@sip-protocol/sdk 0.6.25 → 0.7.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 RECTOR Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/browser.js

@@ -4036,6 +4036,9 @@ function generateStealthMetaAddress(chain, label) {
       "chain"
     );
   }
+  if (isEd25519Chain(chain)) {
+    return generateEd25519StealthMetaAddress(chain, label);
+  }
   const spendingPrivateKey = (0, import_utils2.randomBytes)(32);
   const viewingPrivateKey = (0, import_utils2.randomBytes)(32);
   try {
@@ -4097,6 +4100,9 @@ function validateStealthMetaAddress(metaAddress, field = "recipientMetaAddress")
 }
 function generateStealthAddress(recipientMetaAddress) {
   validateStealthMetaAddress(recipientMetaAddress);
+  if (isEd25519Chain(recipientMetaAddress.chain)) {
+    return generateEd25519StealthAddress(recipientMetaAddress);
+  }
   const ephemeralPrivateKey = (0, import_utils2.randomBytes)(32);
   try {
     const ephemeralPublicKey = import_secp256k1.secp256k1.getPublicKey(ephemeralPrivateKey, true);
@@ -5430,6 +5436,12 @@ async function createShieldedIntent(params, options) {
       const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
       return (0, import_utils6.hexToBytes)(cleanHex);
     };
+    if (allowPlaceholders && typeof process !== "undefined" && process.env?.NODE_ENV === "production") {
+      throw new ValidationError(
+        "allowPlaceholders cannot be used in production environment. Provide valid senderSecret and signatures for production use.",
+        "options.allowPlaceholders"
+      );
+    }
     const effectiveSenderSecret = senderSecret ?? (0, import_utils6.randomBytes)(32);
     const rawIntentHashBytes = (0, import_sha2565.sha256)(new TextEncoder().encode(intentId));
     const intentHashHex = hash(intentId);
@@ -5651,8 +5663,8 @@ var OneClickClient = class {
       params.set("depositMemo", depositMemo);
     }
     const rawStatus = await this.get(`/v0/status?${params.toString()}`);
-    const settlementTxHash = rawStatus.settlementTxHash ?? rawStatus.destinationChainTxHashes?.[0]?.hash;
-    const depositTxHash = rawStatus.depositTxHash ?? rawStatus.originChainTxHashes?.[0]?.hash;
+    const settlementTxHash = rawStatus.settlementTxHash ?? rawStatus.swapDetails?.destinationChainTxHashes?.[0]?.hash ?? rawStatus.destinationChainTxHashes?.[0]?.hash;
+    const depositTxHash = rawStatus.depositTxHash ?? rawStatus.swapDetails?.originChainTxHashes?.[0]?.hash ?? rawStatus.originChainTxHashes?.[0]?.hash;
     return {
       ...rawStatus,
       settlementTxHash,

package/dist/browser.mjs

@@ -263,7 +263,7 @@ import {
   walletRegistry,
   withSecureBuffer,
   withSecureBufferSync
-} from "./chunk-EMOAOF5P.mjs";
+} from "./chunk-3OVABDRH.mjs";
 import {
   fulfillment_proof_default,
   funding_proof_default,

package/dist/{chunk-EMOAOF5P.mjs → chunk-3OVABDRH.mjs}

@@ -379,6 +379,9 @@ function generateStealthMetaAddress(chain, label) {
       "chain"
     );
   }
+  if (isEd25519Chain(chain)) {
+    return generateEd25519StealthMetaAddress(chain, label);
+  }
   const spendingPrivateKey = randomBytes2(32);
   const viewingPrivateKey = randomBytes2(32);
   try {
@@ -440,6 +443,9 @@ function validateStealthMetaAddress(metaAddress, field = "recipientMetaAddress")
 }
 function generateStealthAddress(recipientMetaAddress) {
   validateStealthMetaAddress(recipientMetaAddress);
+  if (isEd25519Chain(recipientMetaAddress.chain)) {
+    return generateEd25519StealthAddress(recipientMetaAddress);
+  }
   const ephemeralPrivateKey = randomBytes2(32);
   try {
     const ephemeralPublicKey = secp256k1.getPublicKey(ephemeralPrivateKey, true);
@@ -1773,6 +1779,12 @@ async function createShieldedIntent(params, options) {
       const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
       return hexToBytes4(cleanHex);
     };
+    if (allowPlaceholders && typeof process !== "undefined" && process.env?.NODE_ENV === "production") {
+      throw new ValidationError(
+        "allowPlaceholders cannot be used in production environment. Provide valid senderSecret and signatures for production use.",
+        "options.allowPlaceholders"
+      );
+    }
     const effectiveSenderSecret = senderSecret ?? randomBytes6(32);
     const rawIntentHashBytes = sha2565(new TextEncoder().encode(intentId));
     const intentHashHex = hash(intentId);
@@ -1997,8 +2009,8 @@ var OneClickClient = class {
       params.set("depositMemo", depositMemo);
     }
     const rawStatus = await this.get(`/v0/status?${params.toString()}`);
-    const settlementTxHash = rawStatus.settlementTxHash ?? rawStatus.destinationChainTxHashes?.[0]?.hash;
-    const depositTxHash = rawStatus.depositTxHash ?? rawStatus.originChainTxHashes?.[0]?.hash;
+    const settlementTxHash = rawStatus.settlementTxHash ?? rawStatus.swapDetails?.destinationChainTxHashes?.[0]?.hash ?? rawStatus.destinationChainTxHashes?.[0]?.hash;
+    const depositTxHash = rawStatus.depositTxHash ?? rawStatus.swapDetails?.originChainTxHashes?.[0]?.hash ?? rawStatus.originChainTxHashes?.[0]?.hash;
     return {
       ...rawStatus,
       settlementTxHash,

