@tari-project/ootle-wasm 0.30.1 → 0.31.0

package/ootle_wasm.d.ts

@@ -1,6 +1,33 @@
 /* tslint:disable */
 /* eslint-disable */
 
+/**
+ * Decrypted contents of an inbound stealth UTXO.
+ */
+export class DecryptedOutputResult {
+    private constructor();
+    free(): void;
+    [Symbol.dispose](): void;
+    /**
+     * The 32-byte commitment mask scalar.
+     */
+    mask: Uint8Array;
+    /**
+     * JSON-encoded `Memo` (variants: `U256` / `Message` / `Bytes` / `PayRefAndBytes`), or `null` if
+     * the payload carried no memo or `skipMemo` was set.
+     */
+    get memo_json(): string | undefined;
+    /**
+     * JSON-encoded `Memo` (variants: `U256` / `Message` / `Bytes` / `PayRefAndBytes`), or `null` if
+     * the payload carried no memo or `skipMemo` was set.
+     */
+    set memo_json(value: string | null | undefined);
+    /**
+     * The plaintext value (u64).
+     */
+    value: bigint;
+}
+
 /**
  * A generated keypair (raw bytes).
  */
@@ -76,7 +103,8 @@ export class ParsedOotleAddress {
 }
 
 /**
- * Result of a Schnorr signature operation (raw bytes).
+ * Result of a Schnorr signature operation (raw bytes). Also used for balance proof signatures, which
+ * share the `(public_nonce, signature)` shape.
  */
 export class SchnorrSignatureResult {
     private constructor();
@@ -86,6 +114,24 @@ export class SchnorrSignatureResult {
     signature: Uint8Array;
 }
 
+/**
+ * Result of generating a stealth outputs statement.
+ */
+export class StealthOutputsResult {
+    private constructor();
+    free(): void;
+    [Symbol.dispose](): void;
+    /**
+     * Sum of all witness masks, suitable for use as the `aggregated_output_mask` argument to
+     * `generateStealthBalanceProofSignature`.
+     */
+    aggregated_output_mask: Uint8Array;
+    /**
+     * JSON-serialized `StealthOutputsStatement` (the wire-format payload).
+     */
+    statement_json: string;
+}
+
 /**
  * Add a signer to a transaction (unsigned or unsealed JSON).
  *
@@ -94,11 +140,74 @@ export class SchnorrSignatureResult {
  */
 export function addTransactionSigner(tx_json: string, signer_secret_key: Uint8Array, seal_signer_public_key: Uint8Array): string;
 
+/**
+ * Aggregate the commitment masks of stealth inputs into a single 32-byte Ristretto scalar.
+ *
+ * `masks_concat` is the concatenated bytes of all input masks (32 bytes per mask, so the input
+ * length must be a multiple of 32). Pass an empty array to obtain the zero scalar.
+ *
+ * Returns the sum as 32 bytes, suitable as the `aggregated_input_mask` argument to
+ * `generateStealthBalanceProofSignature`. The output side of the same balance proof is aggregated
+ * automatically by `generateStealthOutputsStatement` (returned as `aggregated_output_mask`).
+ */
+export function aggregateInputMasks(masks_concat: Uint8Array): Uint8Array;
+
 /**
  * BOR-encode a Transaction (JSON string) → base64 string (TransactionEnvelope format).
  */
 export function borEncodeTransaction(transaction_json: string): string;
 
