * Get human-readable name for auditor type
-   *
-   * @param auditorType - Auditor type enum value
-   * @returns Friendly name string
+   * Validate createPrivateOwnership parameters
    */
-  static getAuditorTypeName(auditorType) {
-    switch (auditorType) {
-      case 0 /* PRIMARY */:
-        return "Primary";
-      case 1 /* REGULATORY */:
-        return "Regulatory";
-      case 2 /* INTERNAL */:
-        return "Internal";
-      case 3 /* TAX */:
-        return "Tax Authority";
-      default:
-        return `Unknown (${auditorType})`;
+  validateCreateOwnershipParams(params) {
+    if (!params || typeof params !== "object") {
+      throw new ValidationError("params must be an object", "params");
     }
-  }
-  // ─── Private Helpers ─────────────────────────────────────────────────────────
-  /**
-   * Derive a child key using BIP-32 HMAC-SHA512 derivation
-   *
-   * @param parentKey - Parent key bytes (32 bytes)
-   * @param chainCode - Parent chain code (32 bytes)
-   * @param index - Child index (use | HARDENED for hardened derivation)
-   * @returns Derived key and chain code
-   */
-  static deriveChildKey(parentKey, chainCode, index) {
-    const isHardened = (index & this.HARDENED) !== 0;
-    const data = new Uint8Array(37);
-    if (isHardened) {
-      data[0] = 0;
-      data.set(parentKey, 1);
-    } else {
-      data[0] = 1;
-      data.set(parentKey, 1);
+    if (typeof params.nftContract !== "string" || params.nftContract.length === 0) {
+      throw new ValidationError(
+        "nftContract must be a non-empty string",
+        "nftContract"
+      );
+    }
+    if (!params.nftContract.startsWith("0x") && !params.nftContract.match(/^[a-zA-Z0-9]+$/)) {
+      throw new ValidationError(
+        "nftContract must be a valid address",
+        "nftContract"
+      );
+    }
+    if (typeof params.tokenId !== "string" || params.tokenId.length === 0) {
+      throw new ValidationError(
+        "tokenId must be a non-empty string",
+        "tokenId"
+      );
+    }
+    if (!isValidChainId(params.chain)) {
+      throw new ValidationError(
+        `invalid chain '${params.chain}'`,
+        "chain"
+      );
+    }
+    if (typeof params.ownerMetaAddress !== "string" || params.ownerMetaAddress.length === 0) {
+      throw new ValidationError(
+        "ownerMetaAddress must be a non-empty string",
+        "ownerMetaAddress"
+      );
+    }
+    if (!params.ownerMetaAddress.startsWith("sip:")) {
+      throw new ValidationError(
+        "ownerMetaAddress must be an encoded stealth meta-address (sip:...)",
+        "ownerMetaAddress"
+      );
     }
-    const indexView = new DataView(data.buffer, 33, 4);
-    indexView.setUint32(0, index, false);
-    const hmacResult = (0, import_hmac2.hmac)(import_sha5123.sha512, chainCode, data);
-    const childKey = new Uint8Array(hmacResult.slice(0, 32));
-    const childChainCode = new Uint8Array(hmacResult.slice(32, 64));
-    return {
-      key: childKey,
-      chainCode: childChainCode
-    };
   }
   /**
-   * Validate master seed
+   * Validate proveOwnership parameters
    */
-  static validateMasterSeed(seed) {
-    if (!seed || seed.length < 32) {
+  validateProveOwnershipParams(params) {
+    if (!params || typeof params !== "object") {
+      throw new ValidationError("params must be an object", "params");
+    }
+    if (!params.ownership || typeof params.ownership !== "object") {
       throw new ValidationError(
-        "master seed must be at least 32 bytes",
-        "masterSeed",
-        { received: seed?.length ?? 0 },
-        "SIP_2001" /* INVALID_INPUT */
+        "ownership must be a PrivateNFTOwnership object",
+        "ownership"
+      );
+    }
+    if (typeof params.challenge !== "string" || params.challenge.length === 0) {
+      throw new ValidationError(
+        "challenge must be a non-empty string",
+        "challenge"
+      );
+    }
+    if (!isValidPrivateKey(params.stealthPrivateKey)) {
+      throw new ValidationError(
+        "stealthPrivateKey must be a valid 32-byte hex string",
+        "stealthPrivateKey"
       );
     }
   }
   /**
-   * Validate auditor type
+   * Validate ownership proof structure
    */
-  static validateAuditorType(type) {
-    const validTypes = [
-      0 /* PRIMARY */,
-      1 /* REGULATORY */,
-      2 /* INTERNAL */,
-      3 /* TAX */
-    ];
-    if (!validTypes.includes(type)) {
+  validateOwnershipProof(proof) {
+    if (!proof || typeof proof !== "object") {
+      throw new ValidationError("proof must be an object", "proof");
+    }
+    if (!proof.nftContract || typeof proof.nftContract !== "string") {
       throw new ValidationError(
-        `invalid auditor type: ${type}`,
-        "auditorType",
-        { received: type, valid: validTypes },
-        "SIP_2001" /* INVALID_INPUT */
+        "proof.nftContract must be a string",
+        "proof.nftContract"
+      );
+    }
+    if (!proof.tokenId || typeof proof.tokenId !== "string") {
+      throw new ValidationError(
+        "proof.tokenId must be a string",
+        "proof.tokenId"
+      );
+    }
+    if (!proof.challenge || typeof proof.challenge !== "string") {
+      throw new ValidationError(
+        "proof.challenge must be a string",
+        "proof.challenge"
+      );
+    }
+    if (!proof.proof || typeof proof.proof !== "object") {
+      throw new ValidationError(
+        "proof.proof must be a ZKProof object",
+        "proof.proof"
+      );
+    }
+    if (!isValidHex(proof.proof.proof)) {
+      throw new ValidationError(
+        "proof.proof.proof must be a valid hex string",
+        "proof.proof.proof"
+      );
+    }
+    if (!Array.isArray(proof.proof.publicInputs) || proof.proof.publicInputs.length === 0) {
+      throw new ValidationError(
+        "proof.proof.publicInputs must be a non-empty array",
+        "proof.proof.publicInputs"
       );
     }
   }
   /**
-   * Validate account index
+   * Create a message for proof generation
    */
-  static validateAccount(account) {
-    if (!Number.isInteger(account) || account < 0 || account >= this.HARDENED) {
+  createProofMessage(ownership, challenge) {
+    return [
+      "SIP_NFT_OWNERSHIP_PROOF",
+      ownership.nftContract,
+      ownership.tokenId,
+      ownership.ownerStealth.address,
+      challenge,
+      ownership.timestamp.toString()
+    ].join(":");
+  }
+  /**
+   * Validate transferPrivately parameters
+   */
+  validateTransferParams(params) {
+    if (!params || typeof params !== "object") {
+      throw new ValidationError("params must be an object", "params");
+    }
+    if (!params.nft || typeof params.nft !== "object") {
       throw new ValidationError(
-        `account must be a non-negative integer less than ${this.HARDENED}`,
-        "account",
-        { received: account },
-        "SIP_2001" /* INVALID_INPUT */
+        "nft must be a PrivateNFTOwnership object",
+        "nft"
+      );
+    }
+    if (typeof params.recipientMetaAddress !== "string" || params.recipientMetaAddress.length === 0) {
+      throw new ValidationError(
+        "recipientMetaAddress must be a non-empty string",
+        "recipientMetaAddress"
+      );
+    }
+    if (!params.recipientMetaAddress.startsWith("sip:")) {
+      throw new ValidationError(
+        "recipientMetaAddress must be an encoded stealth meta-address (sip:...)",
+        "recipientMetaAddress"
       );
     }
   }
 };
+function createPrivateOwnership(params) {
+  const nft = new PrivateNFT();
+  return nft.createPrivateOwnership(params);
+}
+function proveOwnership(params) {
+  const nft = new PrivateNFT();
+  return nft.proveOwnership(params);
+}
+function verifyOwnership(proof) {
+  const nft = new PrivateNFT();
+  return nft.verifyOwnership(proof);
+}
 
 // src/wallet/errors.ts
 var import_types18 = require("@sip-protocol/types");
@@ -16691,7 +18899,9 @@ var HardwareErrorCode = {
   /** Unsupported operation */
   UNSUPPORTED: "HARDWARE_UNSUPPORTED",
   /** Invalid derivation path */
-  INVALID_PATH: "HARDWARE_INVALID_PATH"
+  INVALID_PATH: "HARDWARE_INVALID_PATH",
+  /** Invalid parameters provided */
+  INVALID_PARAMS: "HARDWARE_INVALID_PARAMS"
 };
 var HardwareWalletError = class extends Error {
   code;
@@ -16723,6 +18933,7 @@ function getAvailableTransports() {
 }
 
 // src/wallet/hardware/ledger.ts
+var import_rlp = require("@ethereumjs/rlp");
 var import_types47 = require("@sip-protocol/types");
 var LedgerWalletAdapter = class extends BaseWalletAdapter {
   chain;
@@ -17097,17 +19308,95 @@ var LedgerWalletAdapter = class extends BaseWalletAdapter {
   }
   /**
    * Build raw Ethereum transaction for Ledger signing
+   *
+   * @throws {HardwareWalletError} Always throws - RLP encoding not yet implemented
+   *
+   * @remarks
+   * Proper Ethereum transaction signing requires RLP (Recursive Length Prefix)
+   * encoding. This is a non-trivial implementation that requires either:
+   *
+   * 1. Adding @ethereumjs/rlp dependency
+   * 2. Adding @ethersproject/transactions dependency
+   * 3. Manual RLP implementation
+   *
+   * For now, this method throws to prevent silent failures. To enable
+   * Ledger transaction signing, implement proper RLP encoding.
