@swimmingkiim/api-sdk 0.1.35 → 0.1.36

package/dist/discovery/attestation-signer.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Function signature for VC verification.
+ * Injected by the caller — can be trust-sdk's VCHandler or any custom impl.
+ */
+export type VerifyVCFunction = (vcJwt: string) => Promise<{
+    valid: boolean;
+    did: string;
+}>;
+export interface AttestationSignerOptions {
+    /** Hex-encoded secp256k1 private key of the voucher (any registered agent or bootstrap) */
+    privateKey: `0x${string}`;
+    /** Address of the deployed CredentialVerifier contract */
+    verifierContractAddress: string;
+    /** Chain ID (e.g., 8453 for Base Mainnet) */
+    chainId: number;
+    /** Injected VC verification function */
+    verifyVC: VerifyVCFunction;
+    /** Attestation validity duration in seconds (default: 3600 = 1 hour) */
+    ttlSeconds?: number;
+}
+/**
+ * Structured attestation proof ready for on-chain submission.
+ */
+export interface AttestationProof {
+    /** keccak256 hash of the verified DID */
+    didHash: `0x${string}`;
+    /** Unix timestamp after which the attestation expires */
+    deadline: bigint;
+    /** EIP-712 ECDSA signature */
+    signature: string;
+    /** Encodes the proof as ABI-packed bytes for contract submission */
+    encode: () => `0x${string}`;
+}
+/**
+ * Creates EIP-712 signed attestation proofs for the on-chain CredentialVerifier.
+ *
+ * Web of Trust: Any registered agent (or bootstrap voucher) can sign attestations
+ * to vouch for new agents. No single trusted signer required.
+ *
+ * @example
+ * ```ts
+ * import { AttestationSigner } from '@swimmingkiim/api-sdk'
+ * import { VCHandler } from '@swimmingkiim/trust-sdk'
+ *
+ * const vcHandler = new VCHandler()
+ * // Any registered agent's key can be used as voucher
+ * const signer = new AttestationSigner({
+ *     privateKey: process.env.VOUCHER_KEY as `0x${string}`,
+ *     verifierContractAddress: '0x...',
+ *     chainId: 8453,
+ *     verifyVC: async (jwt) => {
+ *         const valid = await vcHandler.verifyCredential(jwt)
+ *         const payload = JSON.parse(atob(jwt.split('.')[1]))
+ *         return { valid, did: payload.iss }
+ *     },
+ * })
+ *
+ * const proof = await signer.createAttestation(vcJwt, walletAddress)
+ * // proof.encode() → bytes for AgentRegistry.register(meta, units, proof.encode())
+ * ```
+ */
+export declare class AttestationSigner {
+    private readonly account;
+    private readonly verifierContractAddress;
+    private readonly chainId;
+    private readonly verifyVC;
+    private readonly ttlSeconds;
+    constructor(options: AttestationSignerOptions);
+    /**
+     * Verifies a VC JWT and produces a signed attestation proof.
+     *
+     * @param vcJwt - Verifiable Credential JWT string
+     * @param walletAddress - The Ethereum address of the agent being attested
+     * @returns AttestationProof with didHash, deadline, signature, and encode()
+     */
+    createAttestation(vcJwt: string, walletAddress: string): Promise<AttestationProof>;
+}
+//# sourceMappingURL=attestation-signer.d.ts.map

package/dist/discovery/attestation-signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation-signer.d.ts","sourceRoot":"","sources":["../../src/discovery/attestation-signer.ts"],"names":[],"mappings":"AAgCA;;;GAGG;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAAA;AAE1F,MAAM,WAAW,wBAAwB;IACrC,2FAA2F;IAC3F,UAAU,EAAE,KAAK,MAAM,EAAE,CAAA;IACzB,0DAA0D;IAC1D,uBAAuB,EAAE,MAAM,CAAA;IAC/B,6CAA6C;IAC7C,OAAO,EAAE,MAAM,CAAA;IACf,wCAAwC;IACxC,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,wEAAwE;IACxE,UAAU,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC7B,yCAAyC;IACzC,OAAO,EAAE,KAAK,MAAM,EAAE,CAAA;IACtB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAA;IAChB,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAA;IACjB,oEAAoE;IACpE,MAAM,EAAE,MAAM,KAAK,MAAM,EAAE,CAAA;CAC9B;AAID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,qBAAa,iBAAiB;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAe;IACvD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAQ;IAChC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAkB;IAC3C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAQ;gBAEvB,OAAO,EAAE,wBAAwB;IAU7C;;;;;;OAMG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;CAmD3F"}

