@soteria1/sdk 0.1.0

package/dist/shielded/prover.js

@@ -0,0 +1,90 @@
+import { groth16 } from "snarkjs";
+import { keccak_256 } from "@noble/hashes/sha3";
+import { FIELD } from "./keypair.js";
+import { newNote, commitment, nullifier, encryptNoteSecret } from "./note.js";
+// BN254 base field (for negating proof.A).
+const Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583n;
+const LEVELS = 20;
+function be32(v) {
+    let x = BigInt(v);
+    const o = new Array(32).fill(0);
+    for (let i = 31; i >= 0; i--) {
+        o[i] = Number(x & 0xffn);
+        x >>= 8n;
+    }
+    return o;
+}
+// keccak(recipient || relayer || extAmount_le_i64 || fee_le_u64), masked below
+// the field — MUST byte-match the program's ext_data_hash.
+export function extDataHash(recipient, relayer, extAmount, fee) {
+    const buf = new Uint8Array(80);
+    buf.set(recipient.toBytes(), 0);
+    buf.set(relayer.toBytes(), 32);
+    const ea = BigInt.asUintN(64, extAmount);
+    const fe = BigInt.asUintN(64, fee);
+    for (let i = 0; i < 8; i++) {
+        buf[64 + i] = Number((ea >> BigInt(8 * i)) & 0xffn);
+        buf[72 + i] = Number((fe >> BigInt(8 * i)) & 0xffn);
+    }
+    const hsh = keccak_256(buf);
+    hsh[0] &= 0x1f;
+    let v = 0n;
+    for (const b of hsh)
+        v = (v << 8n) | BigInt(b);
+    return v;
+}
+/** publicAmount = (extAmount - fee) mod p. */
+export function publicAmount(extAmount, fee) {
+    let v = extAmount - fee;
+    if (v < 0n)
+        v += FIELD;
+    return v % FIELD;
+}
+const zeros = (n) => Array(n).fill("0");
+/**
+ * Build a hidden-amount transaction proof for the on-chain `transact`
+ * instruction. Caller must ensure Σinputs + extAmount == Σoutputs + fee.
+ */
+export async function buildTransaction(p) {
+    const sk = p.spendKeypair;
+    const inputs = [...p.inputs];
+    while (inputs.length < 2) {
+        inputs.push({ note: newNote(0n, sk.publicKey), pathElements: zeros(LEVELS).map(BigInt), pathIndices: Array(LEVELS).fill(0) });
+    }
+    const outputs = [...p.outputs];
+    while (outputs.length < 2)
+        outputs.push({ note: newNote(0n, sk.publicKey), encPub: sk.encPub });
+    const inNullifiers = await Promise.all(inputs.map((i) => nullifier(i.note, sk.privateKey)));
+    const outCommitments = await Promise.all(outputs.map((o) => commitment(o.note)));
+    const encryptedSecrets = await Promise.all(outputs.map((o) => encryptNoteSecret(o.note, o.encPub)));
+    const witness = {
+        root: p.root.toString(),
+        publicAmount: publicAmount(p.extAmount, p.fee).toString(),
+        extDataHash: extDataHash(p.recipient, p.relayer, p.extAmount, p.fee).toString(),
+        inputNullifier: inNullifiers.map(String),
+        outputCommitment: outCommitments.map(String),
+        inAmount: inputs.map((i) => i.note.amount.toString()),
+        inPrivateKey: inputs.map(() => sk.privateKey.toString()),
+        inBlinding: inputs.map((i) => i.note.blinding.toString()),
+        inPathIndices: inputs.map((i) => i.pathIndices.map(String)),
+        inPathElements: inputs.map((i) => i.pathElements.map(String)),
+        outAmount: outputs.map((o) => o.note.amount.toString()),
+        outPubkey: outputs.map((o) => o.note.pubkey.toString()),
+        outBlinding: outputs.map((o) => o.note.blinding.toString()),
+    };
+    const { proof, publicSignals } = await groth16.fullProve(witness, p.wasmPath, p.zkeyPath);
+    const ax = BigInt(proof.pi_a[0]);
+    const ay = (Q - (BigInt(proof.pi_a[1]) % Q)) % Q;
+    return {
+        proofA: [...be32(ax), ...be32(ay)],
+        proofB: [
+            ...be32(proof.pi_b[0][1]), ...be32(proof.pi_b[0][0]),
+            ...be32(proof.pi_b[1][1]), ...be32(proof.pi_b[1][0]),
+        ],
+        proofC: [...be32(proof.pi_c[0]), ...be32(proof.pi_c[1])],
+        publicInputs: publicSignals.map((s) => be32(s)),
+        nullifiers: inNullifiers,
+        outputCommitments: outCommitments,
+        encryptedSecrets,
+    };
+}