+/**
+ * Build a `StealthInputsStatement` JSON from raw input commitments and a revealed amount.
+ *
+ * `input_commitments` is the concatenated bytes of all 32-byte commitments (so the length must be a
+ * multiple of 32). Pass an empty array for a revealed-only statement.
+ *
+ * This is a convenience helper so callers don't need to hand-craft the wire JSON; the result is used
+ * as the `inputs_statement_json` argument to `generateStealthBalanceProofSignature` and friends.
+ */
+export function buildStealthInputsStatement(input_commitments: Uint8Array, revealed_amount_microtari: bigint): string;
+
+/**
+ * Brute-force decrypt an ElGamal viewable-balance proof to recover the bound value.
+ *
+ * Tries each value in `[min_value, max_value]` (inclusive). Returns `null` (via `Option`) if no
+ * candidate matches. Uses an on-the-fly value lookup — there is no precomputed table dependency, so
+ * callers should keep the range tight (large ranges produce proportional CPU cost).
+ *
+ * `commitment` is the Pedersen commitment the proof is bound to. Both the view public key and the
+ * view secret key are required: the public key is used to re-verify the ZK proof (rejecting tampered
+ * proofs before decrypting), the secret key performs the ElGamal decryption itself.
+ */
+export function decryptElgamalViewableBalance(proof_json: string, commitment: Uint8Array, view_public_key: Uint8Array, view_secret_key: Uint8Array, min_value: bigint, max_value: bigint): bigint | undefined;
+
+/**
+ * Derive the AEAD encryption key for `encrypted_data` from a Diffie-Hellman shared secret: `H(DH(s, P))`.
+ * Sender derives it with `(sender_secret_nonce, recipient_view_pub)`; receiver derives the same key
+ * with `(recipient_view_secret, sender_public_nonce)`.
+ */
+export function encryptedDataDhKdfAead(private_key: Uint8Array, public_key: Uint8Array): Uint8Array;
+
+/**
+ * Generate an ElGamal viewable-balance proof: a zero-knowledge proof that `amount` is the value bound
+ * by `commitment`, encrypted to the resource view-key holder.
+ *
+ * Returns the JSON-encoded `ViewableBalanceProof` (8 × 32-byte fields).
+ */
+export function generateElgamalViewableBalanceProof(mask: Uint8Array, amount: bigint, commitment: Uint8Array, view_public_key: Uint8Array): string;
+
+/**
+ * Generate an extended bulletproof aggregating range proofs for a set of output witnesses, proving
+ * each amount is in `[minimum_value_promise, 2^64)`. The number of witnesses is padded to the next
+ * power of two internally.
+ *
+ * `witnesses_json` is a JSON array of "flat" output witnesses (the `witness` field shape from
+ * [`generate_stealth_outputs_statement`] — without the surrounding `spend_condition` / `tag`).
+ *
+ * Returns the raw range proof bytes (may be empty if the input array is empty).
+ */
+export function generateExtendedBulletProof(witnesses_json: string): Uint8Array;
+
 /**
  * Generate a new random Ristretto keypair.
  * Returns { secret_key: Uint8Array, public_key: Uint8Array }.
@@ -119,6 +228,41 @@ export function generateOotleAddress(owner_public_key: Uint8Array, view_public_k
  */
 export function generateOotleSecretKey(): OotleSecretKey;
 
+/**
+ * Sign the balance proof for a stealth transfer.
+ *
+ * `aggregated_input_mask` and `aggregated_output_mask` are the 32-byte sums of all input / output
+ * commitment masks respectively. Returns a `(public_nonce, signature)` pair (each 32 bytes); the pair
+ * may be all-zeros for revealed-only transfers — callers normally omit the balance proof in that case.
+ */
+export function generateStealthBalanceProofSignature(aggregated_input_mask: Uint8Array, aggregated_output_mask: Uint8Array, inputs_statement_json: string, outputs_statement_json: string): SchnorrSignatureResult;
+
+/**
+ * Generate the output side of a stealth transfer: per-output Pedersen commitments and encrypted data,
+ * optional ElGamal viewable-balance proofs (for outputs with a `resource_view_key`), and an aggregated
+ * bulletproof range proof.
+ *
+ * `witnesses_json` is a JSON array of stealth output witnesses. Each entry has the shape:
+ * ```text
+ * {
+ *   "witness": {
+ *     "amount": <u64>,
+ *     "mask": <hex 32 bytes>,
+ *     "sender_public_nonce": <hex 32 bytes>,
+ *     "minimum_value_promise": <u64>,
+ *     "encrypted_data": <hex variable-length>,
+ *     "resource_view_key": <hex 32 bytes | null>
+ *   },
+ *   "spend_condition": <SpendCondition>,
+ *   "tag": <u32>
+ * }
+ * ```
+ *
+ * Returns the serialized statement plus the aggregated output mask, which the sender feeds to
+ * `generateStealthBalanceProofSignature` together with the aggregated input mask.
+ */
+export function generateStealthOutputsStatement(witnesses_json: string, revealed_output_amount_microtari: bigint): StealthOutputsResult;
+
 /**
  * Hash an UnsignedTransactionV1 (JSON string) for signing.
  * Returns the 64-byte signing message that must be Schnorr-signed.
@@ -162,3 +306,43 @@ export function schnorrSign(secret_key: Uint8Array, message: Uint8Array): Schnor
  * Returns the sealed `Transaction` as a JSON string.
  */
 export function sealTransaction(tx_json: string, seal_signer_secret_key: Uint8Array): string;
+
+/**
+ * Derive the recipient's stealth spending scalar `c + k`, where `c = H(network || k.G * r)`. The
+ * receiver runs this with their account secret key (`private_key`) and the sender-provided public
+ * nonce to obtain the one-time secret that controls the stealth output.
+ *
+ * `network` is the network byte (0x00 = MainNet, 0x10 = LocalNet, 0x26 = Esmeralda, ...).
+ */
+export function stealthDhSecret(network: number, private_key: Uint8Array, public_nonce: Uint8Array): Uint8Array;
+
+/**
+ * Decrypt and verify the AEAD payload of an inbound stealth UTXO.
+ *
+ * `output_commitment` is the 32-byte Pedersen commitment; `encrypted_data` is the variable-length
+ * XChaCha20Poly1305-encrypted blob; `encryption_key` is the 32-byte AEAD key derived via
+ * `encryptedDataDhKdfAead`. Setting `skip_memo` to `true` returns no memo even if the payload carries
+ * one (useful when only the value / mask are needed).
+ *
+ * Throws on AEAD failure or on a commitment mismatch — either indicates the payload was not produced
+ * for this view key.
+ */
+export function unblindOutput(output_commitment: Uint8Array, encrypted_data: Uint8Array, encryption_key: Uint8Array, skip_memo: boolean): DecryptedOutputResult;
+
+/**
+ * Pre-flight check that a balance proof signature is cryptographically valid for the given input /
+ * output statements. Returns `false` on a malformed proof or invalid signature; the engine performs
+ * the authoritative check at submission.
+ */
+export function validateBalanceProofSignature(public_nonce: Uint8Array, signature: Uint8Array, inputs_statement_json: string, outputs_statement_json: string): boolean;
+
+/**
+ * Run the same validation the engine performs on a complete `StealthTransferStatement` envelope:
+ * structural sanity, commitment well-formedness, range and balance-proof verification.
+ *
+ * `view_key` is the 32-byte resource view public key, required for resources with a viewable balance
+ * and rejected otherwise. Pass `null` for resources without a view key.
+ *
+ * Throws on a validation failure; returns successfully on a valid statement.
+ */
+export function validateStealthTransfer(transfer_json: string, view_key?: Uint8Array | null): void;