package/dist/index.js

@@ -4023,6 +4023,9 @@ function generateStealthMetaAddress(chain, label) {
       "chain"
     );
   }
+  if (isEd25519Chain(chain)) {
+    return generateEd25519StealthMetaAddress(chain, label);
+  }
   const spendingPrivateKey = (0, import_utils2.randomBytes)(32);
   const viewingPrivateKey = (0, import_utils2.randomBytes)(32);
   try {
@@ -4084,6 +4087,9 @@ function validateStealthMetaAddress(metaAddress, field = "recipientMetaAddress")
 }
 function generateStealthAddress(recipientMetaAddress) {
   validateStealthMetaAddress(recipientMetaAddress);
+  if (isEd25519Chain(recipientMetaAddress.chain)) {
+    return generateEd25519StealthAddress(recipientMetaAddress);
+  }
   const ephemeralPrivateKey = (0, import_utils2.randomBytes)(32);
   try {
     const ephemeralPublicKey = import_secp256k1.secp256k1.getPublicKey(ephemeralPrivateKey, true);
@@ -5417,6 +5423,12 @@ async function createShieldedIntent(params, options) {
       const cleanHex = hex.startsWith("0x") ? hex.slice(2) : hex;
       return (0, import_utils6.hexToBytes)(cleanHex);
     };
+    if (allowPlaceholders && typeof process !== "undefined" && process.env?.NODE_ENV === "production") {
+      throw new ValidationError(
+        "allowPlaceholders cannot be used in production environment. Provide valid senderSecret and signatures for production use.",
+        "options.allowPlaceholders"
+      );
+    }
     const effectiveSenderSecret = senderSecret ?? (0, import_utils6.randomBytes)(32);
     const rawIntentHashBytes = (0, import_sha2565.sha256)(new TextEncoder().encode(intentId));
     const intentHashHex = hash(intentId);
@@ -5638,8 +5650,8 @@ var OneClickClient = class {
       params.set("depositMemo", depositMemo);
     }
     const rawStatus = await this.get(`/v0/status?${params.toString()}`);
-    const settlementTxHash = rawStatus.settlementTxHash ?? rawStatus.destinationChainTxHashes?.[0]?.hash;
-    const depositTxHash = rawStatus.depositTxHash ?? rawStatus.originChainTxHashes?.[0]?.hash;
+    const settlementTxHash = rawStatus.settlementTxHash ?? rawStatus.swapDetails?.destinationChainTxHashes?.[0]?.hash ?? rawStatus.destinationChainTxHashes?.[0]?.hash;
+    const depositTxHash = rawStatus.depositTxHash ?? rawStatus.swapDetails?.originChainTxHashes?.[0]?.hash ?? rawStatus.originChainTxHashes?.[0]?.hash;
     return {
       ...rawStatus,
       settlementTxHash,

package/dist/index.mjs

@@ -253,7 +253,7 @@ import {
   walletRegistry,
   withSecureBuffer,
   withSecureBufferSync
-} from "./chunk-EMOAOF5P.mjs";
+} from "./chunk-3OVABDRH.mjs";
 import {
   CryptoError,
   EncryptionNotImplementedError,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sip-protocol/sdk",
-  "version": "0.6.25",
+  "version": "0.7.0",
   "description": "Core SDK for Shielded Intents Protocol - Privacy layer for cross-chain transactions",
   "author": "SIP Protocol <hello@sip-protocol.org>",
   "homepage": "https://sip-protocol.org",
@@ -36,18 +36,6 @@
     "dist",
     "src"
   ],
-  "scripts": {
-    "build": "tsup src/index.ts src/browser.ts src/proofs/noir.ts --format cjs,esm --dts",
-    "dev": "tsup src/index.ts src/browser.ts src/proofs/noir.ts --format cjs,esm --dts --watch",
-    "lint": "eslint --ext .ts src/",
-    "typecheck": "tsc --noEmit",
-    "clean": "rm -rf dist",
-    "test": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "bench": "vitest bench --config vitest.bench.config.ts",
-    "bench:json": "vitest bench --config vitest.bench.config.ts --outputJson benchmarks/results.json",
-    "demo:auction": "tsx examples/auction-demo.ts"
-  },
   "dependencies": {
     "@aztec/bb.js": "3.0.0-nightly.20251104",
     "@ethereumjs/rlp": "^10.1.0",
@@ -57,7 +45,7 @@
     "@noir-lang/noir_js": "1.0.0-beta.15",
     "@noir-lang/types": "1.0.0-beta.15",
     "@scure/base": "^2.0.0",
-    "@sip-protocol/types": "^0.2.0"
+    "@sip-protocol/types": "0.2.1"
   },
   "devDependencies": {
     "@vitest/coverage-v8": "1.6.1",
@@ -74,5 +62,17 @@
     "stealth-addresses",
     "zcash"
   ],
-  "license": "MIT"
-}
+  "license": "MIT",
+  "scripts": {
+    "build": "tsup src/index.ts src/browser.ts src/proofs/noir.ts --format cjs,esm --dts",
+    "dev": "tsup src/index.ts src/browser.ts src/proofs/noir.ts --format cjs,esm --dts --watch",
+    "lint": "eslint --ext .ts src/",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "test": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "bench": "vitest bench --config vitest.bench.config.ts",
+    "bench:json": "vitest bench --config vitest.bench.config.ts --outputJson benchmarks/results.json",
+    "demo:auction": "tsx examples/auction-demo.ts"
+  }
+}