package/dist/shielded/scan.d.ts

@@ -0,0 +1,21 @@
+import { ShieldedKeypair } from "./keypair.js";
+import { Note } from "./note.js";
+/** One output emitted by `transact`, paired with its encrypted secret. */
+export interface OutputRecord {
+    commitment: bigint;
+    encryptedSecret: string;
+    leafIndex: number;
+}
+export interface OwnedNote extends Note {
+    leafIndex: number;
+    nullifier: bigint;
+}
+/**
+ * Scan emitted outputs for notes owned by `kp`: decrypt each secret, and keep it
+ * if the reconstructed commitment matches and the amount is non-zero. Returns
+ * spendable UTXOs (callers should drop any whose nullifier is already spent
+ * on-chain).
+ */
+export declare function scanOutputs(records: OutputRecord[], kp: ShieldedKeypair): Promise<OwnedNote[]>;
+/** Total spendable balance from a set of owned notes. */
+export declare const balance: (notes: OwnedNote[]) => bigint;

package/dist/shielded/scan.js

@@ -0,0 +1,28 @@
+import { commitment, nullifier, decryptNoteSecret } from "./note.js";
+/**
+ * Scan emitted outputs for notes owned by `kp`: decrypt each secret, and keep it
+ * if the reconstructed commitment matches and the amount is non-zero. Returns
+ * spendable UTXOs (callers should drop any whose nullifier is already spent
+ * on-chain).
+ */
+export async function scanOutputs(records, kp) {
+    const owned = [];
+    for (const r of records) {
+        let secret;
+        try {
+            secret = await decryptNoteSecret(r.encryptedSecret, kp.encPriv);
+        }
+        catch {
+            continue; // not encrypted to us
+        }
+        const note = { amount: secret.amount, pubkey: kp.publicKey, blinding: secret.blinding };
+        if (secret.amount === 0n)
+            continue;
+        if ((await commitment(note)) !== r.commitment)
+            continue;
+        owned.push({ ...note, leafIndex: r.leafIndex, nullifier: await nullifier(note, kp.privateKey) });
+    }
+    return owned;
+}
+/** Total spendable balance from a set of owned notes. */
+export const balance = (notes) => notes.reduce((s, n) => s + n.amount, 0n);

package/dist/stealth/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./stealth.js";
+export * from "./scanner.js";

package/dist/stealth/index.js

@@ -0,0 +1,2 @@
+export * from "./stealth.js";
+export * from "./scanner.js";

package/dist/stealth/scanner.d.ts

@@ -0,0 +1,20 @@
+import { StealthKeys } from "./stealth.js";
+/** One published announcement: the sender's ephemeral key + a view tag. */
+export interface Announcement {
+    ephemeralPub: Uint8Array;
+    viewTag: number;
+    stealthPub?: Uint8Array;
+    slot?: number;
+    signature?: string;
+}
+export interface DetectedPayment {
+    stealthPub: Uint8Array;
+    stealthScalar: bigint;
+    announcement: Announcement;
+}
+/**
+ * Scan a batch of announcements for payments addressed to `keys`.
+ * The view tag lets us reject ~255/256 of non-matching announcements with a
+ * single hash before doing the full point recovery.
+ */
+export declare function scanAnnouncements(keys: StealthKeys, announcements: Announcement[]): DetectedPayment[];