package/ootle_wasm.js

@@ -5,5 +5,5 @@ import { __wbg_set_wasm } from "./ootle_wasm_bg.js";
 __wbg_set_wasm(wasm);
 wasm.__wbindgen_start();
 export {
-    KeypairResult, OotlePublicKey, OotleSecretKey, ParsedOotleAddress, SchnorrSignatureResult, addTransactionSigner, borEncodeTransaction, generateKeypair, generateOotleAddress, generateOotleSecretKey, hashUnsignedTransaction, on_start, ootlePublicKeyFromSecretKey, parseOotleAddress, publicKeyFromSecretKey, schnorrSign, sealTransaction
+    DecryptedOutputResult, KeypairResult, OotlePublicKey, OotleSecretKey, ParsedOotleAddress, SchnorrSignatureResult, StealthOutputsResult, addTransactionSigner, aggregateInputMasks, borEncodeTransaction, buildStealthInputsStatement, decryptElgamalViewableBalance, encryptedDataDhKdfAead, generateElgamalViewableBalanceProof, generateExtendedBulletProof, generateKeypair, generateOotleAddress, generateOotleSecretKey, generateStealthBalanceProofSignature, generateStealthOutputsStatement, hashUnsignedTransaction, on_start, ootlePublicKeyFromSecretKey, parseOotleAddress, publicKeyFromSecretKey, schnorrSign, sealTransaction, stealthDhSecret, unblindOutput, validateBalanceProofSignature, validateStealthTransfer
 } from "./ootle_wasm_bg.js";

package/ootle_wasm_bg.js

@@ -1,3 +1,85 @@
+/**
+ * Decrypted contents of an inbound stealth UTXO.
+ */
+export class DecryptedOutputResult {
+    static __wrap(ptr) {
+        ptr = ptr >>> 0;
+        const obj = Object.create(DecryptedOutputResult.prototype);
+        obj.__wbg_ptr = ptr;
+        DecryptedOutputResultFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        DecryptedOutputResultFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_decryptedoutputresult_free(ptr, 0);
+    }
+    /**
+     * The 32-byte commitment mask scalar.
+     * @returns {Uint8Array}
+     */
+    get mask() {
+        const ret = wasm.__wbg_get_decryptedoutputresult_mask(this.__wbg_ptr);
+        var v1 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+        wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+        return v1;
+    }
+    /**
+     * JSON-encoded `Memo` (variants: `U256` / `Message` / `Bytes` / `PayRefAndBytes`), or `null` if
+     * the payload carried no memo or `skipMemo` was set.
+     * @returns {string | undefined}
+     */
+    get memo_json() {
+        const ret = wasm.__wbg_get_decryptedoutputresult_memo_json(this.__wbg_ptr);
+        let v1;
+        if (ret[0] !== 0) {
+            v1 = getStringFromWasm0(ret[0], ret[1]).slice();
+            wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+        }
+        return v1;
+    }
+    /**
+     * The plaintext value (u64).
+     * @returns {bigint}
+     */
+    get value() {
+        const ret = wasm.__wbg_get_decryptedoutputresult_value(this.__wbg_ptr);
+        return BigInt.asUintN(64, ret);
+    }
+    /**
+     * The 32-byte commitment mask scalar.
+     * @param {Uint8Array} arg0
+     */
+    set mask(arg0) {
+        const ptr0 = passArray8ToWasm0(arg0, wasm.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_decryptedoutputresult_mask(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * JSON-encoded `Memo` (variants: `U256` / `Message` / `Bytes` / `PayRefAndBytes`), or `null` if
+     * the payload carried no memo or `skipMemo` was set.
+     * @param {string | null} [arg0]
+     */
+    set memo_json(arg0) {
+        var ptr0 = isLikeNone(arg0) ? 0 : passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        var len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_decryptedoutputresult_memo_json(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * The plaintext value (u64).
+     * @param {bigint} arg0
+     */
+    set value(arg0) {
+        wasm.__wbg_set_decryptedoutputresult_value(this.__wbg_ptr, arg0);
+    }
+}
+if (Symbol.dispose) DecryptedOutputResult.prototype[Symbol.dispose] = DecryptedOutputResult.prototype.free;
+
 /**
  * A generated keypair (raw bytes).
  */
@@ -280,7 +362,8 @@ export class ParsedOotleAddress {
 if (Symbol.dispose) ParsedOotleAddress.prototype[Symbol.dispose] = ParsedOotleAddress.prototype.free;
 