package/dist/discovery/attestation-signer.js

@@ -0,0 +1,111 @@
+import { keccak256, toHex, encodeAbiParameters, isAddress, } from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
+import { z } from 'zod';
+// --- Validation ---
+const EthAddressSchema = z.string().refine((val) => isAddress(val), { message: 'Invalid Ethereum address format' });
+// --- EIP-712 Type Definitions (must match CredentialVerifier.sol) ---
+const EIP712_DOMAIN = {
+    name: 'CredentialVerifier',
+    version: '1',
+};
+const ATTESTATION_TYPES = {
+    Attestation: [
+        { name: 'user', type: 'address' },
+        { name: 'didHash', type: 'bytes32' },
+        { name: 'deadline', type: 'uint256' },
+    ],
+};
+const DEFAULT_TTL_SECONDS = 3600; // 1 hour
+/**
+ * Creates EIP-712 signed attestation proofs for the on-chain CredentialVerifier.
+ *
+ * Web of Trust: Any registered agent (or bootstrap voucher) can sign attestations
+ * to vouch for new agents. No single trusted signer required.
+ *
+ * @example
+ * ```ts
+ * import { AttestationSigner } from '@swimmingkiim/api-sdk'
+ * import { VCHandler } from '@swimmingkiim/trust-sdk'
+ *
+ * const vcHandler = new VCHandler()
+ * // Any registered agent's key can be used as voucher
+ * const signer = new AttestationSigner({
+ *     privateKey: process.env.VOUCHER_KEY as `0x${string}`,
+ *     verifierContractAddress: '0x...',
+ *     chainId: 8453,
+ *     verifyVC: async (jwt) => {
+ *         const valid = await vcHandler.verifyCredential(jwt)
+ *         const payload = JSON.parse(atob(jwt.split('.')[1]))
+ *         return { valid, did: payload.iss }
+ *     },
+ * })
+ *
+ * const proof = await signer.createAttestation(vcJwt, walletAddress)
+ * // proof.encode() → bytes for AgentRegistry.register(meta, units, proof.encode())
+ * ```
+ */
+export class AttestationSigner {
+    account;
+    verifierContractAddress;
+    chainId;
+    verifyVC;
+    ttlSeconds;
+    constructor(options) {
+        EthAddressSchema.parse(options.verifierContractAddress);
+        this.account = privateKeyToAccount(options.privateKey);
+        this.verifierContractAddress = options.verifierContractAddress;
+        this.chainId = options.chainId;
+        this.verifyVC = options.verifyVC;
+        this.ttlSeconds = options.ttlSeconds ?? DEFAULT_TTL_SECONDS;
+    }
+    /**
+     * Verifies a VC JWT and produces a signed attestation proof.
+     *
+     * @param vcJwt - Verifiable Credential JWT string
+     * @param walletAddress - The Ethereum address of the agent being attested
+     * @returns AttestationProof with didHash, deadline, signature, and encode()
+     */
+    async createAttestation(vcJwt, walletAddress) {
+        // 1. Validate wallet address
+        EthAddressSchema.parse(walletAddress);
+        // 2. Verify VC
+        const { valid, did } = await this.verifyVC(vcJwt);
+        if (!valid) {
+            throw new Error('VC verification failed');
+        }
+        // 3. Hash the DID for nullifier
+        const didHash = keccak256(toHex(did));
+        // 4. Calculate deadline
+        const deadline = BigInt(Math.floor(Date.now() / 1000) + this.ttlSeconds);
+        if (!this.account.signTypedData) {
+            throw new Error('Account does not support signTypedData');
+        }
+        // 5. Sign EIP-712 typed data
+        const signature = await this.account.signTypedData({
+            domain: {
+                ...EIP712_DOMAIN,
+                chainId: this.chainId,
+                verifyingContract: this.verifierContractAddress,
+            },
+            types: ATTESTATION_TYPES,
+            primaryType: 'Attestation',
+            message: {
+                user: walletAddress,
+                didHash,
+                deadline,
+            },
+        });
+        // 6. Return structured proof
+        return {
+            didHash,
+            deadline,
+            signature,
+            encode: () => encodeAbiParameters([
+                { name: 'didHash', type: 'bytes32' },
+                { name: 'deadline', type: 'uint256' },
+                { name: 'signature', type: 'bytes' },
+            ], [didHash, deadline, signature]),
+        };
+    }
+}
+//# sourceMappingURL=attestation-signer.js.map