package/dist/stealth/scanner.js

@@ -0,0 +1,31 @@
+import { recoverStealth } from "./stealth.js";
+/**
+ * Scan a batch of announcements for payments addressed to `keys`.
+ * The view tag lets us reject ~255/256 of non-matching announcements with a
+ * single hash before doing the full point recovery.
+ */
+export function scanAnnouncements(keys, announcements) {
+    const found = [];
+    for (const ann of announcements) {
+        const res = recoverStealth(keys, ann.ephemeralPub, ann.viewTag);
+        if (!res)
+            continue;
+        // If the registry recorded the destination, confirm it matches ours.
+        if (ann.stealthPub && !equal(ann.stealthPub, res.stealthPub))
+            continue;
+        found.push({
+            stealthPub: res.stealthPub,
+            stealthScalar: res.stealthScalar,
+            announcement: ann,
+        });
+    }
+    return found;
+}
+function equal(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}

package/dist/stealth/stealth.d.ts

@@ -0,0 +1,46 @@
+import { PublicKey } from "@solana/web3.js";
+export interface MetaAddress {
+    spendPub: Uint8Array;
+    viewPub: Uint8Array;
+}
+export interface StealthKeys {
+    spendScalar: bigint;
+    viewScalar: bigint;
+    meta: MetaAddress;
+}
+export interface StealthOutput {
+    stealthPub: Uint8Array;
+    stealthAddress: PublicKey;
+    ephemeralPub: Uint8Array;
+    viewTag: number;
+}
+/** Generate a recipient's stealth key material + shareable meta-address. */
+export declare function generateStealthKeys(): StealthKeys;
+/**
+ * Derive a recipient's stealth keys deterministically from a `seed` — typically
+ * the recipient's signature over a fixed message from their main wallet.
+ *
+ * Because the same seed always yields the same keys, the recipient recovers
+ * their entire stealth identity from their wallet alone: nothing is stored, and
+ * losing local state loses nothing. Spend and view scalars are domain-separated
+ * so the view key (shareable with a scanning service) never leaks the spend key.
+ */
+export declare function deriveStealthKeys(seed: Uint8Array): StealthKeys;
+/**
+ * SENDER: derive a one-time stealth address for a recipient's meta-address.
+ * Publish `ephemeralPub` (R) and `viewTag` so the recipient can detect it.
+ */
+export declare function deriveStealthAddress(meta: MetaAddress): StealthOutput;
+/**
+ * RECIPIENT: given an announced ephemeral key R, recompute the stealth pubkey
+ * and (if it's ours) the one-time signing scalar. Returns null if no match.
+ */
+export declare function recoverStealth(keys: StealthKeys, ephemeralPub: Uint8Array, expectedViewTag?: number): {
+    stealthPub: Uint8Array;
+    stealthScalar: bigint;
+} | null;
+/**
+ * Sign a message with a recovered stealth scalar (raw-scalar ed25519).
+ * Use this in a custom Solana transaction signer to spend from a stealth address.
+ */
+export declare function signWithStealthScalar(message: Uint8Array, stealthScalar: bigint): Uint8Array;