package/src/adapters/oneclick-client.ts

@@ -173,16 +173,27 @@ export class OneClickClient {
       params.set('depositMemo', depositMemo)
     }
 
-    const rawStatus = await this.get<OneClickStatusResponse>(`/v0/status?${params.toString()}`)
+    // Type for raw API response with nested swapDetails
+    interface RawStatusResponse extends OneClickStatusResponse {
+      swapDetails?: {
+        destinationChainTxHashes?: { hash: string; explorerUrl: string }[]
+        originChainTxHashes?: { hash: string; explorerUrl: string }[]
+        nearTxHashes?: string[]
+      }
+    }
+
+    const rawStatus = await this.get<RawStatusResponse>(`/v0/status?${params.toString()}`)
 
-    // Normalize response: extract settlement tx hash from destinationChainTxHashes if available
-    // The 1Click API returns destinationChainTxHashes array with {hash, explorerUrl} objects
+    // Normalize response: extract settlement tx hash from swapDetails.destinationChainTxHashes
+    // The 1Click API returns tx hashes nested inside swapDetails object
     const settlementTxHash = rawStatus.settlementTxHash
-      ?? rawStatus.destinationChainTxHashes?.[0]?.hash
+      ?? rawStatus.swapDetails?.destinationChainTxHashes?.[0]?.hash
+      ?? rawStatus.destinationChainTxHashes?.[0]?.hash // fallback for flat response
 
-    // Extract deposit tx hash from originChainTxHashes if not already present
+    // Extract deposit tx hash from swapDetails.originChainTxHashes if not already present
     const depositTxHash = rawStatus.depositTxHash
-      ?? rawStatus.originChainTxHashes?.[0]?.hash
+      ?? rawStatus.swapDetails?.originChainTxHashes?.[0]?.hash
+      ?? rawStatus.originChainTxHashes?.[0]?.hash // fallback for flat response
 
     return {
       ...rawStatus,

package/src/intent.ts

@@ -554,6 +554,16 @@ export async function createShieldedIntent(
       return hexToBytes(cleanHex)
     }
 
+    // SECURITY: Prevent placeholder mode in production environments
+    // Placeholder signatures are NOT cryptographically valid and must never be used in production
+    if (allowPlaceholders && typeof process !== 'undefined' && process.env?.NODE_ENV === 'production') {
+      throw new ValidationError(
+        'allowPlaceholders cannot be used in production environment. ' +
+        'Provide valid senderSecret and signatures for production use.',
+        'options.allowPlaceholders'
+      )
+    }
+
     // Use provided signatures or generate them from senderSecret
     // IMPORTANT: senderSecret must be random even for placeholders, as secp256k1
     // rejects all-zero private keys. randomBytes generates cryptographically secure random values.

package/src/stealth.ts

@@ -113,7 +113,12 @@ export function generateStealthMetaAddress(
     )
   }
 
-  // Generate random private keys
+  // Dispatch to curve-specific implementation
+  if (isEd25519Chain(chain)) {
+    return generateEd25519StealthMetaAddress(chain, label)
+  }
+
+  // secp256k1 implementation for EVM chains
   const spendingPrivateKey = randomBytes(32)
   const viewingPrivateKey = randomBytes(32)
 
@@ -269,7 +274,12 @@ export function generateStealthAddress(
   // Validate input
   validateStealthMetaAddress(recipientMetaAddress)
 
-  // Generate ephemeral keypair
+  // Dispatch to curve-specific implementation based on chain
+  if (isEd25519Chain(recipientMetaAddress.chain)) {
+    return generateEd25519StealthAddress(recipientMetaAddress)
+  }
+
+  // secp256k1 implementation for EVM chains
   const ephemeralPrivateKey = randomBytes(32)
 
   try {