@twin.org/dlt-iota 0.0.3-next.9 → 0.9.0

package/dist/types/iota.d.ts

@@ -8,6 +8,7 @@ import type { IIotaDryRun } from "./models/IIotaDryRun.js";
 import type { IIotaResponseOptions } from "./models/IIotaResponseOptions.js";
 import type { IIotaTransaction } from "./models/IIotaTransaction.js";
 import type { IIotaTransactionBlockResponse } from "./models/IIotaTransactionBlockResponse.js";
+import { VaultTransactionSigner } from "./vaultTransactionSigner.js";
 /**
  * Class for performing operations on IOTA.
  */
@@ -39,30 +40,55 @@ export declare class Iota {
      * @param config The configuration to populate.
      */
     static populateConfig(config: IIotaConfig): void;
+    /**
+     * Store a mnemonic in the vault, derive and store the seed, and pre-cache the first keypair chunk.
+     * @param vaultConnector The vault connector.
+     * @param config The configuration.
+     * @param identity The identity of the user to access the vault keys.
+     * @param mnemonic The mnemonic to store, if undefined a new one will be generated and returned.
+     * @param accountIndex The account index to pre-cache.
+     * @returns The mnemonic that was stored.
+     */
+    static storeMnemonic(vaultConnector: IVaultConnector, config: IIotaConfig, identity: string, mnemonic: string | undefined, accountIndex: number): Promise<string>;
+    /**
+     * Derive an address from a public key.
+     * @param publicKey The public key to derive the address from.
+     * @returns The derived address.
+     */
+    static publicKeyToAddress(publicKey: Uint8Array): string;
+    /**
+     * Get address for the identity.
+     * @param vaultConnector The vault connector.
+     * @param config The configuration.
+     * @param identity The identity of the user to access the vault keys.
+     * @param accountIndex The account index to get the addresses for.
+     * @param startAddressIndex The start index for the addresses.
+     * @param isInternal Whether the addresses are internal.
+     * @returns The address.
+     */
+    static getAddress(vaultConnector: IVaultConnector, config: Pick<IIotaConfig, "coinType" | "vaultMnemonicId" | "vaultSeedId">, identity: string, accountIndex: number, startAddressIndex: number, isInternal?: boolean): Promise<string>;
     /**
      * Get addresses for the identity.
-     * @param seed The seed to use for generating addresses.
-     * @param coinType The coin type to use.
+     * @param vaultConnector The vault connector.
+     * @param config The configuration.
+     * @param identity The identity of the user to access the vault keys.
      * @param accountIndex The account index to get the addresses for.
      * @param startAddressIndex The start index for the addresses.
      * @param count The number of addresses to generate.
      * @param isInternal Whether the addresses are internal.
      * @returns The list of addresses.
      */
-    static getAddresses(seed: Uint8Array, coinType: number, accountIndex: number, startAddressIndex: number, count: number, isInternal?: boolean): string[];
+    static getAddresses(vaultConnector: IVaultConnector, config: Pick<IIotaConfig, "coinType" | "vaultMnemonicId" | "vaultSeedId">, identity: string, accountIndex: number, startAddressIndex: number, count: number, isInternal?: boolean): Promise<string[]>;
     /**
-     * Get a key pair for the specified index.
-     * @param seed The seed to use for generating the key pair.
-     * @param coinType The coin type to use.
-     * @param accountIndex The account index to get the key pair for.
-     * @param addressIndex The address index to get the key pair for.
-     * @param isInternal Whether the address is internal.
-     * @returns The key pair containing private key and public key.
+     * Get a vault-backed transaction signer for the given identity and key indices.
+     * @param vaultConnector The vault connector.
+     * @param config The configuration.
+     * @param identity The identity of the user to access the vault keys.
+     * @param accountIndex The account index.
+     * @param addressIndex The address index within the account.
+     * @returns A VaultTransactionSigner for the specified key.
      */
-    static getKeyPair(seed: Uint8Array, coinType: number, accountIndex: number, addressIndex: number, isInternal?: boolean): {
-        privateKey: Uint8Array;
-        publicKey: Uint8Array;
-    };
+    static getTransactionSigner(vaultConnector: IVaultConnector, config: IIotaConfig, identity: string, accountIndex: number, addressIndex: number): Promise<VaultTransactionSigner>;
     /**
      * Create a new transaction instance.
      * @returns A new transaction instance.
@@ -95,28 +121,6 @@ export declare class Iota {
      * @returns The transaction response.
      */
     static prepareAndPostTransaction(config: IIotaConfig, vaultConnector: IVaultConnector, logging: ILoggingComponent | undefined, identity: string, client: IIotaClient, owner: string, transaction: IIotaTransaction, options?: IIotaResponseOptions): Promise<IIotaTransactionBlockResponse>;
-    /**
-     * Get the seed from the vault.
-     * @param config The configuration to use.
-     * @param vaultConnector The vault connector to use.
-     * @param identity The identity of the user to access the vault keys.
-     * @returns The seed.
-     */
-    static getSeed(config: IIotaConfig, vaultConnector: IVaultConnector, identity: string): Promise<Uint8Array>;
-    /**
-     * Find the address in the seed.
-     * @param maxScanRange The maximum range to scan.