package/dist/stealth/stealth.js

@@ -0,0 +1,119 @@
+import { ed25519 } from "@noble/curves/ed25519";
+import { sha512 } from "@noble/hashes/sha512";
+import { bytesToNumberLE, numberToBytesLE } from "@noble/curves/abstract/utils";
+import { PublicKey } from "@solana/web3.js";
+/**
+ * Dual-key stealth addresses for Solana (ERC-5564 style, adapted to ed25519).
+ *
+ * A recipient publishes a META-ADDRESS made of two public keys:
+ *   - spend public key  S = s*G   (controls spending)
+ *   - view public key    V = v*G   (lets the recipient scan cheaply)
+ *
+ * A sender, knowing (S, V), derives a fresh one-time stealth address per payment
+ * and publishes only an ephemeral public key R. Nobody watching the chain can
+ * link the stealth address back to the recipient's meta-address.
+ *
+ * This module hides WHICH wallet receives. It is not a mixer: funds are not
+ * pooled, and there is no deposit/withdraw that breaks the sender->recipient link.
+ *
+ * ── Spending caveat (read this) ──────────────────────────────────────────────
+ * The one-time signing key is a raw scalar `p = (s + tweak) mod L`. Solana's
+ * standard Keypair derives its scalar by hashing a 32-byte seed, so you CANNOT
+ * load `p` into a normal web3.js Keypair and sign. Spending requires raw-scalar
+ * ed25519 signing (Monero-style). `signWithStealthScalar` below does that; wire
+ * it into a custom transaction signer when you build the claim flow.
+ */
+const L = ed25519.CURVE.n; // group order
+const Base = ed25519.ExtendedPoint.BASE;
+function hashToScalar(...chunks) {
+    const h = sha512(concat(chunks));
+    return bytesToNumberLE(h) % L;
+}
+function concat(parts) {
+    const len = parts.reduce((n, p) => n + p.length, 0);
+    const out = new Uint8Array(len);
+    let o = 0;
+    for (const p of parts) {
+        out.set(p, o);
+        o += p.length;
+    }
+    return out;
+}
+/** Generate a recipient's stealth key material + shareable meta-address. */
+export function generateStealthKeys() {
+    const s = bytesToNumberLE(ed25519.utils.randomPrivateKey()) % L;
+    const v = bytesToNumberLE(ed25519.utils.randomPrivateKey()) % L;
+    const spendPub = Base.multiply(s).toRawBytes();
+    const viewPub = Base.multiply(v).toRawBytes();
+    return { spendScalar: s, viewScalar: v, meta: { spendPub, viewPub } };
+}
+/**
+ * Derive a recipient's stealth keys deterministically from a `seed` — typically
+ * the recipient's signature over a fixed message from their main wallet.
+ *
+ * Because the same seed always yields the same keys, the recipient recovers
+ * their entire stealth identity from their wallet alone: nothing is stored, and
+ * losing local state loses nothing. Spend and view scalars are domain-separated
+ * so the view key (shareable with a scanning service) never leaks the spend key.
+ */
+export function deriveStealthKeys(seed) {
+    const enc = new TextEncoder();
+    const s = hashToScalar(enc.encode("soteria:stealth:spend:v1"), seed);
+    const v = hashToScalar(enc.encode("soteria:stealth:view:v1"), seed);
+    const spendPub = Base.multiply(s).toRawBytes();
+    const viewPub = Base.multiply(v).toRawBytes();
+    return { spendScalar: s, viewScalar: v, meta: { spendPub, viewPub } };
+}
+/**
+ * SENDER: derive a one-time stealth address for a recipient's meta-address.
+ * Publish `ephemeralPub` (R) and `viewTag` so the recipient can detect it.
+ */
+export function deriveStealthAddress(meta) {
+    const r = bytesToNumberLE(ed25519.utils.randomPrivateKey()) % L;
+    const R = Base.multiply(r).toRawBytes();
+    const Vpoint = ed25519.ExtendedPoint.fromHex(meta.viewPub);
+    const shared = Vpoint.multiply(r).toRawBytes(); // r*V = (r*v)*G
+    const tweak = hashToScalar(shared); // common secret both sides can compute
+    const Spoint = ed25519.ExtendedPoint.fromHex(meta.spendPub);
+    const stealth = Spoint.add(Base.multiply(tweak)); // P = S + tweak*G
+    const stealthPub = stealth.toRawBytes();
+    const viewTag = sha512(concat([new Uint8Array([0x01]), shared]))[0];
+    return {
+        stealthPub,
+        stealthAddress: new PublicKey(stealthPub),
+        ephemeralPub: R,
+        viewTag,
+    };
+}
+/**
+ * RECIPIENT: given an announced ephemeral key R, recompute the stealth pubkey
+ * and (if it's ours) the one-time signing scalar. Returns null if no match.
+ */
+export function recoverStealth(keys, ephemeralPub, expectedViewTag) {
+    const Rpoint = ed25519.ExtendedPoint.fromHex(ephemeralPub);
+    const shared = Rpoint.multiply(keys.viewScalar).toRawBytes(); // v*R = (r*v)*G
+    if (expectedViewTag !== undefined) {
+        const tag = sha512(concat([new Uint8Array([0x01]), shared]))[0];
+        if (tag !== expectedViewTag)
+            return null; // fast reject
+    }
+    const tweak = hashToScalar(shared);
+    const stealthScalar = (keys.spendScalar + tweak) % L; // p = s + tweak
+    const stealthPub = Base.multiply(stealthScalar).toRawBytes(); // must equal P
+    return { stealthPub, stealthScalar };
+}
+/**
+ * Sign a message with a recovered stealth scalar (raw-scalar ed25519).
+ * Use this in a custom Solana transaction signer to spend from a stealth address.
+ */
+export function signWithStealthScalar(message, stealthScalar) {
+    // Deterministic nonce from a domain-separated hash of (scalar || message).
+    const sBytes = numberToBytesLE(stealthScalar, 32);
+    const nonce = bytesToNumberLE(sha512(concat([sBytes, message]))) % L;
+    const Rpt = Base.multiply(nonce);
+    const Rbytes = Rpt.toRawBytes();
+    const Abytes = Base.multiply(stealthScalar).toRawBytes();
+    const k = bytesToNumberLE(sha512(concat([Rbytes, Abytes, message]))) % L;
+    const S = (nonce + k * stealthScalar) % L;
+    return concat([Rbytes, numberToBytesLE(S, 32)]);
+}