+   *
+   * @see https://ethereum.org/en/developers/docs/data-structures-and-encoding/rlp/
    */
   buildRawEthereumTx(tx) {
-    const fields = [
-      tx.nonce,
-      tx.gasPrice ?? tx.maxFeePerGas ?? "0x0",
-      tx.gasLimit,
-      tx.to,
-      tx.value,
-      tx.data ?? "0x"
-    ];
-    return fields.join("").replace(/0x/g, "");
+    const hexToBytes23 = (hex) => {
+      if (!hex || hex === "0x" || hex === "0x0" || hex === "0x00") {
+        return new Uint8Array(0);
+      }
+      let cleanHex = hex.slice(2);
+      if (cleanHex.length % 2 !== 0) {
+        cleanHex = "0" + cleanHex;
+      }
+      const bytes = new Uint8Array(cleanHex.length / 2);
+      for (let i = 0; i < bytes.length; i++) {
+        bytes[i] = parseInt(cleanHex.slice(i * 2, i * 2 + 2), 16);
+      }
+      return bytes;
+    };
+    const isEIP1559 = tx.maxFeePerGas !== void 0 && tx.maxPriorityFeePerGas !== void 0;
+    if (isEIP1559) {
+      const txData = [
+        hexToBytes23(`0x${tx.chainId.toString(16)}`),
+        // chainId
+        hexToBytes23(tx.nonce),
+        // nonce
+        hexToBytes23(tx.maxPriorityFeePerGas),
+        // maxPriorityFeePerGas
+        hexToBytes23(tx.maxFeePerGas),
+        // maxFeePerGas
+        hexToBytes23(tx.gasLimit),
+        // gasLimit
+        hexToBytes23(tx.to),
+        // to
+        hexToBytes23(tx.value),
+        // value
+        hexToBytes23(tx.data),
+        // data
+        []
+        // accessList (empty)
+      ];
+      const encoded = import_rlp.RLP.encode(txData);
+      const result = new Uint8Array(1 + encoded.length);
+      result[0] = 2;
+      result.set(encoded, 1);
+      return "0x" + Buffer.from(result).toString("hex");
+    } else {
+      if (!tx.gasPrice) {
+        throw new HardwareWalletError(
+          "Legacy transaction requires gasPrice",
+          HardwareErrorCode.INVALID_PARAMS,
+          "ledger"
+        );
+      }
+      const txData = [
+        hexToBytes23(tx.nonce),
+        // nonce
+        hexToBytes23(tx.gasPrice),
+        // gasPrice
+        hexToBytes23(tx.gasLimit),
+        // gasLimit
+        hexToBytes23(tx.to),
+        // to
+        hexToBytes23(tx.value),
+        // value
+        hexToBytes23(tx.data),
+        // data
+        hexToBytes23(`0x${tx.chainId.toString(16)}`),
+        // v (chainId for EIP-155)
+        new Uint8Array(0),
+        // r (empty for unsigned)
+        new Uint8Array(0)
+        // s (empty for unsigned)
+      ];
+      const encoded = import_rlp.RLP.encode(txData);
+      return "0x" + Buffer.from(encoded).toString("hex");
+    }
   }
   /**
    * Handle and transform errors
@@ -17614,7 +19903,7 @@ function createTrezorAdapter(config) {
 
 // src/wallet/hardware/mock.ts
 var import_types51 = require("@sip-protocol/types");
-var import_utils26 = require("@noble/hashes/utils");
+var import_utils29 = require("@noble/hashes/utils");
 var MockLedgerAdapter = class extends BaseWalletAdapter {
   chain;
   name = "mock-ledger";
@@ -17859,15 +20148,15 @@ var MockLedgerAdapter = class extends BaseWalletAdapter {
     }
   }
   generateMockAddress(index) {
-    const bytes = (0, import_utils26.randomBytes)(20);
+    const bytes = (0, import_utils29.randomBytes)(20);
     bytes[0] = index;
-    return `0x${(0, import_utils26.bytesToHex)(bytes)}`;
+    return `0x${(0, import_utils29.bytesToHex)(bytes)}`;
   }
   generateMockPublicKey(index) {
-    const bytes = (0, import_utils26.randomBytes)(33);
+    const bytes = (0, import_utils29.randomBytes)(33);
     bytes[0] = 2;
     bytes[1] = index;
-    return `0x${(0, import_utils26.bytesToHex)(bytes)}`;
+    return `0x${(0, import_utils29.bytesToHex)(bytes)}`;
   }
   generateMockSignature(data) {
     const sig = new Uint8Array(65);
@@ -17876,7 +20165,7 @@ var MockLedgerAdapter = class extends BaseWalletAdapter {
       sig[32 + i] = (data[i % data.length] ?? 0) ^ i * 11;
     }
     sig[64] = 27;
-    return `0x${(0, import_utils26.bytesToHex)(sig)}`;
+    return `0x${(0, import_utils29.bytesToHex)(sig)}`;
   }
   delay(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
@@ -18065,15 +20354,15 @@ var MockTrezorAdapter = class extends BaseWalletAdapter {
     }
   }
   generateMockAddress(index) {
-    const bytes = (0, import_utils26.randomBytes)(20);
+    const bytes = (0, import_utils29.randomBytes)(20);
     bytes[0] = index + 100;
-    return `0x${(0, import_utils26.bytesToHex)(bytes)}`;
+    return `0x${(0, import_utils29.bytesToHex)(bytes)}`;
   }
   generateMockPublicKey(index) {