-     * @param coinType The coin type to use.
-     * @param seed The seed to use.
-     * @param address The address to find.
-     * @returns The address key pair.
-     * @throws Error if the address is not found.
-     */
-    static findAddress(maxScanRange: number, coinType: number, seed: Uint8Array, address: string): {
-        address: string;
-        privateKey: Uint8Array;
-        publicKey: Uint8Array;
-    };
     /**
      * Extract error from SDK payload.
      * Errors from the IOTA SDK are usually not JSON strings but objects.
@@ -124,20 +128,6 @@ export declare class Iota {
      * @returns The extracted error.
      */
     static extractPayloadError(error: unknown): IError;
-    /**
-     * Get the key for storing the mnemonic.
-     * @param identity The identity to use.
-     * @param vaultMnemonicId The mnemonic ID to use.
-     * @returns The mnemonic key.
-     */
-    static buildMnemonicKey(identity: string, vaultMnemonicId?: string): string;
-    /**
-     * Get the key for storing the seed.
-     * @param identity The identity to use.
-     * @param vaultSeedId The seed ID to use.
-     * @returns The seed key.
-     */
-    static buildSeedKey(identity: string, vaultSeedId?: string): string;
     /**
      * Check if the package exists on the network.
      * @param client The client to use.
@@ -152,7 +142,7 @@ export declare class Iota {
      * @param txb The transaction to dry run.
      * @param sender The sender address.
      * @param operation The operation to log.
-     * @returns void.
+     * @returns The dry run result including status, costs, events, and object changes.
      */
     static dryRunTransaction(client: IIotaClient, logging: ILoggingComponent | undefined, txb: IIotaTransaction, sender: string, operation: string): Promise<IIotaDryRun>;
     /**
@@ -178,6 +168,12 @@ export declare class Iota {
      * @returns True if the error is an abort error, false otherwise.
      */
     static isAbortError(error: unknown, code: number): boolean;
+    /**
+     * Extracts the abort code from a transaction result if the transaction was aborted.
+     * @param response The transaction result to extract the abort code from.
+     * @returns The abort code if the transaction was aborted, or undefined if it was not an abort error or the code could not be extracted.
+     */
+    static extractAbortCode(response: IIotaTransactionBlockResponse): number | undefined;
     /**
      * Prepare and post a transaction using gas station sponsoring.
      * @param config The configuration.
@@ -193,10 +189,9 @@ export declare class Iota {
     /**
      * Reserve gas from the gas station.
      * @param config The configuration containing gas station settings.
-     * @param gasBudget The gas budget to reserve.
      * @returns The gas reservation result.
      */
-    static reserveGas(config: IIotaConfig, gasBudget: number): Promise<IGasReservationResult>;
+    static reserveGas(config: IIotaConfig): Promise<IGasReservationResult>;
     /**
      * Execute a sponsored transaction through the gas station.
      * @param config The configuration containing gas station settings.
@@ -217,4 +212,38 @@ export declare class Iota {
      * @returns The transaction response (confirmed if waitForConfirmation is true).
      */
     static executeAndConfirmGasStationTransaction(config: IIotaConfig, client: IIotaClient, reservationId: number, transactionBytes: Uint8Array, userSignature: string, options?: IIotaResponseOptions): Promise<IIotaTransactionBlockResponse>;
+    /**
+     * Fund an address with IOTA from the faucet.
+     * @param config The configuration containing endpoint information.
+     * @param faucetUrl The URL of the faucet to request funds from.
+     * @param identity The identity of the user to access the vault keys.
+     * @param address The address to fund.
+     * @param timeoutInSeconds The timeout in seconds to wait for the funding to complete.
+     * @returns The amount funded.
+     */
+    static fundAddress(config: IIotaConfig, faucetUrl: string, identity: string, address: string, timeoutInSeconds?: number): Promise<bigint>;
+    /**
+     * Ensure the balance for the given address is at least the given amount.
+     * @param config The configuration containing endpoint information.
+     * @param faucetUrl The URL of the faucet to request funds from.
+     * @param identity The identity of the user to access the vault keys.
+     * @param address The address to ensure the balance for.
+     * @param ensureBalance The minimum balance to ensure.
+     * @param timeoutInSeconds Optional timeout in seconds, defaults to 10 seconds.
+     * @returns True if the balance is at least the given amount, false otherwise.
+     */
+    static ensureBalance(config: IIotaConfig, faucetUrl: string | undefined, identity: string, address: string, ensureBalance: bigint, timeoutInSeconds?: number): Promise<boolean>;
+    /**
+     * Get the balance for the given address.
+     * @param config The configuration containing endpoint information.
+     * @param address The address to get the balance for.
+     * @returns The balance of the given address.
+     */
+    static getBalance(config: IIotaConfig, address: string): Promise<bigint>;
+    /**
+     * Create a transaction instance from the given bytes.
+     * @param bytes The transaction bytes to create the transaction from.
+     * @returns The transaction instance created from the given bytes.
+     */
+    static transactionFromBytes(bytes: Uint8Array): IIotaTransaction;
 }