package/dist/zk/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./merkle.js";
+export * from "./prover.js";

package/dist/zk/index.js

@@ -0,0 +1,2 @@
+export * from "./merkle.js";
+export * from "./prover.js";

package/dist/zk/merkle.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Poseidon Merkle tree whose hashing matches circuits/credential.circom:
+ *   parent = Poseidon(left, right)
+ *   leaf   = Poseidon(secret)   // identity commitment
+ *
+ * Fixed depth; empty slots are filled with a zero subtree so the root is
+ * stable. Keep `depth` in sync with the circuit (default 20).
+ */
+export declare class PoseidonMerkleTree {
+    private poseidon;
+    private F;
+    readonly depth: number;
+    private zeros;
+    private layers;
+    private constructor();
+    static create(depth?: number): Promise<PoseidonMerkleTree>;
+    private toBig;
+    hash1(a: bigint): bigint;
+    hash2(a: bigint, b: bigint): bigint;
+    /** identity commitment for a secret */
+    commitment(secret: bigint): bigint;
+    /** insert a leaf (already a commitment) and return its index */
+    insert(leaf: bigint): number;
+    /**
+     * Insert many leaves and rebuild once — O(n) total instead of O(n²) from
+     * calling insert() in a loop. Use this to load a tree from a commitment list.
+     */
+    insertMany(leaves: bigint[]): void;
+    private rebuild;
+    root(): bigint;
+    /** Merkle proof for the leaf at `index`, formatted for the circuit. */
+    proof(index: number): {
+        pathElements: bigint[];
+        pathIndices: number[];
+    };
+}

package/dist/zk/merkle.js

@@ -0,0 +1,92 @@
+import { buildPoseidon } from "circomlibjs";
+/**
+ * Poseidon Merkle tree whose hashing matches circuits/credential.circom:
+ *   parent = Poseidon(left, right)
+ *   leaf   = Poseidon(secret)   // identity commitment
+ *
+ * Fixed depth; empty slots are filled with a zero subtree so the root is
+ * stable. Keep `depth` in sync with the circuit (default 20).
+ */
+export class PoseidonMerkleTree {
+    constructor(poseidon, depth) {
+        this.zeros = [];
+        this.layers = [];
+        this.poseidon = poseidon;
+        this.F = poseidon.F;
+        this.depth = depth;
+    }
+    static async create(depth = 20) {
+        const poseidon = await buildPoseidon();
+        const t = new PoseidonMerkleTree(poseidon, depth);
+        // precompute zero subtree roots per level
+        let cur = 0n;
+        t.zeros.push(cur);
+        for (let i = 0; i < depth; i++) {
+            cur = t.hash2(cur, cur);
+            t.zeros.push(cur);
+        }
+        t.layers = [[]];
+        return t;
+    }
+    toBig(x) {
+        return BigInt(this.F.toString(x));
+    }
+    hash1(a) {
+        return this.toBig(this.poseidon([a]));
+    }
+    hash2(a, b) {
+        return this.toBig(this.poseidon([a, b]));
+    }
+    /** identity commitment for a secret */
+    commitment(secret) {
+        return this.hash1(secret);
+    }
+    /** insert a leaf (already a commitment) and return its index */
+    insert(leaf) {
+        const index = this.layers[0].length;
+        this.layers[0].push(leaf);
+        this.rebuild();
+        return index;
+    }
+    /**
+     * Insert many leaves and rebuild once — O(n) total instead of O(n²) from
+     * calling insert() in a loop. Use this to load a tree from a commitment list.
+     */
+    insertMany(leaves) {
+        for (const leaf of leaves)
+            this.layers[0].push(leaf);
+        this.rebuild();
+    }
+    rebuild() {
+        for (let level = 0; level < this.depth; level++) {
+            const cur = this.layers[level];
+            const next = [];
+            for (let i = 0; i < cur.length; i += 2) {
+                const left = cur[i];
+                const right = i + 1 < cur.length ? cur[i + 1] : this.zeros[level];
+                next.push(this.hash2(left, right));
+            }
+            this.layers[level + 1] = next;
+        }
+    }
+    root() {
+        const top = this.layers[this.depth];
+        return top && top.length ? top[0] : this.zeros[this.depth];
+    }
+    /** Merkle proof for the leaf at `index`, formatted for the circuit. */
+    proof(index) {
+        const pathElements = [];
+        const pathIndices = [];
+        let idx = index;
+        for (let level = 0; level < this.depth; level++) {
+            const cur = this.layers[level] ?? [];
+            const isRight = idx % 2;
+            const siblingIdx = isRight ? idx - 1 : idx + 1;
+            const sibling = siblingIdx < cur.length ? cur[siblingIdx] : this.zeros[level];
+            pathElements.push(sibling);
+            pathIndices.push(isRight);
+            idx = Math.floor(idx / 2);
+        }
+        return { pathElements, pathIndices };
+    }
+}