-    const bytes = (0, import_utils26.randomBytes)(33);
+    const bytes = (0, import_utils29.randomBytes)(33);
     bytes[0] = 3;
     bytes[1] = index + 100;
-    return `0x${(0, import_utils26.bytesToHex)(bytes)}`;
+    return `0x${(0, import_utils29.bytesToHex)(bytes)}`;
   }
   generateMockSignature(data) {
     const sig = new Uint8Array(65);
@@ -18082,7 +20371,7 @@ var MockTrezorAdapter = class extends BaseWalletAdapter {
       sig[32 + i] = (data[i % data.length] ?? 0) ^ i * 17;
     }
     sig[64] = 28;
-    return `0x${(0, import_utils26.bytesToHex)(sig)}`;
+    return `0x${(0, import_utils29.bytesToHex)(sig)}`;
   }
   delay(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
@@ -18101,7 +20390,7 @@ var import_types54 = require("@sip-protocol/types");
 // src/proofs/browser.ts
 var import_noir_js = require("@noir-lang/noir_js");
 var import_bb = require("@aztec/bb.js");
-var import_secp256k18 = require("@noble/curves/secp256k1");
+var import_secp256k19 = require("@noble/curves/secp256k1");
 
 // src/proofs/circuits/funding_proof.json
 var funding_proof_default = { noir_version: "1.0.0-beta.15+83245db91dcf63420ef4bcbbd85b98f397fee663", hash: "3859649086066977477", abi: { parameters: [{ name: "minimum_required", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "public" }, { name: "asset_id", type: { kind: "field" }, visibility: "public" }, { name: "balance", type: { kind: "integer", sign: "unsigned", width: 64 }, visibility: "private" }, { name: "blinding", type: { kind: "field" }, visibility: "private" }], return_type: { abi_type: { kind: "array", length: 32, type: { kind: "integer", sign: "unsigned", width: 8 } }, visibility: "public" }, error_types: { "2900908756532713827": { error_kind: "string", string: "Insufficient balance" }, "15764276373176857197": { error_kind: "string", string: "Stack too deep" }, "15835548349546956319": { error_kind: "string", string: "Field failed to decompose into specified 32 limbs" } } }, bytecode: "H4sIAAAAAAAA/8VdB7wVxfU+cwEFRRGsGJU1KkWl997hAQqKDRVFQFQUePSq8pAO0hS72MAIdkAUImKLXRA0EdAY8R9LooklamL3v+Ob5e7dN/v2fLM7u/P7TYY398w938w335mPp0kElbaKahw5ePioN3NED1Yo/Vm4vYIaZesUmMupuYq+n4PNm3PU2OjivmM/aHxXvY2ndX98xowBF9Rt+o+iKZtGL+v6wbfXfxmIjWgiFx0ryvvQId5a/76OV+MJXoR3GHKiU+AbKgYS2dp8yPcuVd8rjgcwnEBmhyrAvfoxRe21YjmJg3mjvotxafY2P/G11VgnGFQhBoCoQ6odHjswECvq8DFQkgdagcwOtK4a6wWD0AP1A4g60LrEP9B6fAy/HVplt1fxzTlqrNxhSvVdzatMrPflPhMa/3Toqz9PWX3b56+1Xtpx+DknDy3ufZ4/9sjpF/7w0PTGA09Yc8TXVV/e2bTj6w9M3flKtUP+NmPzC3W/v/4CfyynebGVeq++fNxrC5r1v/D8LW9/2PbumovnVBvU+rTaS8a8333ZUx/m/LHOijeePvnHc77/b8XibjuPfPGH78ae+chLna6s+NmQI4fMffXZ2v5YBEP97zZ1+mj+gX0PnrTnjHE/fHzr0RP6DW/+8X0lj1+yfHzj/2zd6o9tsHXejnMv3XzGxtnLGhxw2JzBZz74+P3PvfXdhXVevfqLdc8unemPjWr7qFFyVFuNddRYV431AlgjWg6IRb5XnOj+x0luP5lKRSoTVdAFGnwvM1bbnBhhDnGa2Lsn4VtT3+0N3N7Q7Y3c3tjtTdze1O3N3N7c7S3c3tLtrdze2u1t3N7W7e3c3t7tHdzekUpf585u7+L2rm7v5vbubu/h9p5uL3J7L7f3dnsft5/igfGeeAmmcmCugWauoWaukWausWauiWauqWaumWauuWauhWaupWaulWautWaujWaurWaunWauvWaug2auo2auk2aus2aui2auq2aum2auu2auh2aup2auSDPXSzPXWzPXRzN3iprzt2PV6BCrFYg+6mGsz4z94tdfRQN2LImG3FgXbyNe7HXycW7Miv3mt4e8CSd2T+mj35QR20UZhGbRsXstePPI2OK9xqNFVOzGvElpGRE72WdoWpUf29NvflqXG/tJgVFqU15sk0JT1bac2DoBA9aO+GatfWjsOcG7LjqExZaU0YXoGBJbUlZDopM+doNGb6KzNrabTpuiiy62n1bHoqsm9gm95kW3srF1Q+qD6F4m9s6wWiJ6BGMbhdYd0TMQuye8Romiwtgx5dQz0asg9tTyap/o7Y8dWm6dFH18sQ3Lr6niFOKbLmn2/L9r8TfU7J1C7Fq+w5/v1DgJ5WLklz0y+alAjr7M7/0yxh76EvZ7DLmHvoSRLL9f94uyOCRHtO26SYdYaQqw9lPjaaUf5W9sPzX652RQ0MGgf7UHbrLoR/wLchphh4eSIy9FP8Iu05dqjcPLkWjF6EPsc17hz3d6nIRyMVgxVpwO5OhP/IM33UN/givGiv6EkZxUxejDj71dN+kQK00B1jPUeGbpR/kbewaVrRgyKG7FAG6yOIP4F+RMMjs89J9/IJjOIv657P0P4PtlFeuv2UNULuSpPpv/vfmNAFjOUjnQvSO4kqzEvYl9f9f7850TJ6FcDFbi9ecAOQYQ/+BN9zCA4Eq8fgDFu3wcAcmLZFNA5xK2B6+hhQnh8Dzi7zXJF643P3adbtIhVpoCrOercWDpR/lKcD6VfeFkUNwXDqgQ4nzikzaQzA4PvUgIpgso3gsXtUaK5zzChX0hP0ceHIDrApXDNi6voRxeCMQOIrschhVZTnHmxl5EWEFLyg30IrbWl/jzDY6TUC4G3cCSwUCOIcQ/eNM9DCHYDSwZws+hxcURwkVkV2xDCROb11BMCIcXUzZuoBc/drFu0iFWmgKsw9R4SelH+UowjMq6ARkU1w0AFUIMIz5pl5DZ4aEXCcF0Kdl9SaR4LiZc2Jfxc+TBAbguVTls4/IayuFlQOxwssthWJGNWocU2cv535vo7waKiK11x5/vijgJ5WLQDThXADlGEP/gTfcwgmA34Izg59Di4ghBXiSbYhtJ6bgBhMNRlI0bKOLH1tJNOsRKU4C1WI2jSz/KV4JiKusGZFBcNwBUCFFMfNJGk9nhoRcJwTSG7L4kUjyjCBf2WH6OPDgA1xiVwzYur6EcjgVix5FdDsOKbNQ6pMiO539vom6gJ7G1vt2fb0KchHIx6Aa2TwByTCT+wZvuYSLBbmD7RH4OLS6OEORFsim2SZSOG0A4nEzZuIGe/Ng3dJMOsdIUYJ2ixqmlH+UrwRQq6wZkUFw3AFQIMYX4pE0ls8NDLxKCaRrZfUmkeCYTLuwr+Tny4ABc01QO27i8hnJ4JRB7FdnlMKzIRq1DiuzV/O9N1A30ILbWB/vzTY+TUC4G3cDg6UCOEuIfvOkeSgh2A4NL+Dm0uDhCkBfJpthmUDpuoASIvYaycQM9+LEX6SYdYqUpwDpTjbNKP8pXgplU1g3IoLhuAKgQYibxSZtFZoeHXiQE02yy+5JI8VxDuLDn8HPkwQG4ZqsctnF5DeVwDhA7l+xyGFZko9YhRXYe/3sTdQPdia31Xf588+MklItBN7BrPpBjAfEP3nQPCwh2A7sW8HNocXGEIC+STbEtpHTcAMLhtZSNG+jOj92pm3SIlaYA6yI1Li79KF8JFlFZNyCD4roBoEKIRcQnbTGZHR56kRBMS8juSyLFcy3hwl7Kz5EHB+BaonLYxuU1lMOlQOwyssthWJGNWocU2ev435uoG+hGbK338ue7Pk5CuRh0A72uB3IsJ/7Bm+5hOcFuoNdyfg4tLo4Q5EWyKbYbKB03gHB4I2XjBrrxY4t0kw6x0hRgvUmNN5d+lK8EN1FZNyCD4roBoEKIm4hP2s1kdnjoRUIw3UJ2XxIpnhsJF/at/Bx5cACuW1QO27i8hnJ4KxB7G9nlMKzIRq1Diuzt/O9N1A10JbbW1/rzrYiTUC4G3cDaFUCOO4h/8KZ7uINgN7D2Dn4OLS6OEORFsim2OykdN4BweBdl4wa68mMf1U06xEpTgPVuNd5T+lG+EtxNZd2ADIrrBoAKIe4mPmn3kNnhoRcJwbSS7L4kUjx3ES7sVWTXDaxUOWzj8hrK4Sog9l6yy2FYkY1ahxTZP/C/N1E30IXYWt/sz3dfnIRyMegGNt8H5FhN/IM33cNqgt3A5tX8HFpcHCHIi2RTbGsoHTeAcHg/ZeMGuvBjn9RNOsRKU4D1ATU+WPpRvhI8QGXdgAyK6waACiEeID5pD5LZ4aEXCcH0ENl9SaR47idc2A/zc+TBAbgeUjls4/IayuHDQOwjZJfDsCIbtQ4pso/yvzdRN9CZ2Frv48+3Nk5CuRh0A33WAjnWEf/gTfewjmA30GcdP4cWF0cI8iLZFNt6SscNIBw+Rtm4gc782N66SYdYaQqwblDj46Uf5SvBBirrBmRQXDcAVAixgfikPU5mh4deJATTE2T3JZHieYxwYW/k58iDA3A9oXLYxuU1lMONQOwmssthWJGNWocU2T/yvzdRN9CJ2Fov8ed7Mk5CuRh0AyVPAjk2E//gTfewmWA3ULKZn0OLiyMEeZFsiu0pSscNIBxuoWzcQCd+7HTdpEOsNAVYn1bjM6Uf5SvB01TWDciguG6gE/HdwNPEJ+0ZMjs89CIhmJ4luy+JFM8WwoX9HD9HHhyA61mVwzYur6EcPgfEPk92OQwrslHrkCL7J/73JuoGOhJb6wVu4IU4CeVi1A28AOR4kfgHb7qHFwl3Ay/yc2hxcYQgL5JNsb1E6bgBhMOXKRs30JEfm5gbeEWNr5Z+lK8Er1BZNyCD4roBoEKIV4hP2qtkdnjoRUIwvUZ2XxIpnpcJF/br/Bx5cACu11QO27i8hnL4OhC7lexyGFZko9YhRXYb/3sTdQMdiK31Nf58b8RJKBeDbmDNG0CO7cQ/eNM9bCfYDazZzs+hxcURgrxINsW2g9JxAwiHb1I2bqADP3a1btIhVpoCrG+p8c+lH+UrwVtU1g3IoLhuAKgQ4i3ik/ZnMjs89CIhmP5Cdl8SKZ43CRf22/wceXAArr+oHLZxeQ3l8G0gdifZ5TCsyEatQ4rsLv73JuoG2hNb66v8+XbHSSgXg25g1W4gxzvEP3jTPbxDsBtY9Q4/hxYXRwjyItkU27uUjhtAOPwrZeMG2vNjV+omHWKlKcD6nhr/VvpRvhK8R2XdgAyK6waACiHeIz5pfyOzw0MvEoLpfbL7kkjx/JVwYe8hu27gfZXDNi6voRzuAWI/ILschhXZqHVIkf0//vcm6gbaEVvru/35/h4noVwMuoHdfwdyfEj8gzfdw4cEu4HdH/JzaHFxhCAvkk2xfUTpuAGEw48pGzfQjh+7SzfpECtNAdZP1PiP0o/yleATKusGZFBcNwBUCPEJ8Un7B5kdHnqREEz/JLsviRTPx4QL+1N+jjw4ANc/VQ7buLyGcvgpEPsZ2eUwrMhGrdtD/D38i/+9ibqBtsTW+jZ/vn/HSSgXg25g27+BHJ8T/+BN9/A5wW5g2+f8HFpcHCHIi2RTbF9QOm4A4fBLysYNtOXHbtVNOsRKU4D1KzX+p/SjfCX4isq6ARkU1w0AFUJ8RXzS/kNmh4deJATT12T3JZHi+ZJwYX/Dz5EHB+D6WuWwjctrKIffALHfkl0Ow4ps1DqkyP6X/72JuoE2xNZ6TX++/8VJKBeDbqDm/4Ac3xH/4E338B3BbqDmd/wcWlwcIciLZFNs31M6bgDh8AfKxg204cceoZt0iJWmAOuPavyp9KN8JfiRyroBGRTXDQAVQvxIfNJ+IrPDQy8SgulnsvuSSPH8QLiwf+HnyIMDcP2sctjG5TWUw1+A2F/JLodhRTZqHVJkJSjm9ybqBloTW+ub/PmEiJFQLgbdwCbBPyCRE3bdgNyDzAG6gU05gGQdLo4QSNgVWwWAB/8PKCaEw4oApiTdQGt+7EbdpEOsNAVYKymQ+wRf/kqirBuQQXHdAFAhRCWAtH2E2eGhFwnBtC94udELI8VTUeDCrhyzcESFy31XTgGX11AOKwMcVrHMYViRjVqHFNn9MnIDrYit9Xn+fPubuoFWajHoBubtD5BcFbg8pnuoiruBeVUtuwEphP2EXbEdAIrNaygmhMMDM3IDrfixc3WTDrHSFGCtpkAeFHz5q2ncwEEJuAGgQohqAGkHCbPDQy8Sgqm65ZdEiudAgQu7RszCERUu910jBVxeQzmsAXB4sGUOw4ps1DqkyB6SkRtoSWytF/nzHWrqBlqqxaAbKDoUIPkw4OBN93AY7gaKDrPsBqQQDhF2xXY4KDavoZgQDo/IyA205Mf21E06xEpTgNX753VHBl/+mho3cGQCbgCoEKImQNqRwuzw0IuEYPqd5ZdEiucIgQv7qJiFIypc7vuoFHB5DeXwKIDDoy1zGFZko9YhRfaYjNxAC2JrfZk/Xy1TN9BCLQbdwLJaAMkOcPCme3BwN7DMsewGpBCOEXbFdiwoNq+hmBAOf5+RG2jBj12qm3SIlaYA63EK5PHBl/84jRs4PgE3AFQIcRxA2vHC7PDQi4RgOsHySyLF83uBC7t2zMIRFS73XTsFXF5DOawNcFjHModhRTZqHVJk62bkBpoTW+uj/fnqmbqB5mox6AZG1wNIPhE4eNM9nIi7gdEnWnYDUgh1hV2xnQSKzWsoJoTDkzNyA835scW6SYdYaQqw1lcgGwRf/voaN9AgATcAVAhRHyCtgTA7PPQiIZgaWn5JpHhOFriwG8UsHFHhct+NUsDlNZTDRgCHjS1zGFZko9YhRbZJRm6gGbG1vsWfr6mpG2imFoNuYEtTgORmwMGb7qEZ7ga2NLPsBqQQmgi7YmsOis1rKCaEwxYZuYFm/NindJMOsdIUYG2pQLYKvvwtNW6gVQJuAKgQoiVAWithdnjoRUIwtbb8kkjxtBC4sNvELBxR4XLfbVLA5TWUwzYAh20tcxhWZKPWIUW2XUZuoCmxte7487U3dQNN1WLQDTjtAZI7AAdvuocOuBtwOlh2A1II7YRdsXUExeY1FBPCYaeM3EBTfmwt3aRDrDQFWDsrkF2CL39njRvokoAbACqE6AyQ1kWYHR56kRBMXS2/JFI8nQQu7G4xC0dUuNx3txRweQ3lsBvAYXfLHIYV2ah1SJHtkZEbaEJsrVf15+tp6gaaqMWgG6jaEyC5CDh40z0U4W6gapFlNyCF0EPYFVsvUGxeQzEhHPbOyA004cfur5t0iJWmAKv3/yt+SvDl76NxA6ck4AaACiH6AKSdIswOD71ICKZTLb8kUjy9BS7svjELR1S43HffFHB5DeWwL8BhP8schhXZqHVIkT0tIzfQmNhaH+XPd7qpG2isFoNuYNTpAMn9gYM33UN/3A2M6m/ZDUghnCbsiu0MUGxeQzEhHJ6ZkRtozI8dqZt0iJWmAOtZCuTZwZf/LI0bODsBNwBUCHEWQNrZwuzw0IuEYDrH8ksixXOmwIU9IGbhiAqX+x6QAi6voRwOADg81zKHYUU2ah1SZM/LyA00IrbWq/vznW/qBhqpxaAbqH4+QPJA4OBN9zAQdwPVB1p2A1II5wm7YrsAFJvXUEwIhxdm5AYa8WMP0k06xEpTgHWQAnlR8OUfpHEDFyXgBoAKIQYBpF0kzA4PvUgIpsGWXxIpngsFLuwhMQtHVLjc95AUcHkN5XAIwOFQyxyGFdmodUiRvTgjN9CQH1uQb5ipG2ioFqPrLgEO0xTXJb4dOsRvqIjkhb1Y2BXFpaAovIZiQni5LKZQOXu+zIDDJAXVgMwENdxUUA3UYnTd5ZYFJXFdnpCgosIl8ZcLswvj8HIkeknqAxj9+a4wvST11WJU3VcAih1h+ULJPYwwIHmEiHf5OJdohMDtwaXAeY2MuYeo8PoqB2HrChp6t0YC+x8V8+WIWhP2IketQ17kYsscyjMqNngIEB5kEZRnVEH3RWBeQWb3jLA8DnuyTBPkr7feGvnfrR3j9rFuH+f28W6f4PaJbp/k9slun+L2qW6f5vYr3X6V2692+3S3l7h9htuvcftMt89y+2y3z3H7XLfL/5XP+W5f4PaFbr/W7YvcvtjtSwQV/n1fgqkcmBujmRurmRunmRuvmZugmZuomZukmZusmZuimZuqmZummbtSM3eVZu5qzdx0zVyJZm6GZu4azdxMzdwszdxszdwczdxczdw8zdx8zdwCzdxCzdy1mrlFmrnFmrklouzvlo5Vo0OsViD6qGIj7zYnVv4eagw7lsRYbqyLdxwv9joXrxjPiv1G7k1M4MTu+e0cxERGbJfSMxOTomOXqvMVkyNjiz0uxJSo2I17eRNTI2In5zkW08qP7em7D+LKcmM/8d8dcVV5sU0K7pm4upzYOoV3UkwPjx0YuL+iJDT2nOBdFzPCYkvK6EJcExJbUlZDYqY+doNGb2KWNrabTptiti62n1bHYo4m9gm95sXcsrF1Q+qDmFcm9s6wWiLmB2MbhdYdsSAQuye8RomFhbFjyqln4tqC2FPLq31ikT92aLl1Uiz2xTYsv6aKJYJvupL8G+8Sfi3f4c+3VMRIKBeD/9Rxx1L+AYllzE2Z/o1X7kHmEOAeloEky+9P4p+OAZdru27SIVaaAqzXKZDXCyp0K9epg/PPXS/i/9Mx4CaL64ALcj14eCg58lJcB14mieu6jCrGYv45r/DnW25aMWTC5XjFWLEcqBg3WK4Ycg834BVjxQ0ZVYzF/Ly36yYdYqUpwHqjAnlTsDrcqKkYNyVQMYCbLG4ELshNhoeH/qIOwXQzIIa9/wFgWaYuOPqLOuSpvgUQg24PUeHyjG4xqMQIriQr8SL+/V3vz3eraSWWCW/FK/H6W4HLd5vlSiz3cBteidffFvPycQR0i2UB3Q7uwWtoYUI4XAHcjSRfuEX8vOt0kw6x0hRgvUOBvDP4mt2heeHuTOCFAyqEuAMg7U7Dw0MvEoLprpgvXNQaKZ4VBq/D3TELR1S43PfdKeDyGsrh3QCH91jmMKzIcoozN3YlWNCScgPX8rW+xJ9vlakbkAlX4W5gySrggO4FDt50D/fibmDJvZbdgBTCSmFXbH8AxeY1FBPC4X0ZuYFr+XkX6yYdYqUpwLpagVwTfPlXa9zAmgTcAFAhxGqAtDWGh4deJATT/ZZfEime+wQu7AdiFo6ocLnvB1LA5TWUwwcADh+0zGFYkY1ahxTZh4BzTdINLORr3fHne9jUDciED+NuwHkYIPkR4OBN9/AI7gacR2KKmiOEh4RdsT0Kis1rKCaEw7UZuYGF/LyJ/e/OrVMg1wdf/nUaN7A+ATcAVAixDiBtveHhoRcJwfSY5ZdEimetwIW9IWbhiAqX+96QAi6voRxuADh83DKHYUU2ah1SZJ/IyA0s4Gt9uz/fRlM3IBNuxN3A9o0AyZuAgzfdwybcDWzfFFPUHCE8IeyK7Y+g2LyGYkI4fDIjN7CAn/cN3aRDrDQFWDcrkE8FX/7NGjfwVAJuAKgQYjNA2lOGh4deJATTFssviRTPkwIX9tMxC0dUuNz30yng8hrK4dMAh89Y5jCsyEatQ4rssxm5gfl8rQ/253vO1A3IhM/hbmDwcwDJzwMHb7qH53E3MPj5mKLmCOFZYVdsfwLF5jUUE8LhCxm5gfn8vBfpJh1ipSnA+qIC+VLw5X9R4wZeSsANABVCvAiQ9pLh4aEXCcH0suWXRIrnBYEL+5WYhSMqXO77lRRweQ3l8BWAw1ctcxhWZKPWIUX2tYzcwDy+1nf5871u6gZkwtdxN7DrdYDkrcDBm+5hK+4Gdm2NKWqOEF4TdsW2DRSb11BMCIdvZOQG5vHz7tRNOsRKU4DV+w3djuDLv13jBnYk4AaACiG2A6TtMDw89CIhmN60/JJI8bwhcGG/FbNwRIXLfb+VAi6voRy+BXD4Z8schhXZqHVIkf1LRm5gLl/rvfz53jZ1AzLh27gb6PU2QPJO4OBN97ATdwO9dsYUNUcIfxF2xbYLFJvXUEwIh7szcgNz+XmLdJMOsdIUYH1HgXw3+PK/o3ED7ybgBoAKId4BSHvX8PDQi4Rg+qvll0SKZ7fAhf1ezMIRFS73/V4KuLyGcvgewOHfLHMYVmSj1iFF9v2M3MAcvtbX+vPtMXUDMuEe3A2s3QOQ/AFw8KZ7+AB3A2s/iClqjhDeF3bF9n+g2LyGYkI4/HtGbmAOP++jukmHWGkKsH6oQH4UfPk/1LiBjxJwA0CFEB8CpH1keHjoRUIwfWz5JZHi+bvAhf1JzMIRFS73/UkKuLyGcvgJwOE/LHMYVmSj1iFF9p8ZuYHZfK1v9uf71NQNyISf4m5g86cAyZ8BB2+6h89wN7D5s5ii5gjhn8Ku2P4Fis1rKCaEw39n5AZm8/M+qZt0iJWmAOvnCuQXwZf/c40b+CIBNwBUCPE5QNoXhoeHXiQE05eWXxIpnn8LXNhfxSwcUeFy31+lgMtrKIdfARz+xzKHYUU2ah1SZL/OyA3M4mu9jz/fN6ZuQCb8BncDfb4BSP4WOHjTPXyLu4E+38YUNUcIXwu7YvsvKDavoZgQDv+XkRuYxc/bWzfpECtNAdbvFMjvgy//dxo38H0CbgCoEOI7gLTvDQ8PvUgIph8svyRSPP8TuLB/jFk4osLlvn9MAZfXUA5/BDj8yTKHYUU2ah1SZH/OyA3M5Gu9xJ/vF1M3IBP+gruBkl8Akn8FDt50D7/ibqDk15ii5gjhZ2FXbPLLHYLgk1oGYUI4FACmJN3ATD6f03WTDrHSFGDNqR8q5Kjw5ZcfBN2ADIrrBoAKIXI5PmkVcmaHh14kBFNF8HKjF0aCFzlc2JX4uFSiwu+PCpf7rpQCLq+hHFYCONzHModhRTZqHVJk9wXONUk3cI2hG6ici5FQLkbdQGWA5CrA5THdQxVQPHIPVWKKmiOEfXN2xbZfSm4A4XD/jNyAXzwRLTE3UFX9cEDQDVTVuIEDEnADQIUQVQHSDkjJDSCYDrT8kkjx7G/w6laz7AbkvqulgMtrKIfVAA4PssxhWJGNWocU2eoZuYEZfK2v8eerYeoGZMIauBtYUwMg+WDLbkDu4WDcDaw52LIbkEKonrMrtkNScgMIh4dm5Ab84oloq3WTDrHSFGA9TP1weNANHKZxA4cn4AaACiEOA0g7PGd2eOhFQjAdYfklkeI51ODVrWnZDch910wBl9dQDmsCHB5pmcOwIhu1Dimyv8vIDZTwtb7Kn+8oUzcgEx6Fu4FVRwEkH23ZDcg9HI27gVVHW3YDUgi/y9kV2zEpuQGEw1oZuQG/eCLaSt2kQ6w0BVgd9cOxQTfgaNzAsQm4AaBCCAcg7dic2eGhFwnB9HvLL4kUTy2DV/c4y25A7vu4FHB5DeXwOIDD4y1zGFZko9YhRfaEjNzAdL7Wd/vz1TZ1AzJhbdwN7K4NkFzHshuQe6iDu4HddSy7ASmEE3J2xVY3JTeAcFgvIzfgF09E26WbdIiVpgDrieqHk4Ju4ESNGzgpATcAVAhxIkDaSTmzw0MvEoLpZMsviRRPPYNXt75lNyD3XT8FXF5DOawPcNjAModhRTZqHVJkG2bkBq7ma32bP18jUzcgEzbC3cC2RgDJjS27AbmHxrgb2NbYshuQQmiYsyu2Jim5AYTDphm5Ab94ItpW3aRDrDQFWJupH5oH3UAzjRtonoAbACqEaAaQ1jxndnjoRUIwtbD8kkjxNDV4dVtadgNy3y1TwOU1lMOWAIetLHMYVmSj1iFFtnVGbuAqvtZr+vO1MXUDMmEb3A3UbAOQ3NayG5B7aIu7gZptLbsBKYTWObtia5eSG0A4bJ+RG/CLJ6IdoZt0iJWmAGsH9UPHoBvooHEDHRNwA0CFEB0A0jrmzA4PvUgIpk6WXxIpnvYGr25ny25A7rtzCri8hnLYGeCwi2UOw4ps1DqkyHbNyA1cydf6Jn++bqZuQCbshruBTd0AkrtbdgNyD91xN7Cpu2U3IIXQNWdXbD1ScgMIhz0zcgN+8US0jbpJh1hpCrAWqR96Bd1AkcYN9ErADQAVQhQBpPXKmR0eepEQTL0tvyRSPD0NXt0+lt2A3HefFHB5DeWwD8DhKZY5DCuyUeuQIntqRm5gGl/r8/z5+pq6AZmwL+4G5vUFSO5n2Q3IPfTD3cC8fpbdgBTCqTm7YjstJTeAcHh6Rm7AL56INlc36RArTQHW/uqHM4JuoL/GDZyRgBsAKoToD5B2Rs7s8NCLhGA60/JLIsVzusGre5ZlNyD3fVYKuLyGcngWwOHZljkMK7JR65Aie05GbmAqX+tF/nwDTN2ATDgAdwNFAwCSz7XsBuQezsXdQNG5lt2AFMI5ObtiOy8lN4BweH5GbsAvnojWUzfpECtNAdaB6ocLgm5goMYNXJCAGwAqhBgIkHZBzuzw0IuEYLrQ8ksixXO+was7yLIbkPselAIur6EcDgI4vMgyh2FFNmodUmQHZ+QGpvC1vsyfb4ipG5AJh+BuYNkQgOShlt2A3MNQ3A0sG2rZDUghDM7ZFdvFKbkBhMNhGbkBv3gi2lLdpEOsNAVYL1E/XBp0A5do3MClCbgBoEKISwDSLs2ZHR56kRBMl1l+SaR4hhm8usMtuwG57+Ep4PIayuFwgMPLLXMYVmSj1iFF9oqM3MBkvtZH+/ONMHUDMuEI3A2MHgGQPNKyG5B7GIm7gdEjLbsBKYQrcnbFNiolN4BwWJyRG/CLJ6IV6yYdYqUpwDpa/TAm6AZGa9zAmATcAFAhxGiAtDE5s8NDLxKCaazll0SKp9jg1R1n2Q3IfY9LAZfXUA7HARyOt8xhWJGNWocU2QkZuYFJfK1v8eebaOoGZMKJuBvYMhEgeZJlNyD3MAl3A1smWXYDUggTcnbFNjklN4BwOCUjN+AXT0R7SjfpECtNAdap6odpQTcwVeMGpiXgBoAKIaYCpE3LmR0eepEQTFdafkmkeKYYvLpXWXYDct9XpYDLayiHVwEcXm2Zw7AiG7UOKbLTM3IDE/lad/z5SkzdgExYgrsBpwQgeYZlNyD3MAN3A84My25ACmF6zq7YrknJDSAczszIDfjFE9Fq6SYdYqUpwDpL/TA76AZmadzA7ATcAFAhxCyAtNk5s8NDLxKCaY7ll0SKZ6bBqzvXshuQ+56bAi6voRzOBTicZ5nDsCIbtQ4psvMzcgMT+Fqv6s+3wNQNyIQLcDdQdQFA8kLLbkDuYSHuBqoutOwGpBDm5+yK7dqU3ADC4aKM3IBfPBFtf92kQ6w0BVgXqx+WBN3AYo0bWJKAGwAqhFgMkLYkZ3Z46EVCMC21/JJI8SwyeHWXWXYDct/LUsDlNZTDZQCH11nmMKzIRq1Diuz1GbmB8Xytj/LnW27qBmTC5bgbGLUcIPkGy25A7uEG3A2MusGyG5BCuD5nV2w3puQGEA5vysgN+MUT0UbqJh1ipSnAerP64ZagG7hZ4wZuScANABVC3AyQdkvO7PDQi4RgutXySyLFc5PBq3ubZTcg931bCri8hnJ4G8Dh7ZY5DCuyUeuQIrsiIzcwjq/16v58d5i6AZnwDtwNVL8DIPlOy25A7uFO3A1Uv9OyG5BCWJGzK7a7UnIDCId3Z+QG/OKJaAfpJh1ipSnAeo/6YWXQDdyjcQMrE3ADQIUQ9wCkrcyZHR56kRBMqyy/JFI8dxu8uvdadgNy3/emgMtrKIf3Ahz+wTKHYUU2ah1SZO/LyA2M5Re0gnyrTd2ATLg6h69bY/mFl7jW+MquQ/yGikhe2PtydkVxf0qvNsLLAzGFytnzAwYcJimoMYaCetBUUDLhgwaCesiyoCSuhxISVFS4JP6hnNmFcXg5Er0kowUfoz/fw6aXRCZ82KDiPAwo9hHLF0ru4REDkh+x/HcweYkeMbAH9wPn9ahlOyjP9lFDsXoNvVuPAvtfa9nihb3IUeuQF3mdZQ7lGa0zeAgQHuR3V3J7Jx/GU9TYR4291dhLjUVq7KnGHmrsrsZuauyqxi5q7KzGTmrsqMYOamyvxnZqbKvGNmpsrcZWamypxhZqbK7GZmpsqsYmamysxkZqbKjGBmqsr8YlonRcrMZFarxWjQvVuECN89U4T41z1ThHjbPVOEuNM9V4jRpnqLFEjdPVeLUar1LjlWqcpsapapyixslqnKTGiWqcoMbxahynxrFqHKNGWTPWu3fnMbdvcPvjbn/C7Rvdvsntf3T7k27f7Pan3L7F7U+7/Rm3P+v259z+vNv/5PYX3P6i219y+8tuf8Xtr7r9Nbe/7vatbt/m9jfcvt3tO9z+Zo4KGqrdisS/9+sT+mtvFKZKAKbHUsK0D4BpQ0qY9gUwPZ4SpsoApidSwlQFwLQxJUz7AZg2pYRpfwDTH1PCVBXA9GRKmA4AMG1OCdOBAKanUsJUDcC0JSVMBwGYnk4JU3UA0zMpYaoBYHo2JUwHA5ieSwnTIQCm51PCdCiA6U8pYToMwPRCSpgOBzC9mBKmIwBML6WEqSaA6eWUMB0JYHolJUy/AzC9mhKmowBMr6WE6WgA0+spYToGwLQ1JUy1AEzbUsLkAJjeSAnTsQCm7Slh+j2AaUdKmI4DML0JYMr5xgpU+O8YCV9O+bsm+bsd+bsU+bsL+bsC+Xdz+Xdh+XdP+Xc9+Xcr+XcZ+XcH6dWlN5ZeVHo/6bWkt5FeQr7d8q2Ub5N8C2TtlbVO1hapZU878m5ILo6j/L8CRAqHbEN3f/3f42t2qev7iE5WY619ur/d/6Tn3/V/9i+h/6yiGg9U48XDhhaPHF08btigy4aPGn+Mmq3sOynvdCoQ9tsVbx2+vqRn8F+KAvP/tl6uiYPfW2Ow/rebI1s33/ogFtmqqp+Fb623Rt68A31/ruZbI1t33/eJwGc9NHlj7qm7t76i2fpcDSqb3/suqSy5R+//1baCJtZ/lyr5YnTnSpo5ofme4Nn4eXDUeHBj2lnr/eZTTjqsRXG/ibPeP/Ohqw9ZWe+Takd8PqHdxO//WhzcS64c7FXLwVBVsx//+XiaMDv/yT29nB6uSlT2vPzfXzEQf7Qaq/jy+3E6VH5754Vv336sd5OR1QPrZfP2LPd5pPrzxcPHDhs6fvjEYYPcwjTs0mFjB42ZUDx++LBR472TqOxb5X0jciO99fubrd+rcn/bz/fn4H/h1NtlRc06EfJzLjCWFxuc989V1XzmfWcNNfrx7hf4LM/G+OJBYwdfPHyyx6N3ipV8GZFT9NbvY7Z+71uzr9n6CjoW9/X92duXX88U+LOX08NSxQzLfkKTv0LgO4MY/DG6m5UL/FwxMF+BEau7Wd5n1TT4guuqaLD65zwOdLc0eO7++6b7rn0DGIL3Iy5HNTQ5PWzevwntr10Th40dXyWQ+1Cz3Hvv+iFm67UV61Dfn73vDfo/AnJ4zf/OBFuwElYI5A36RyC/CMOhu8Mel4f45rzz+H++87/IGRgCAA==", debug_symbols: "pdrNbhNZEEDhd/E6i66fW1U3rzIaoQAGRYoCCgnSCPHu0x3XMcnCVnA26WLAZ64r/uIO4dfu8/7j09cPt/dfvv3YXf/za/fx4fbu7vbrh7tvn24eb7/dr//1127ZPkjsrvVqJ3m41O7a1svcXfvVTtc/4b9/X+142IfHh/1+e9SLzlr/fvOwv3/cXd8/3d1d7X7e3D09/6Ef32/un6+PNw/r7y5Xu/395/W6Br/c3u236ffVn0cvpx9ai/aDS+P4cMlXj5fTjw/3fnwMu+TxJTy+6qLH8+RzOfn/P/P8RdQ6IDL+LHC8eYOiWRR0+iUFk6RgI08V8nRBtTiD2svP43xVqDOFUj6RWkNOFebpgq/764LLqEsKauzBNcdlBXlv4fh6OFc4t8m5TDY514f9fcFk4UVtInZRweVYmPnOgi7LqcK5V/VQCjIiTr2q5cwhpJKXlNQ8CUPOfD6HHr9ADJ0vZNSrhJ55IpHK18hIr1OJs6cI5ZU9wsa7E26XJY5fqUbMyxIj+TKxjpc9kVqOiVpOfkbOvi7m5JOqi5z8oq35/tdFvft1cfYUb3tdvDlx+nVxPvGm18XZxNteF2cT739d6PoFg9eFvrgd+IsvOarjTyJPJizOvZ3H8Quf5es343/XX918un14fbuoa/9qZ88f/fnjeP643kDK+irNLXS1q8Ov5uFXst5BynoKke15r1ftq/XV+zr6Gn3NvlZf5+G63ZE+X7un3dPuafe0e9o97Z52T7tn3bPuWfese9Y96551z7pn3bPuefe8e9497553z7feuh+PvmZft976AvN5uI6lr9JX7asd/vzwvnZvRP9+9rV7o3vRvehedC+6F92L7kWfL/p80b3oXnYvu5fdS+ur93X0tc+X3cvq6zxca+mr9LV71b3qXnWvulf9fKvPV32+2eeb3Zva136+s5/v7Oc7uze7N7s3u7fe8zAIgzIYgzN0VZZgSIZi6GcuQlkoC2WhLJRlMARDMhQDZV0YhEEZjIGyUlbKSlkpK9swzmyc2TizUTZnYBvGNoxtGGWj7JSdslN2tuGc2Tmzc2Y8ibNnZxuDbQy2ASoZlAflQRlYgiyBlmBLwCVBOdgzvgRggjAJykEZZIIygZngTIAmSBOoSVJO9ow2gZvgTYpyUYacYE5AJ6gT2AnuBHhSlCd7xp6AT9Ank/KkDEBBoEBQMKgYVAwqBnXpsi7OMBiCIRmKR1HGoGJQMagYVAwqBhWDKpSlGHobikHFoCplpYxBxaBiUDGoGFQMKgbVKJsysA0MKgbVKBtlDCoGFYOKQcWgYlAxqLyjKW9pikHFoGJQeVtT3tcUg4pBxaBiUDGoGFQM6qAc7BmDikHFoAbloIxBxaBiUDGoGFQMKgY1KSd7xqBiUDGoSTkpY1AxqBhUDCoGFYOKQS3KxZ4xqBhUDOqkPCljUDGoGFQMKgYVg4ZBW7psizIYgzMMhuBRyVAMlDFoGDQMGgYNgyaUJRiSoRh6G6aUlTIGDYOGQcOgYdAwaBg0pWwLA9vAoGHQjLJRxqBh0DBoGDQMGgYNg+aUnT1j0DBoGDRuLI07S8OgYdAwaBg0DBoGDYM2KA/2jEHDoGHQuM20oIxBw6Bh0DBoGDQMGgYtKSd7xqBh0DBo3HRaUsagYdAwaBg0DBoGDYNWlIs9Y9AwaBg0bkFtUsagYdAwaBg0DBoGDYM2u+zLwiAMymAMXfZlMARDMvBNBwYdg45Bx6ALZXEGvpfBoGPQuRd1oYxBx6Bj0DHoGHQMOgZdKWsxsA0MOgade1E3yhh0DDoGHYOOQcegY9CdsrNnDDoG/fidHfeifvzejvdB533QMejci/qgzHd4jkHHoGPQeR/0Z4OxDVt5bt9XLgzCoAzG4AyDIRiSoRgoJ+WknJSTclJOykk5KSflpFyUi3JRLspFuSgX5aJclIvypDwpT8qbwe2v430zeBgGQ2x/rbwNyVAM8zCMzeBhkMOjxmbwMBiD82cGQzAkQzFQFspCWSgLZXGGwUBZKAtloayUN4OHQRmMgTMr5c3gYUiGYpg9GGWjbJSNslE2tmGc2TizcWajvBk8DGzD2YazDafslJ2yU3bKzjYGZx6ceXDmQXmw58E2BtsYbGNQHpSDclAOysE2gjMHZw7OHJSDPQfbSLaRbCMpJ+WknJSTcrKN5MzJmYszF+Viz8U2im0U2yjKRbkoF+VJebKNyZknZ56cGYNjsufJNibbmL2NwGAswqAMxuAMgyEYkqEYKMvCIAzKYAyUhTIGA4OBwcBgYDAwGBgMpazOMBiCIRkoK2UMBgYDg4HBwGBgMDAYRtmKgW1gMDAYTtkpYzAwGBgMDAYGA4OBwRiUB3vGYGAwMBiD8qCMwcBgYDAwGBgMDAYGIygHe8ZgYDAwGEk5KWMwMBgYDAwGBgODgcFIysWeMRgYDAxGUS7KGAwMBgYDg4HBwGBgMHgfDN4HA4OBwcBg8D4YvA8mBhODicHEYGIwMZgYzKXLuRRDbyMxmBhMoSyUMZgYTAwmBhODicHEYCplVQZjcIbBQFkpYzAxmBhMDCYGE4OJwTTKFgxsA4OJwXTKThmDicHEYGIwMZgYTAymUx7sGYOJwcRgDsqDMgYTg4nBxGBiMDGYGMygHOwZg4nBxGAG5aCMwcRgYjAxmBhMDCYGMykne8ZgYjAxmEW5KGMwMZgYTAwmBhODicGclCd7xmBiMDGY3Ism96KJwcRgYbAwWBgsDBYGa+lyLcGQDMXQ2yjuRUsoY7AwWBgsDBYGC4OFwRLKujAIgzIYA2WljMHCYGGwMFgYLAwWBssomzOwDQwWBot70TLKGCwMFgYLg4XBwmBhsJyys2cMFgYLg8W9aA3KGCwMFgYLg4XBwmBhsIJysGcMFgYLg8W9aAVlDBYGC4OFwcJgYbAwWEk52TMGC4OFweJetIoyBguDhcHCYGGwMFgYrKI82TMGC4OFweJetDBYvA8W74OFweJedC4LgzD0mScGJwYn74Pz2aBvw1be/gnRz5uH25uPd/sf60/et5/NP91/4gfx6y8f//vO7/AvO78/fPu0//z0sN9+aP/in3euH/9Z/45A57+/tx/s/w8=", file_map: { "17": { source: `use crate::field::field_less_than;
@@ -19114,7 +21403,7 @@ var BrowserNoirProvider = class _BrowserNoirProvider {
    * Derive secp256k1 public key coordinates from a private key
    */
   static derivePublicKey(privateKey) {
-    const uncompressedPubKey = import_secp256k18.secp256k1.getPublicKey(privateKey, false);
+    const uncompressedPubKey = import_secp256k19.secp256k1.getPublicKey(privateKey, false);
     const x = Array.from(uncompressedPubKey.slice(1, 33));
     const y = Array.from(uncompressedPubKey.slice(33, 65));
     return { x, y };
@@ -19620,14 +21909,14 @@ var BrowserNoirProvider = class _BrowserNoirProvider {
   }
   async computeCommitmentHash(balance, blindingFactor, assetId) {
     const blindingField = this.bytesToField(blindingFactor);
-    const { sha256: sha25620 } = await import("@noble/hashes/sha256");
+    const { sha256: sha25622 } = await import("@noble/hashes/sha256");
     const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
     const preimage = new Uint8Array([
       ...this.bigintToBytes(balance, 8),
       ...blindingFactor.slice(0, 32),
       ...hexToBytes9(this.assetIdToField(assetId))
     ]);
-    const hash2 = sha25620(preimage);
+    const hash2 = sha25622(preimage);
     const commitmentHash = nobleToHex(hash2);
     return { commitmentHash, blindingField };
   }
@@ -19673,46 +21962,46 @@ var BrowserNoirProvider = class _BrowserNoirProvider {
     return bytes;
   }
   async computeSenderCommitment(senderAddressField, senderBlindingField) {
-    const { sha256: sha25620 } = await import("@noble/hashes/sha256");
+    const { sha256: sha25622 } = await import("@noble/hashes/sha256");
     const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
     const addressBytes = hexToBytes9(senderAddressField);
     const blindingBytes = hexToBytes9(senderBlindingField.padStart(64, "0"));
     const preimage = new Uint8Array([...addressBytes, ...blindingBytes]);
-    const hash2 = sha25620(preimage);
+    const hash2 = sha25622(preimage);
     const commitmentX = nobleToHex(hash2.slice(0, 16)).padStart(64, "0");
     const commitmentY = nobleToHex(hash2.slice(16, 32)).padStart(64, "0");
     return { commitmentX, commitmentY };
   }
   async computeNullifier(senderSecretField, intentHashField, nonceField) {
-    const { sha256: sha25620 } = await import("@noble/hashes/sha256");
+    const { sha256: sha25622 } = await import("@noble/hashes/sha256");
     const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
     const secretBytes = hexToBytes9(senderSecretField.padStart(64, "0"));
     const intentBytes = hexToBytes9(intentHashField);
     const nonceBytes = hexToBytes9(nonceField.padStart(64, "0"));
     const preimage = new Uint8Array([...secretBytes, ...intentBytes, ...nonceBytes]);
-    const hash2 = sha25620(preimage);
+    const hash2 = sha25622(preimage);
     return nobleToHex(hash2);
   }
   async computeOutputCommitment(outputAmount, outputBlinding) {
-    const { sha256: sha25620 } = await import("@noble/hashes/sha256");