package/dist/types/iotaIdentityUtils.d.ts

@@ -1,8 +1,7 @@
 import type { IIotaClient } from "./models/IIotaClient.js";
 import type { IIotaControllerCapInfo } from "./models/IIotaControllerCapInfo.js";
 /**
- * Utility class for resolving IOTA Identity on-chain objects required by
- * the NFT mint_with_identity() Move contract function.
+ * Utility class for resolving IOTA Identity on-chain objects and controller tokens.
  */
 export declare class IotaIdentityUtils {
     /**
@@ -10,8 +9,7 @@ export declare class IotaIdentityUtils {
      */
     static readonly CLASS_NAME: string;
     /**
-     * Resolve the on-chain object IDs for an identity and its controller token.
-     * Returns the IDs needed to call mint_with_identity() on the NFT Move contract.
+     * Resolves the on-chain object IDs for an identity and its controller token.
      * @param identityId The DID of the identity (e.g. "did:iota:testnet:0x...").
      * @param controllerAddress The on-chain address of the controller wallet.
      * @param client The IOTA client instance.

package/dist/types/iotaSmartContractUtils.d.ts

@@ -1,12 +1,10 @@
 import type { IotaClient } from "@iota/iota-sdk/client";
 import type { ILoggingComponent } from "@twin.org/logging-models";
 import type { IVaultConnector } from "@twin.org/vault-models";
-import type { IWalletConnector } from "@twin.org/wallet-models";
 import type { IIotaConfig } from "./models/IIotaConfig.js";
 import type { ISmartContractDeployments } from "./models/ISmartContractDeployments.js";
 /**
  * Utility class providing common smart contract operations for IOTA-based contracts.
- * This class uses composition pattern to provide shared functionality without inheritance complexity.
  */
 export declare class IotaSmartContractUtils {
     /**
@@ -19,7 +17,6 @@ export declare class IotaSmartContractUtils {
      * @param config The IOTA configuration.
      * @param client The IOTA client instance.
      * @param vaultConnector The vault connector for key management.
-     * @param walletConnector The wallet connector for address generation.
      * @param logging Optional logging component.
      * @param gasBudget The gas budget for the transaction.
      * @param identity The identity of the controller with admin privileges.
@@ -27,79 +24,83 @@ export declare class IotaSmartContractUtils {
      * @param namespace The contract namespace (e.g., "nft", "verifiable_storage").
      * @param packageId The deployed package ID for the contract.
      * @param deploymentConfig The deployment configuration containing object IDs.
+     * @param accountAddressIndex Optional account address index for the controller.
      * @param walletAddressIndex Optional wallet address index for the controller.
      * @returns Promise that resolves when migration is complete.
      */
-    static migrateSmartContract(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, walletConnector: IWalletConnector, logging: ILoggingComponent | undefined, gasBudget: number, identity: string, objectId: string, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, walletAddressIndex?: number): Promise<void>;
+    static migrateSmartContract(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, logging: ILoggingComponent | undefined, gasBudget: number, identity: string, objectId: string, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, accountAddressIndex?: number, walletAddressIndex?: number): Promise<void>;
     /**
      * Enable migration operations using admin privileges.
      * @param config The IOTA configuration.
      * @param client The IOTA client instance.
      * @param vaultConnector The vault connector for key management.
-     * @param walletConnector The wallet connector for address generation.
      * @param logging Optional logging component.
      * @param gasBudget The gas budget for the transaction.
      * @param identity The identity of the controller with admin privileges.
      * @param namespace The contract namespace (e.g., "nft", "verifiable_storage").
      * @param packageId The deployed package ID for the contract.
      * @param deploymentConfig The deployment configuration containing object IDs.
+     * @param accountAddressIndex Optional account address index for the controller.
      * @param walletAddressIndex Optional wallet address index for the controller.
      * @returns Promise that resolves when migration is enabled.
      */
-    static enableMigration(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, walletConnector: IWalletConnector, logging: ILoggingComponent | undefined, gasBudget: number, identity: string, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, walletAddressIndex?: number): Promise<void>;
+    static enableMigration(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, logging: ILoggingComponent | undefined, gasBudget: number, identity: string, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, accountAddressIndex?: number, walletAddressIndex?: number): Promise<void>;
     /**
      * Disable migration operations using admin privileges.
      * @param config The IOTA configuration.
      * @param client The IOTA client instance.
      * @param vaultConnector The vault connector for key management.
-     * @param walletConnector The wallet connector for address generation.
      * @param logging Optional logging component.
      * @param gasBudget The gas budget for the transaction.