package/dist/discovery/attestation-signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation-signer.js","sourceRoot":"","sources":["../../src/discovery/attestation-signer.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,SAAS,EACT,KAAK,EACL,mBAAmB,EACnB,SAAS,GACZ,MAAM,MAAM,CAAA;AACb,OAAO,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAA;AAEnD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,qBAAqB;AACrB,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CACtC,CAAC,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,EACvB,EAAE,OAAO,EAAE,iCAAiC,EAAE,CACjD,CAAA;AAED,uEAAuE;AACvE,MAAM,aAAa,GAAG;IAClB,IAAI,EAAE,oBAAoB;IAC1B,OAAO,EAAE,GAAG;CACN,CAAA;AAEV,MAAM,iBAAiB,GAAG;IACtB,WAAW,EAAE;QACT,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE;QACjC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE;QACpC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE;KACxC;CACK,CAAA;AAqCV,MAAM,mBAAmB,GAAG,IAAI,CAAA,CAAC,SAAS;AAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,OAAO,iBAAiB;IACT,OAAO,CAAS;IAChB,uBAAuB,CAAe;IACtC,OAAO,CAAQ;IACf,QAAQ,CAAkB;IAC1B,UAAU,CAAQ;IAEnC,YAAY,OAAiC;QACzC,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAA;QAEvD,IAAI,CAAC,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;QACtD,IAAI,CAAC,uBAAuB,GAAG,OAAO,CAAC,uBAAwC,CAAA;QAC/E,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;QAC9B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAA;QAChC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,mBAAmB,CAAA;IAC/D,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB,CAAC,KAAa,EAAE,aAAqB;QACxD,6BAA6B;QAC7B,gBAAgB,CAAC,KAAK,CAAC,aAAa,CAAC,CAAA;QAErC,eAAe;QACf,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QACjD,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;QAC7C,CAAC;QAED,gCAAgC;QAChC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAkB,CAAA;QAEtD,wBAAwB;QACxB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAA;QAExE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;QAC7D,CAAC;QAED,6BAA6B;QAC7B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;YAC/C,MAAM,EAAE;gBACJ,GAAG,aAAa;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,iBAAiB,EAAE,IAAI,CAAC,uBAAuB;aAClD;YACD,KAAK,EAAE,iBAAiB;YACxB,WAAW,EAAE,aAAa;YAC1B,OAAO,EAAE;gBACL,IAAI,EAAE,aAA8B;gBACpC,OAAO;gBACP,QAAQ;aACX;SACJ,CAAC,CAAA;QAEF,6BAA6B;QAC7B,OAAO;YACH,OAAO;YACP,QAAQ;YACR,SAAS;YACT,MAAM,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAC7B;gBACI,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE;gBACpC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE;gBACrC,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE;aACvC,EACD,CAAC,OAAO,EAAE,QAAQ,EAAE,SAA0B,CAAC,CAClD;SACJ,CAAA;IACL,CAAC;CACJ"}

package/dist/index.d.ts

@@ -1,5 +1,6 @@
 export * from './mcp-server.js';
 export * from './discovery/llms-reader.js';
 export * from './discovery/registry-reader.js';
+export * from './discovery/attestation-signer.js';
 export * from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAA;AAC/B,cAAc,4BAA4B,CAAA;AAC1C,cAAc,gCAAgC,CAAA;AAC9C,cAAc,YAAY,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAA;AAC/B,cAAc,4BAA4B,CAAA;AAC1C,cAAc,gCAAgC,CAAA;AAC9C,cAAc,mCAAmC,CAAA;AACjD,cAAc,YAAY,CAAA"}

package/dist/index.js

@@ -1,5 +1,6 @@
 export * from './mcp-server.js';
 export * from './discovery/llms-reader.js';
 export * from './discovery/registry-reader.js';
+export * from './discovery/attestation-signer.js';
 export * from './types.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAA;AAC/B,cAAc,4BAA4B,CAAA;AAC1C,cAAc,gCAAgC,CAAA;AAC9C,cAAc,YAAY,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAA;AAC/B,cAAc,4BAA4B,CAAA;AAC1C,cAAc,gCAAgC,CAAA;AAC9C,cAAc,mCAAmC,CAAA;AACjD,cAAc,YAAY,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swimmingkiim/api-sdk",
-  "version": "0.1.35",
+  "version": "0.1.36",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/swimmingkiim/a2a-project.git"