package/dist/zk/prover.d.ts

@@ -0,0 +1,50 @@
+import { PublicKey } from "@solana/web3.js";
+import { PoseidonMerkleTree } from "./merkle.js";
+export interface CredentialInputs {
+    secret: bigint;
+    tree: PoseidonMerkleTree;
+    leafIndex: number;
+    externalNullifier: bigint;
+    signalHash: bigint;
+}
+export interface FormattedProof {
+    proofA: number[];
+    proofB: number[];
+    proofC: number[];
+    publicInputs: number[][];
+}
+export interface RawProof {
+    proof: {
+        pi_a: string[];
+        pi_b: string[][];
+        pi_c: string[];
+    };
+    publicSignals: string[];
+}
+/**
+ * Generate the raw snarkjs proof + public signals. Use this when submitting via
+ * the relay, which formats the bytes server-side. Requires the trusted-setup
+ * artifacts (see README).
+ */
+export declare function proveCredentialRaw(inputs: CredentialInputs, wasmPath: string, zkeyPath: string): Promise<RawProof>;
+/**
+ * Generate a selective-disclosure proof and format it for the on-chain verifier
+ * (direct submission). For the relay path, use proveCredentialRaw.
+ */
+export declare function proveCredential(inputs: CredentialInputs, wasmPath: string, zkeyPath: string): Promise<FormattedProof>;
+export declare function groupPda(groupId: bigint | number): [PublicKey, number];
+export declare function nullifierPda(groupId: bigint | number, nullifierHash: number[]): [PublicKey, number];
+/**
+ * Account set for `verify_proof`, ordered to match the on-chain context.
+ * Call as verifyProof(externalNullifier, proofA, proofB, proofC, publicInputs)
+ * via @coral-xyz/anchor's IDL client; externalNullifier must equal
+ * publicInputs[PI_EXTERNAL_NULLIFIER] or the program rejects with ScopeMismatch.
+ */
+export declare function buildVerifyAccounts(payer: PublicKey, groupId: bigint | number, proof: FormattedProof): {
+    programId: PublicKey;
+    keys: {
+        pubkey: PublicKey;
+        isSigner: boolean;
+        isWritable: boolean;
+    }[];
+};