      * @param identity The identity of the controller with admin privileges.
      * @param namespace The contract namespace (e.g., "nft", "verifiable_storage").
      * @param packageId The deployed package ID for the contract.
      * @param deploymentConfig The deployment configuration containing object IDs.
+     * @param accountAddressIndex Optional account address index for the controller.
      * @param walletAddressIndex Optional wallet address index for the controller.
      * @returns Promise that resolves when migration is disabled.
      */
-    static disableMigration(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, walletConnector: IWalletConnector, logging: ILoggingComponent | undefined, gasBudget: number, identity: string, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, walletAddressIndex?: number): Promise<void>;
+    static disableMigration(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, logging: ILoggingComponent | undefined, gasBudget: number, identity: string, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, accountAddressIndex?: number, walletAddressIndex?: number): Promise<void>;
     /**
      * Check if migration is currently active for a smart contract.
      * @param config The IOTA configuration.
      * @param client The IOTA client instance.
+     * @param vaultConnector The vault connector for key management.
      * @param namespace The contract namespace (e.g., "nft", "verifiable_storage").
      * @param packageId The deployed package ID for the contract.
      * @param deploymentConfig The deployment configuration containing object IDs.
      * @param identity The identity for MigrationState discovery.
-     * @param walletConnector The wallet connector for address generation.
-     * @param walletAddressIndex Optional wallet address index.
+     * @param accountAddressIndex Optional account address index for the controller.
+     * @param walletAddressIndex Optional wallet address index for the controller.
      * @returns True if migration is enabled, false otherwise.
      */
-    static isMigrationActive(config: IIotaConfig, client: IotaClient, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, identity: string, walletConnector: IWalletConnector, walletAddressIndex?: number): Promise<boolean>;
+    static isMigrationActive(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, namespace: string, packageId: string, deploymentConfig: ISmartContractDeployments, identity: string, accountAddressIndex?: number, walletAddressIndex?: number): Promise<boolean>;
     /**
      * Get the current contract version from the deployed smart contract.
      * @param config The IOTA configuration.
      * @param client The IOTA client instance.
+     * @param vaultConnector The vault connector for key management.
      * @param namespace The contract namespace (e.g., "nft", "verifiable_storage").
      * @param packageId The deployed package ID for the contract.
      * @param identity The identity for package controller address.
-     * @param walletConnector The wallet connector for address generation.
-     * @param walletAddressIndex Optional wallet address index.
+     * @param accountAddressIndex Optional account address index for the controller.
+     * @param walletAddressIndex Optional wallet address index for the controller.
      * @returns The current version number of the contract.
      */
-    static getCurrentContractVersion(config: IIotaConfig, client: IotaClient, namespace: string, packageId: string, identity: string, walletConnector: IWalletConnector, walletAddressIndex?: number): Promise<number>;
+    static getCurrentContractVersion(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, namespace: string, packageId: string, identity: string, accountAddressIndex?: number, walletAddressIndex?: number): Promise<number>;
     /**
      * Validate that an object version is compatible with the current contract.
      * @param config The IOTA configuration.
      * @param client The IOTA client instance.
+     * @param vaultConnector The vault connector for key management.
      * @param namespace The contract namespace (e.g., "nft", "verifiable_storage").
      * @param packageId The deployed package ID for the contract.
      * @param identity The identity for version checking.
      * @param objectId The object ID to validate.
-     * @param walletConnector The wallet connector for address generation.
      * @param versionExtractor Function to extract version from object content.
-     * @param walletAddressIndex Optional wallet address index.
+     * @param accountAddressIndex Optional account address index for the controller.
+     * @param walletAddressIndex Optional wallet address index for the controller.
      * @returns True if the object version is compatible, false otherwise.
      */
-    static validateObjectVersion<T>(config: IIotaConfig, client: IotaClient, namespace: string, packageId: string, identity: string, objectId: string, walletConnector: IWalletConnector, versionExtractor: (content: T) => number, walletAddressIndex?: number): Promise<boolean>;
+    static validateObjectVersion<T>(config: IIotaConfig, client: IotaClient, vaultConnector: IVaultConnector, namespace: string, packageId: string, identity: string, objectId: string, versionExtractor: (content: T) => number, accountAddressIndex?: number, walletAddressIndex?: number): Promise<boolean>;
 }