package/src/discovery/attestation-signer.ts

@@ -0,0 +1,171 @@
+import {
+    keccak256,
+    toHex,
+    encodeAbiParameters,
+    isAddress,
+} from 'viem'
+import { privateKeyToAccount } from 'viem/accounts'
+import type { Account } from 'viem'
+import { z } from 'zod'
+
+// --- Validation ---
+const EthAddressSchema = z.string().refine(
+    (val) => isAddress(val),
+    { message: 'Invalid Ethereum address format' }
+)
+
+// --- EIP-712 Type Definitions (must match CredentialVerifier.sol) ---
+const EIP712_DOMAIN = {
+    name: 'CredentialVerifier',
+    version: '1',
+} as const
+
+const ATTESTATION_TYPES = {
+    Attestation: [
+        { name: 'user', type: 'address' },
+        { name: 'didHash', type: 'bytes32' },
+        { name: 'deadline', type: 'uint256' },
+    ],
+} as const
+
+// --- Types ---
+
+/**
+ * Function signature for VC verification.
+ * Injected by the caller — can be trust-sdk's VCHandler or any custom impl.
+ */
+export type VerifyVCFunction = (vcJwt: string) => Promise<{ valid: boolean; did: string }>
+
+export interface AttestationSignerOptions {
+    /** Hex-encoded secp256k1 private key of the voucher (any registered agent or bootstrap) */
+    privateKey: `0x${string}`
+    /** Address of the deployed CredentialVerifier contract */
+    verifierContractAddress: string
+    /** Chain ID (e.g., 8453 for Base Mainnet) */
+    chainId: number
+    /** Injected VC verification function */
+    verifyVC: VerifyVCFunction
+    /** Attestation validity duration in seconds (default: 3600 = 1 hour) */
+    ttlSeconds?: number
+}
+
+/**
+ * Structured attestation proof ready for on-chain submission.
+ */
+export interface AttestationProof {
+    /** keccak256 hash of the verified DID */
+    didHash: `0x${string}`
+    /** Unix timestamp after which the attestation expires */
+    deadline: bigint
+    /** EIP-712 ECDSA signature */
+    signature: string
+    /** Encodes the proof as ABI-packed bytes for contract submission */
+    encode: () => `0x${string}`
+}
+
+const DEFAULT_TTL_SECONDS = 3600 // 1 hour
+
+/**
+ * Creates EIP-712 signed attestation proofs for the on-chain CredentialVerifier.
+ *
+ * Web of Trust: Any registered agent (or bootstrap voucher) can sign attestations
+ * to vouch for new agents. No single trusted signer required.
+ *
+ * @example
+ * ```ts
+ * import { AttestationSigner } from '@swimmingkiim/api-sdk'
+ * import { VCHandler } from '@swimmingkiim/trust-sdk'
+ *
+ * const vcHandler = new VCHandler()
+ * // Any registered agent's key can be used as voucher
+ * const signer = new AttestationSigner({
+ *     privateKey: process.env.VOUCHER_KEY as `0x${string}`,
+ *     verifierContractAddress: '0x...',
+ *     chainId: 8453,
+ *     verifyVC: async (jwt) => {
+ *         const valid = await vcHandler.verifyCredential(jwt)
+ *         const payload = JSON.parse(atob(jwt.split('.')[1]))
+ *         return { valid, did: payload.iss }
+ *     },
+ * })
+ *
+ * const proof = await signer.createAttestation(vcJwt, walletAddress)
+ * // proof.encode() → bytes for AgentRegistry.register(meta, units, proof.encode())
+ * ```
+ */
+export class AttestationSigner {
+    private readonly account: Account
+    private readonly verifierContractAddress: `0x${string}`
+    private readonly chainId: number
+    private readonly verifyVC: VerifyVCFunction
+    private readonly ttlSeconds: number
+
+    constructor(options: AttestationSignerOptions) {
+        EthAddressSchema.parse(options.verifierContractAddress)
+
+        this.account = privateKeyToAccount(options.privateKey)
+        this.verifierContractAddress = options.verifierContractAddress as `0x${string}`
+        this.chainId = options.chainId
+        this.verifyVC = options.verifyVC
+        this.ttlSeconds = options.ttlSeconds ?? DEFAULT_TTL_SECONDS
+    }
+
+    /**
+     * Verifies a VC JWT and produces a signed attestation proof.
+     *
+     * @param vcJwt - Verifiable Credential JWT string
+     * @param walletAddress - The Ethereum address of the agent being attested
+     * @returns AttestationProof with didHash, deadline, signature, and encode()
+     */
+    async createAttestation(vcJwt: string, walletAddress: string): Promise<AttestationProof> {
+        // 1. Validate wallet address
+        EthAddressSchema.parse(walletAddress)
+
+        // 2. Verify VC
+        const { valid, did } = await this.verifyVC(vcJwt)
+        if (!valid) {
+            throw new Error('VC verification failed')
+        }
+
+        // 3. Hash the DID for nullifier
+        const didHash = keccak256(toHex(did)) as `0x${string}`
+
+        // 4. Calculate deadline
+        const deadline = BigInt(Math.floor(Date.now() / 1000) + this.ttlSeconds)
+
+        if (!this.account.signTypedData) {
+            throw new Error('Account does not support signTypedData')
+        }
+
+        // 5. Sign EIP-712 typed data
+        const signature = await this.account.signTypedData({
+            domain: {
+                ...EIP712_DOMAIN,
+                chainId: this.chainId,
+                verifyingContract: this.verifierContractAddress,
+            },
+            types: ATTESTATION_TYPES,
+            primaryType: 'Attestation',
+            message: {
+                user: walletAddress as `0x${string}`,
+                didHash,
+                deadline,
+            },
+        })
+
+        // 6. Return structured proof
+        return {
+            didHash,
+            deadline,
+            signature,
+            encode: () => encodeAbiParameters(
+                [
+                    { name: 'didHash', type: 'bytes32' },
+                    { name: 'deadline', type: 'uint256' },
+                    { name: 'signature', type: 'bytes' },
+                ],
+                [didHash, deadline, signature as `0x${string}`]
+            ),
+        }
+    }
+}