 /**
- * Result of a Schnorr signature operation (raw bytes).
+ * Result of a Schnorr signature operation (raw bytes). Also used for balance proof signatures, which
+ * share the `(public_nonce, signature)` shape.
  */
 export class SchnorrSignatureResult {
     static __wrap(ptr) {
@@ -337,6 +420,76 @@ export class SchnorrSignatureResult {
 }
 if (Symbol.dispose) SchnorrSignatureResult.prototype[Symbol.dispose] = SchnorrSignatureResult.prototype.free;
 
+/**
+ * Result of generating a stealth outputs statement.
+ */
+export class StealthOutputsResult {
+    static __wrap(ptr) {
+        ptr = ptr >>> 0;
+        const obj = Object.create(StealthOutputsResult.prototype);
+        obj.__wbg_ptr = ptr;
+        StealthOutputsResultFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        StealthOutputsResultFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_stealthoutputsresult_free(ptr, 0);
+    }
+    /**
+     * Sum of all witness masks, suitable for use as the `aggregated_output_mask` argument to
+     * `generateStealthBalanceProofSignature`.
+     * @returns {Uint8Array}
+     */
+    get aggregated_output_mask() {
+        const ret = wasm.__wbg_get_stealthoutputsresult_aggregated_output_mask(this.__wbg_ptr);
+        var v1 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+        wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+        return v1;
+    }
+    /**
+     * JSON-serialized `StealthOutputsStatement` (the wire-format payload).
+     * @returns {string}
+     */
+    get statement_json() {
+        let deferred1_0;
+        let deferred1_1;
+        try {
+            const ret = wasm.__wbg_get_stealthoutputsresult_statement_json(this.__wbg_ptr);
+            deferred1_0 = ret[0];
+            deferred1_1 = ret[1];
+            return getStringFromWasm0(ret[0], ret[1]);
+        } finally {
+            wasm.__wbindgen_free(deferred1_0, deferred1_1, 1);
+        }
+    }
+    /**
+     * Sum of all witness masks, suitable for use as the `aggregated_output_mask` argument to
+     * `generateStealthBalanceProofSignature`.
+     * @param {Uint8Array} arg0
+     */
+    set aggregated_output_mask(arg0) {
+        const ptr0 = passArray8ToWasm0(arg0, wasm.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_keypairresult_public_key(this.__wbg_ptr, ptr0, len0);
+    }
+    /**
+     * JSON-serialized `StealthOutputsStatement` (the wire-format payload).
+     * @param {string} arg0
+     */
+    set statement_json(arg0) {
+        const ptr0 = passStringToWasm0(arg0, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        wasm.__wbg_set_keypairresult_secret_key(this.__wbg_ptr, ptr0, len0);
+    }
+}
+if (Symbol.dispose) StealthOutputsResult.prototype[Symbol.dispose] = StealthOutputsResult.prototype.free;
+
 /**
  * Add a signer to a transaction (unsigned or unsealed JSON).
  *
@@ -372,6 +525,30 @@ export function addTransactionSigner(tx_json, signer_secret_key, seal_signer_pub
     }
 }
 
+/**
+ * Aggregate the commitment masks of stealth inputs into a single 32-byte Ristretto scalar.
+ *
+ * `masks_concat` is the concatenated bytes of all input masks (32 bytes per mask, so the input
+ * length must be a multiple of 32). Pass an empty array to obtain the zero scalar.
+ *
+ * Returns the sum as 32 bytes, suitable as the `aggregated_input_mask` argument to
+ * `generateStealthBalanceProofSignature`. The output side of the same balance proof is aggregated
+ * automatically by `generateStealthOutputsStatement` (returned as `aggregated_output_mask`).
+ * @param {Uint8Array} masks_concat
+ * @returns {Uint8Array}
+ */
+export function aggregateInputMasks(masks_concat) {
+    const ptr0 = passArray8ToWasm0(masks_concat, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.aggregateInputMasks(ptr0, len0);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v2 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v2;
+}
+
 /**
  * BOR-encode a Transaction (JSON string) → base64 string (TransactionEnvelope format).
  * @param {string} transaction_json
@@ -398,6 +575,155 @@ export function borEncodeTransaction(transaction_json) {
     }
 }
 