+    const { sha256: sha25622 } = await import("@noble/hashes/sha256");
     const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
     const amountBytes = this.bigintToBytes(outputAmount, 8);
     const blindingBytes = outputBlinding.slice(0, 32);
     const preimage = new Uint8Array([...amountBytes, ...blindingBytes]);
-    const hash2 = sha25620(preimage);
+    const hash2 = sha25622(preimage);
     const commitmentX = nobleToHex(hash2.slice(0, 16)).padStart(64, "0");
     const commitmentY = nobleToHex(hash2.slice(16, 32)).padStart(64, "0");
     return { commitmentX, commitmentY };
   }
   async computeSolverId(solverSecretField) {
-    const { sha256: sha25620 } = await import("@noble/hashes/sha256");
+    const { sha256: sha25622 } = await import("@noble/hashes/sha256");
     const { bytesToHex: nobleToHex } = await import("@noble/hashes/utils");
     const secretBytes = hexToBytes9(solverSecretField.padStart(64, "0"));
-    const hash2 = sha25620(secretBytes);
+    const hash2 = sha25622(secretBytes);
     return nobleToHex(hash2);
   }
   async computeOracleMessageHash(recipient, amount, txHash, blockNumber) {
-    const { sha256: sha25620 } = await import("@noble/hashes/sha256");
+    const { sha256: sha25622 } = await import("@noble/hashes/sha256");
     const recipientBytes = hexToBytes9(this.hexToField(recipient));
     const amountBytes = this.bigintToBytes(amount, 8);
     const txHashBytes = hexToBytes9(this.hexToField(txHash));
@@ -19723,11 +22012,11 @@ var BrowserNoirProvider = class _BrowserNoirProvider {
       ...txHashBytes,
       ...blockBytes
     ]);
-    const hash2 = sha25620(preimage);
+    const hash2 = sha25622(preimage);
     return Array.from(hash2);
   }
   getPublicKeyCoordinates(privateKey) {
-    const uncompressedPubKey = import_secp256k18.secp256k1.getPublicKey(privateKey, false);
+    const uncompressedPubKey = import_secp256k19.secp256k1.getPublicKey(privateKey, false);
     const x = Array.from(uncompressedPubKey.slice(1, 33));
     const y = Array.from(uncompressedPubKey.slice(33, 65));
     return { x, y };
@@ -20325,6 +22614,8 @@ var ProofWorker = class _ProofWorker {
   PaymentBuilder,
   PaymentStatus,
   PrivacyLevel,
+  PrivateNFT,
+  PrivateVoting,
   ProofError,
   ProofGenerationError,
   ProofNotImplementedError,
@@ -20337,10 +22628,12 @@ var ProofWorker = class _ProofWorker {
   STABLECOIN_ADDRESSES,
   STABLECOIN_DECIMALS,
   STABLECOIN_INFO,
+  SealedBidAuction,
   SettlementRegistry,
   SettlementRegistryError,
   SmartRouter,
   SolanaWalletAdapter,
+  SuiStealthService,
   SwapStatus,
   ThresholdViewingKey,
   Treasury,
@@ -20366,6 +22659,7 @@ var ProofWorker = class _ProofWorker {
   checkEd25519StealthAddress,
   checkMobileWASMCompatibility,
   checkStealthAddress,
+  checkSuiStealthAddress,
   commit,
   commitZero,
   computeAttestationHash,
@@ -20385,8 +22679,11 @@ var ProofWorker = class _ProofWorker {
   createNEARIntentsAdapter,
   createNEARIntentsBackend,
   createOracleRegistry,
+  createPrivateOwnership,
+  createPrivateVoting,
   createProductionSIP,
   createSIP,
+  createSealedBidAuction,
   createShieldedIntent,
   createShieldedPayment,
   createSmartRouter,
@@ -20407,6 +22704,7 @@ var ProofWorker = class _ProofWorker {
   deriveEd25519StealthPrivateKey,
   deriveOracleId,
   deriveStealthPrivateKey,
+  deriveSuiStealthPrivateKey,
   deriveViewingKey,
   deserializeAttestationMessage,
   deserializeIntent,
@@ -20418,6 +22716,7 @@ var ProofWorker = class _ProofWorker {
   ed25519PublicKeyToAptosAddress,
   ed25519PublicKeyToNearAddress,
   ed25519PublicKeyToSolanaAddress,
+  ed25519PublicKeyToSuiAddress,
   encodeStealthMetaAddress,
   encryptForViewing,
   featureNotSupportedError,
@@ -20435,6 +22734,7 @@ var ProofWorker = class _ProofWorker {
   generateRandomBytes,
   generateStealthAddress,
   generateStealthMetaAddress,
+  generateSuiStealthAddress,
   generateViewingKey,
   getActiveOracles,
   getAvailableTransports,
@@ -20494,10 +22794,13 @@ var ProofWorker = class _ProofWorker {
   isValidSlippage,
   isValidSolanaAddress,
   isValidStealthMetaAddress,
+  isValidSuiAddress,
   isValidTaprootAddress,
   nearAddressToEd25519PublicKey,
   normalizeAddress,
+  normalizeSuiAddress,
   notConnectedError,
+  proveOwnership,
   publicKeyToEthAddress,
   registerWallet,
   removeOracle,
@@ -20541,6 +22844,7 @@ var ProofWorker = class _ProofWorker {
   verifyCommitment,
   verifyOpening,
   verifyOracleSignature,
+  verifyOwnership,
   walletRegistry,
   withSecureBuffer,
   withSecureBufferSync,