package/src/index.ts

@@ -1,4 +1,5 @@
 export * from './mcp-server.js'
 export * from './discovery/llms-reader.js'
 export * from './discovery/registry-reader.js'
+export * from './discovery/attestation-signer.js'
 export * from './types.js'

package/test/attestation-signer.test.ts

@@ -0,0 +1,162 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { privateKeyToAccount, generatePrivateKey } from 'viem/accounts'
+import { hashTypedData, recoverAddress, decodeAbiParameters } from 'viem'
+
+// We'll import AttestationSigner after creating it
+import { AttestationSigner } from '../src/discovery/attestation-signer.js'
+import type { AttestationProof } from '../src/discovery/attestation-signer.js'
+
+const TEST_CHAIN_ID = 8453 // Base Mainnet
+const TEST_VERIFIER_ADDRESS = '0x1234567890123456789012345678901234567890'
+const TEST_WALLET = '0xaabbccddee11223344556677889900aabbccddee'
+const TEST_VC_JWT = 'eyJhbGciOiJFZERTQSJ9.eyJzdWIiOiJkaWQ6a2V5Onp0ZXN0In0.c2lnbmF0dXJl'
+const TEST_DID = 'did:key:zTestDID123456789'
+
+describe('AttestationSigner', () => {
+    let signerKey: `0x${string}`
+    let attestationSigner: AttestationSigner
+
+    // Mock VC verifier that always succeeds and returns DID
+    const mockVerifyVC = vi.fn<(vcJwt: string) => Promise<{ valid: boolean; did: string }>>()
+
+    beforeEach(() => {
+        vi.clearAllMocks()
+        signerKey = generatePrivateKey()
+
+        attestationSigner = new AttestationSigner({
+            privateKey: signerKey,
+            verifierContractAddress: TEST_VERIFIER_ADDRESS,
+            chainId: TEST_CHAIN_ID,
+            verifyVC: mockVerifyVC,
+        })
+    })
+
+    describe('createAttestation', () => {
+        it('should produce a valid EIP-712 signed proof', async () => {
+            mockVerifyVC.mockResolvedValueOnce({ valid: true, did: TEST_DID })
+
+            const proof = await attestationSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+
+            // Proof should contain didHash, deadline, and signature
+            expect(proof.didHash).toBeDefined()
+            expect(proof.deadline).toBeGreaterThan(BigInt(Math.floor(Date.now() / 1000)))
+            expect(proof.signature).toBeDefined()
+            expect(proof.signature).toMatch(/^0x[0-9a-f]+$/i)
+        })
+
+        it('should produce a proof whose signer recovers to the correct address', async () => {
+            mockVerifyVC.mockResolvedValueOnce({ valid: true, did: TEST_DID })
+
+            const proof = await attestationSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+            const signerAccount = privateKeyToAccount(signerKey)
+
+            // Reconstruct EIP-712 digest and recover
+            const digest = hashTypedData({
+                domain: {
+                    name: 'CredentialVerifier',
+                    version: '1',
+                    chainId: TEST_CHAIN_ID,
+                    verifyingContract: TEST_VERIFIER_ADDRESS as `0x${string}`,
+                },
+                types: {
+                    Attestation: [
+                        { name: 'user', type: 'address' },
+                        { name: 'didHash', type: 'bytes32' },
+                        { name: 'deadline', type: 'uint256' },
+                    ],
+                },
+                primaryType: 'Attestation',
+                message: {
+                    user: TEST_WALLET as `0x${string}`,
+                    didHash: proof.didHash,
+                    deadline: proof.deadline,
+                },