+/**
+ * Build a `StealthInputsStatement` JSON from raw input commitments and a revealed amount.
+ *
+ * `input_commitments` is the concatenated bytes of all 32-byte commitments (so the length must be a
+ * multiple of 32). Pass an empty array for a revealed-only statement.
+ *
+ * This is a convenience helper so callers don't need to hand-craft the wire JSON; the result is used
+ * as the `inputs_statement_json` argument to `generateStealthBalanceProofSignature` and friends.
+ * @param {Uint8Array} input_commitments
+ * @param {bigint} revealed_amount_microtari
+ * @returns {string}
+ */
+export function buildStealthInputsStatement(input_commitments, revealed_amount_microtari) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passArray8ToWasm0(input_commitments, wasm.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.buildStealthInputsStatement(ptr0, len0, revealed_amount_microtari);
+        var ptr2 = ret[0];
+        var len2 = ret[1];
+        if (ret[3]) {
+            ptr2 = 0; len2 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred3_0 = ptr2;
+        deferred3_1 = len2;
+        return getStringFromWasm0(ptr2, len2);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+
+/**
+ * Brute-force decrypt an ElGamal viewable-balance proof to recover the bound value.
+ *
+ * Tries each value in `[min_value, max_value]` (inclusive). Returns `null` (via `Option`) if no
+ * candidate matches. Uses an on-the-fly value lookup — there is no precomputed table dependency, so
+ * callers should keep the range tight (large ranges produce proportional CPU cost).
+ *
+ * `commitment` is the Pedersen commitment the proof is bound to. Both the view public key and the
+ * view secret key are required: the public key is used to re-verify the ZK proof (rejecting tampered
+ * proofs before decrypting), the secret key performs the ElGamal decryption itself.
+ * @param {string} proof_json
+ * @param {Uint8Array} commitment
+ * @param {Uint8Array} view_public_key
+ * @param {Uint8Array} view_secret_key
+ * @param {bigint} min_value
+ * @param {bigint} max_value
+ * @returns {bigint | undefined}
+ */
+export function decryptElgamalViewableBalance(proof_json, commitment, view_public_key, view_secret_key, min_value, max_value) {
+    const ptr0 = passStringToWasm0(proof_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(commitment, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passArray8ToWasm0(view_public_key, wasm.__wbindgen_malloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ptr3 = passArray8ToWasm0(view_secret_key, wasm.__wbindgen_malloc);
+    const len3 = WASM_VECTOR_LEN;
+    const ret = wasm.decryptElgamalViewableBalance(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, min_value, max_value);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    return ret[0] === 0 ? undefined : BigInt.asUintN(64, ret[1]);
+}
+
+/**
+ * Derive the AEAD encryption key for `encrypted_data` from a Diffie-Hellman shared secret: `H(DH(s, P))`.
+ * Sender derives it with `(sender_secret_nonce, recipient_view_pub)`; receiver derives the same key
+ * with `(recipient_view_secret, sender_public_nonce)`.
+ * @param {Uint8Array} private_key
+ * @param {Uint8Array} public_key
+ * @returns {Uint8Array}
+ */
+export function encryptedDataDhKdfAead(private_key, public_key) {
+    const ptr0 = passArray8ToWasm0(private_key, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(public_key, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ret = wasm.encryptedDataDhKdfAead(ptr0, len0, ptr1, len1);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v3 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v3;
+}
+
+/**
+ * Generate an ElGamal viewable-balance proof: a zero-knowledge proof that `amount` is the value bound
+ * by `commitment`, encrypted to the resource view-key holder.
+ *
+ * Returns the JSON-encoded `ViewableBalanceProof` (8 × 32-byte fields).
+ * @param {Uint8Array} mask
+ * @param {bigint} amount
+ * @param {Uint8Array} commitment
+ * @param {Uint8Array} view_public_key
+ * @returns {string}
+ */
+export function generateElgamalViewableBalanceProof(mask, amount, commitment, view_public_key) {
+    let deferred5_0;
+    let deferred5_1;
+    try {
+        const ptr0 = passArray8ToWasm0(mask, wasm.__wbindgen_malloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passArray8ToWasm0(commitment, wasm.__wbindgen_malloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ptr2 = passArray8ToWasm0(view_public_key, wasm.__wbindgen_malloc);
+        const len2 = WASM_VECTOR_LEN;
+        const ret = wasm.generateElgamalViewableBalanceProof(ptr0, len0, amount, ptr1, len1, ptr2, len2);
+        var ptr4 = ret[0];
+        var len4 = ret[1];
+        if (ret[3]) {
+            ptr4 = 0; len4 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred5_0 = ptr4;
+        deferred5_1 = len4;
+        return getStringFromWasm0(ptr4, len4);
+    } finally {
+        wasm.__wbindgen_free(deferred5_0, deferred5_1, 1);
+    }
+}
+
+/**
+ * Generate an extended bulletproof aggregating range proofs for a set of output witnesses, proving
+ * each amount is in `[minimum_value_promise, 2^64)`. The number of witnesses is padded to the next
+ * power of two internally.
+ *
+ * `witnesses_json` is a JSON array of "flat" output witnesses (the `witness` field shape from
+ * [`generate_stealth_outputs_statement`] — without the surrounding `spend_condition` / `tag`).
+ *
+ * Returns the raw range proof bytes (may be empty if the input array is empty).
+ * @param {string} witnesses_json
+ * @returns {Uint8Array}
+ */
+export function generateExtendedBulletProof(witnesses_json) {
+    const ptr0 = passStringToWasm0(witnesses_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.generateExtendedBulletProof(ptr0, len0);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v2 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v2;
+}
+
 /**
  * Generate a new random Ristretto keypair.
  * Returns { secret_key: Uint8Array, public_key: Uint8Array }.
@@ -454,6 +780,71 @@ export function generateOotleSecretKey() {
     return OotleSecretKey.__wrap(ret);
 }
 