package/dist/zk/prover.js

@@ -0,0 +1,87 @@
+import { groth16 } from "snarkjs";
+import { PublicKey, SystemProgram, } from "@solana/web3.js";
+// BN254 base field prime (for negating proof.A, per groth16-solana convention).
+const Q = 21888242871839275222246405745257275088696311157297823662689037894645226208583n;
+const VERIFIER_PROGRAM_ID = new PublicKey("9HNLpUVFX61pX759oy1vuMMwQaQaGnK9KgMyhTrDrRGs");
+function toBE32(dec) {
+    let v = BigInt(dec);
+    const out = new Array(32).fill(0);
+    for (let i = 31; i >= 0; i--) {
+        out[i] = Number(v & 0xffn);
+        v >>= 8n;
+    }
+    return out;
+}
+/**
+ * Generate the raw snarkjs proof + public signals. Use this when submitting via
+ * the relay, which formats the bytes server-side. Requires the trusted-setup
+ * artifacts (see README).
+ */
+export async function proveCredentialRaw(inputs, wasmPath, zkeyPath) {
+    const { secret, tree, leafIndex, externalNullifier, signalHash } = inputs;
+    const { pathElements, pathIndices } = tree.proof(leafIndex);
+    const witness = {
+        secret: secret.toString(),
+        pathElements: pathElements.map((x) => x.toString()),
+        pathIndices: pathIndices.map((x) => x.toString()),
+        merkleRoot: tree.root().toString(),
+        externalNullifier: externalNullifier.toString(),
+        signalHash: signalHash.toString(),
+    };
+    const { proof, publicSignals } = await groth16.fullProve(witness, wasmPath, zkeyPath);
+    return { proof, publicSignals };
+}
+/**
+ * Generate a selective-disclosure proof and format it for the on-chain verifier
+ * (direct submission). For the relay path, use proveCredentialRaw.
+ */
+export async function proveCredential(inputs, wasmPath, zkeyPath) {
+    const { proof, publicSignals } = await proveCredentialRaw(inputs, wasmPath, zkeyPath);
+    // --- proof.A : negate y, then x||y big-endian (groth16-solana wants -A) ---
+    const ax = BigInt(proof.pi_a[0]);
+    const ay = (Q - (BigInt(proof.pi_a[1]) % Q)) % Q;
+    const proofA = [...toBE32(ax), ...toBE32(ay)];
+    // --- proof.B : G2, swap the c0/c1 ordering snarkjs emits ---
+    const proofB = [
+        ...toBE32(proof.pi_b[0][1]),
+        ...toBE32(proof.pi_b[0][0]),
+        ...toBE32(proof.pi_b[1][1]),
+        ...toBE32(proof.pi_b[1][0]),
+    ];
+    // --- proof.C : x||y big-endian ---
+    const proofC = [...toBE32(proof.pi_c[0]), ...toBE32(proof.pi_c[1])];
+    // publicSignals order = [outputs..., publicInputs...]
+    //   = [nullifierHash, merkleRoot, externalNullifier, signalHash]
+    const publicInputs = publicSignals.map((s) => toBE32(s));
+    return { proofA, proofB, proofC, publicInputs };
+}
+function u64le(n) {
+    const b = Buffer.alloc(8);
+    b.writeBigUInt64LE(BigInt(n));
+    return b;
+}
+export function groupPda(groupId) {
+    return PublicKey.findProgramAddressSync([Buffer.from("group"), u64le(groupId)], VERIFIER_PROGRAM_ID);
+}
+export function nullifierPda(groupId, nullifierHash) {
+    return PublicKey.findProgramAddressSync([Buffer.from("nullifier"), u64le(groupId), Buffer.from(nullifierHash)], VERIFIER_PROGRAM_ID);
+}
+/**
+ * Account set for `verify_proof`, ordered to match the on-chain context.
+ * Call as verifyProof(externalNullifier, proofA, proofB, proofC, publicInputs)
+ * via @coral-xyz/anchor's IDL client; externalNullifier must equal
+ * publicInputs[PI_EXTERNAL_NULLIFIER] or the program rejects with ScopeMismatch.
+ */
+export function buildVerifyAccounts(payer, groupId, proof) {
+    const [group] = groupPda(groupId);
+    const [nullifier] = nullifierPda(groupId, proof.publicInputs[0]);
+    return {
+        programId: VERIFIER_PROGRAM_ID,
+        keys: [
+            { pubkey: payer, isSigner: true, isWritable: true },
+            { pubkey: group, isSigner: false, isWritable: false },
+            { pubkey: nullifier, isSigner: false, isWritable: true },
+            { pubkey: SystemProgram.programId, isSigner: false, isWritable: false },
+        ],
+    };
+}