+            })
+
+            const recovered = await recoverAddress({
+                hash: digest,
+                signature: proof.signature as `0x${string}`,
+            })
+
+            expect(recovered.toLowerCase()).toBe(signerAccount.address.toLowerCase())
+        })
+
+        it('should produce a deterministic didHash from the DID', async () => {
+            mockVerifyVC.mockResolvedValueOnce({ valid: true, did: TEST_DID })
+            const proof1 = await attestationSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+
+            mockVerifyVC.mockResolvedValueOnce({ valid: true, did: TEST_DID })
+            const proof2 = await attestationSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+
+            // Same DID → same didHash
+            expect(proof1.didHash).toBe(proof2.didHash)
+        })
+
+        it('should encode proof as ABI-packed bytes', async () => {
+            mockVerifyVC.mockResolvedValueOnce({ valid: true, did: TEST_DID })
+
+            const proof = await attestationSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+            const encoded = proof.encode()
+
+            // Should be decodable
+            const [didHash, deadline, signature] = decodeAbiParameters(
+                [
+                    { name: 'didHash', type: 'bytes32' },
+                    { name: 'deadline', type: 'uint256' },
+                    { name: 'signature', type: 'bytes' },
+                ],
+                encoded
+            )
+
+            expect(didHash).toBe(proof.didHash)
+            expect(deadline).toBe(proof.deadline)
+            expect(signature).toBe(proof.signature)
+        })
+    })
+
+    describe('VC Verification Failure', () => {
+        it('should throw if VC verification fails', async () => {
+            mockVerifyVC.mockResolvedValueOnce({ valid: false, did: '' })
+
+            await expect(
+                attestationSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+            ).rejects.toThrow('VC verification failed')
+        })
+
+        it('should throw if VC verifier throws', async () => {
+            mockVerifyVC.mockRejectedValueOnce(new Error('Network error'))
+
+            await expect(
+                attestationSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+            ).rejects.toThrow('Network error')
+        })
+    })
+
+    describe('Input Validation', () => {
+        it('should reject an invalid wallet address', async () => {
+            await expect(
+                attestationSigner.createAttestation(TEST_VC_JWT, 'not-an-address')
+            ).rejects.toThrow()
+        })
+    })
+
+    describe('Custom TTL', () => {
+        it('should respect custom ttlSeconds', async () => {
+            const customSigner = new AttestationSigner({
+                privateKey: signerKey,
+                verifierContractAddress: TEST_VERIFIER_ADDRESS,
+                chainId: TEST_CHAIN_ID,
+                verifyVC: mockVerifyVC,
+                ttlSeconds: 60, // 1 minute
+            })
+
+            mockVerifyVC.mockResolvedValueOnce({ valid: true, did: TEST_DID })
+            const proof = await customSigner.createAttestation(TEST_VC_JWT, TEST_WALLET)
+
+            const now = BigInt(Math.floor(Date.now() / 1000))
+            // Deadline should be within 60-65 seconds from now (some tolerance)
+            expect(proof.deadline - now).toBeLessThanOrEqual(65n)
+            expect(proof.deadline - now).toBeGreaterThanOrEqual(55n)
+        })
+    })
+})