+/**
+ * Sign the balance proof for a stealth transfer.
+ *
+ * `aggregated_input_mask` and `aggregated_output_mask` are the 32-byte sums of all input / output
+ * commitment masks respectively. Returns a `(public_nonce, signature)` pair (each 32 bytes); the pair
+ * may be all-zeros for revealed-only transfers — callers normally omit the balance proof in that case.
+ * @param {Uint8Array} aggregated_input_mask
+ * @param {Uint8Array} aggregated_output_mask
+ * @param {string} inputs_statement_json
+ * @param {string} outputs_statement_json
+ * @returns {SchnorrSignatureResult}
+ */
+export function generateStealthBalanceProofSignature(aggregated_input_mask, aggregated_output_mask, inputs_statement_json, outputs_statement_json) {
+    const ptr0 = passArray8ToWasm0(aggregated_input_mask, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(aggregated_output_mask, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(inputs_statement_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ptr3 = passStringToWasm0(outputs_statement_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len3 = WASM_VECTOR_LEN;
+    const ret = wasm.generateStealthBalanceProofSignature(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return SchnorrSignatureResult.__wrap(ret[0]);
+}
+
+/**
+ * Generate the output side of a stealth transfer: per-output Pedersen commitments and encrypted data,
+ * optional ElGamal viewable-balance proofs (for outputs with a `resource_view_key`), and an aggregated
+ * bulletproof range proof.
+ *
+ * `witnesses_json` is a JSON array of stealth output witnesses. Each entry has the shape:
+ * ```text
+ * {
+ *   "witness": {
+ *     "amount": <u64>,
+ *     "mask": <hex 32 bytes>,
+ *     "sender_public_nonce": <hex 32 bytes>,
+ *     "minimum_value_promise": <u64>,
+ *     "encrypted_data": <hex variable-length>,
+ *     "resource_view_key": <hex 32 bytes | null>
+ *   },
+ *   "spend_condition": <SpendCondition>,
+ *   "tag": <u32>
+ * }
+ * ```
+ *
+ * Returns the serialized statement plus the aggregated output mask, which the sender feeds to
+ * `generateStealthBalanceProofSignature` together with the aggregated input mask.
+ * @param {string} witnesses_json
+ * @param {bigint} revealed_output_amount_microtari
+ * @returns {StealthOutputsResult}
+ */
+export function generateStealthOutputsStatement(witnesses_json, revealed_output_amount_microtari) {
+    const ptr0 = passStringToWasm0(witnesses_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.generateStealthOutputsStatement(ptr0, len0, revealed_output_amount_microtari);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return StealthOutputsResult.__wrap(ret[0]);
+}
+
 /**
  * Hash an UnsignedTransactionV1 (JSON string) for signing.
  * Returns the 64-byte signing message that must be Schnorr-signed.
@@ -586,113 +977,119 @@ export function sealTransaction(tx_json, seal_signer_secret_key) {
         wasm.__wbindgen_free(deferred4_0, deferred4_1, 1);
     }
 }
-export function __wbg_Error_8c4e43fe74559d73(arg0, arg1) {
-    const ret = Error(getStringFromWasm0(arg0, arg1));
-    return ret;
+
+/**
+ * Derive the recipient's stealth spending scalar `c + k`, where `c = H(network || k.G * r)`. The
+ * receiver runs this with their account secret key (`private_key`) and the sender-provided public
+ * nonce to obtain the one-time secret that controls the stealth output.
+ *
+ * `network` is the network byte (0x00 = MainNet, 0x10 = LocalNet, 0x26 = Esmeralda, ...).
+ * @param {number} network
+ * @param {Uint8Array} private_key
+ * @param {Uint8Array} public_nonce
+ * @returns {Uint8Array}
+ */
+export function stealthDhSecret(network, private_key, public_nonce) {
+    const ptr0 = passArray8ToWasm0(private_key, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(public_nonce, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ret = wasm.stealthDhSecret(network, ptr0, len0, ptr1, len1);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v3 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v3;
 }
-export function __wbg___wbindgen_is_function_0095a73b8b156f76(arg0) {
-    const ret = typeof(arg0) === 'function';
-    return ret;
+
+/**
+ * Decrypt and verify the AEAD payload of an inbound stealth UTXO.
+ *
+ * `output_commitment` is the 32-byte Pedersen commitment; `encrypted_data` is the variable-length
+ * XChaCha20Poly1305-encrypted blob; `encryption_key` is the 32-byte AEAD key derived via
+ * `encryptedDataDhKdfAead`. Setting `skip_memo` to `true` returns no memo even if the payload carries
+ * one (useful when only the value / mask are needed).
+ *
+ * Throws on AEAD failure or on a commitment mismatch — either indicates the payload was not produced
+ * for this view key.
+ * @param {Uint8Array} output_commitment
+ * @param {Uint8Array} encrypted_data
+ * @param {Uint8Array} encryption_key
+ * @param {boolean} skip_memo
+ * @returns {DecryptedOutputResult}
+ */
+export function unblindOutput(output_commitment, encrypted_data, encryption_key, skip_memo) {
+    const ptr0 = passArray8ToWasm0(output_commitment, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(encrypted_data, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passArray8ToWasm0(encryption_key, wasm.__wbindgen_malloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.unblindOutput(ptr0, len0, ptr1, len1, ptr2, len2, skip_memo);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return DecryptedOutputResult.__wrap(ret[0]);
 }
-export function __wbg___wbindgen_is_object_5ae8e5880f2c1fbd(arg0) {
-    const val = arg0;
-    const ret = typeof(val) === 'object' && val !== null;
-    return ret;
+
+/**
+ * Pre-flight check that a balance proof signature is cryptographically valid for the given input /
+ * output statements. Returns `false` on a malformed proof or invalid signature; the engine performs
+ * the authoritative check at submission.
+ * @param {Uint8Array} public_nonce
+ * @param {Uint8Array} signature
+ * @param {string} inputs_statement_json
+ * @param {string} outputs_statement_json
+ * @returns {boolean}
+ */
+export function validateBalanceProofSignature(public_nonce, signature, inputs_statement_json, outputs_statement_json) {
+    const ptr0 = passArray8ToWasm0(public_nonce, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passArray8ToWasm0(signature, wasm.__wbindgen_malloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(inputs_statement_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ptr3 = passStringToWasm0(outputs_statement_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len3 = WASM_VECTOR_LEN;
+    const ret = wasm.validateBalanceProofSignature(ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3);
+    if (ret[2]) {
+        throw takeFromExternrefTable0(ret[1]);
+    }
+    return ret[0] !== 0;
 }
-export function __wbg___wbindgen_is_string_cd444516edc5b180(arg0) {
-    const ret = typeof(arg0) === 'string';
-    return ret;
+
+/**
+ * Run the same validation the engine performs on a complete `StealthTransferStatement` envelope:
+ * structural sanity, commitment well-formedness, range and balance-proof verification.
+ *
+ * `view_key` is the 32-byte resource view public key, required for resources with a viewable balance
+ * and rejected otherwise. Pass `null` for resources without a view key.
+ *
+ * Throws on a validation failure; returns successfully on a valid statement.
+ * @param {string} transfer_json
+ * @param {Uint8Array | null} [view_key]
+ */
+export function validateStealthTransfer(transfer_json, view_key) {
+    const ptr0 = passStringToWasm0(transfer_json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    var ptr1 = isLikeNone(view_key) ? 0 : passArray8ToWasm0(view_key, wasm.__wbindgen_malloc);
+    var len1 = WASM_VECTOR_LEN;
+    const ret = wasm.validateStealthTransfer(ptr0, len0, ptr1, len1);
+    if (ret[1]) {
+        throw takeFromExternrefTable0(ret[0]);
+    }
 }
-export function __wbg___wbindgen_is_undefined_9e4d92534c42d778(arg0) {
-    const ret = arg0 === undefined;
+export function __wbg_Error_8c4e43fe74559d73(arg0, arg1) {
+    const ret = Error(getStringFromWasm0(arg0, arg1));
     return ret;
 }
 export function __wbg___wbindgen_throw_be289d5034ed271b(arg0, arg1) {
     throw new Error(getStringFromWasm0(arg0, arg1));
 }
-export function __wbg_call_389efe28435a9388() { return handleError(function (arg0, arg1) {
-    const ret = arg0.call(arg1);
-    return ret;
-}, arguments); }
-export function __wbg_call_4708e0c13bdc8e95() { return handleError(function (arg0, arg1, arg2) {
-    const ret = arg0.call(arg1, arg2);
-    return ret;
-}, arguments); }
-export function __wbg_crypto_86f2631e91b51511(arg0) {
-    const ret = arg0.crypto;
-    return ret;
-}
-export function __wbg_getRandomValues_b3f15fcbfabb0f8b() { return handleError(function (arg0, arg1) {
-    arg0.getRandomValues(arg1);
-}, arguments); }
-export function __wbg_length_32ed9a279acd054c(arg0) {
-    const ret = arg0.length;
-    return ret;
-}
-export function __wbg_msCrypto_d562bbe83e0d4b91(arg0) {
-    const ret = arg0.msCrypto;
-    return ret;
-}
-export function __wbg_new_no_args_1c7c842f08d00ebb(arg0, arg1) {
-    const ret = new Function(getStringFromWasm0(arg0, arg1));
-    return ret;
-}
-export function __wbg_new_with_length_a2c39cbe88fd8ff1(arg0) {
-    const ret = new Uint8Array(arg0 >>> 0);
-    return ret;
-}
-export function __wbg_node_e1f24f89a7336c2e(arg0) {
-    const ret = arg0.node;
-    return ret;
-}
-export function __wbg_process_3975fd6c72f520aa(arg0) {
-    const ret = arg0.process;
-    return ret;
-}
-export function __wbg_prototypesetcall_bdcdcc5842e4d77d(arg0, arg1, arg2) {
-    Uint8Array.prototype.set.call(getArrayU8FromWasm0(arg0, arg1), arg2);
-}
-export function __wbg_randomFillSync_f8c153b79f285817() { return handleError(function (arg0, arg1) {
-    arg0.randomFillSync(arg1);
+export function __wbg_getRandomValues_e9de607763a970bd() { return handleError(function (arg0, arg1) {
+    globalThis.crypto.getRandomValues(getArrayU8FromWasm0(arg0, arg1));
 }, arguments); }
-export function __wbg_require_b74f47fc2d022fd6() { return handleError(function () {
-    const ret = module.require;
-    return ret;
-}, arguments); }
-export function __wbg_static_accessor_GLOBAL_12837167ad935116() {
-    const ret = typeof global === 'undefined' ? null : global;
-    return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
-}
-export function __wbg_static_accessor_GLOBAL_THIS_e628e89ab3b1c95f() {
-    const ret = typeof globalThis === 'undefined' ? null : globalThis;
-    return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
-}
-export function __wbg_static_accessor_SELF_a621d3dfbb60d0ce() {
-    const ret = typeof self === 'undefined' ? null : self;
-    return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
-}
-export function __wbg_static_accessor_WINDOW_f8727f0cf888e0bd() {
-    const ret = typeof window === 'undefined' ? null : window;
-    return isLikeNone(ret) ? 0 : addToExternrefTable0(ret);
-}
-export function __wbg_subarray_a96e1fef17ed23cb(arg0, arg1, arg2) {
-    const ret = arg0.subarray(arg1 >>> 0, arg2 >>> 0);
-    return ret;
-}
-export function __wbg_versions_4e31226f5e8dc909(arg0) {
-    const ret = arg0.versions;
-    return ret;
-}
-export function __wbindgen_cast_0000000000000001(arg0, arg1) {
-    // Cast intrinsic for `Ref(Slice(U8)) -> NamedExternref("Uint8Array")`.
-    const ret = getArrayU8FromWasm0(arg0, arg1);
-    return ret;
-}
-export function __wbindgen_cast_0000000000000002(arg0, arg1) {
-    // Cast intrinsic for `Ref(String) -> Externref`.
-    const ret = getStringFromWasm0(arg0, arg1);
-    return ret;
-}
 export function __wbindgen_init_externref_table() {
     const table = wasm.__wbindgen_externrefs;
     const offset = table.grow(4);
@@ -702,6 +1099,9 @@ export function __wbindgen_init_externref_table() {
     table.set(offset + 2, true);
     table.set(offset + 3, false);
 }
+const DecryptedOutputResultFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_decryptedoutputresult_free(ptr >>> 0, 1));
 const KeypairResultFinalization = (typeof FinalizationRegistry === 'undefined')
     ? { register: () => {}, unregister: () => {} }
     : new FinalizationRegistry(ptr => wasm.__wbg_keypairresult_free(ptr >>> 0, 1));
@@ -717,6 +1117,9 @@ const ParsedOotleAddressFinalization = (typeof FinalizationRegistry === 'undefin
 const SchnorrSignatureResultFinalization = (typeof FinalizationRegistry === 'undefined')
     ? { register: () => {}, unregister: () => {} }
     : new FinalizationRegistry(ptr => wasm.__wbg_schnorrsignatureresult_free(ptr >>> 0, 1));
+const StealthOutputsResultFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_stealthoutputsresult_free(ptr >>> 0, 1));
 
 function addToExternrefTable0(obj) {
     const idx = wasm.__externref_table_alloc();

package/package.json

@@ -5,7 +5,7 @@
     "The Tari Development Community"
   ],
   "description": "WASM bindings for Tari Ootle client-side crypto — thin wasm-bindgen shell over ootle-wasm-core",
-  "version": "0.30.1",
+  "version": "0.31.0",
   "license": "BSD-3-Clause",
   "repository": {
     "type": "git",
@@ -27,4 +27,4 @@
   "publishConfig": {
     "access": "public"
   }
-}
+}

package/LICENSE

@@ -1,29 +0,0 @@
-BSD 3-Clause License
-
-Copyright (c) 2019, The Tari Developer Community
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-1. Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-   contributors may be used to endorse or promote products derived from
-   this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.