package/dist/types/models/IAdminCapFields.d.ts

@@ -3,11 +3,11 @@
  */
 export interface IAdminCapFields {
     /**
-     * The ID of the AdminCap object.
+     * The UID wrapper of the AdminCap object.
      */
     id: {
         /**
-         * The ID of the AdminCap object.
+         * The hex string ID of the AdminCap object.
          */
         id: string;
     };

package/dist/types/models/IGasStationExecuteResponse.d.ts

@@ -4,12 +4,10 @@
 export interface IGasStationExecuteResponse {
     /**
      * The transaction effects from the IOTA network.
-     * This contains the full IOTA transaction effects object.
      */
     effects: {
         /**
-         * Additional effects data from the IOTA network.
-         * This includes messageVersion, status, executedEpoch, gasUsed, etc.
+         * Additional fields from the IOTA network effects object.
          */
         [key: string]: unknown;
         /**

package/dist/types/models/IIotaConfig.d.ts

@@ -47,6 +47,11 @@ export interface IIotaConfig {
      * @default 50000000
      */
     gasBudget?: number;
+    /**
+     * The default gas reservation duration in seconds for all transactions (including sponsored and direct).
+     * @default 60
+     */
+    gasReservationDuration?: number;
     /**
      * Enable cost logging for transactions.
      * @default false

package/dist/types/models/IIotaControllerCapInfo.d.ts

@@ -1,16 +1,13 @@
 /**
- * On-chain object IDs needed to call mint_with_identity() on the NFT Move contract.
+ * On-chain object IDs for an identity and its associated controller token.
  */
 export interface IIotaControllerCapInfo {
     /**
-     * The on-chain Object ID of the Identity Move object (hex string, e.g. "0x...").
-     * Used as the Identity argument in mint_with_identity().
+     * The on-chain object ID of the Identity Move object (hex string, e.g. "0x...").
      */
     identityObjectId: string;
     /**
-     * The on-chain Object ID of the ControllerToken Move object (hex string, e.g. "0x...").
-     * Proves that the controller address controls identityObjectId.
-     * Used as the ControllerCap argument in mint_with_identity().
+     * The on-chain object ID of the ControllerToken Move object (hex string, e.g. "0x...").
      */
     controllerCapObjectId: string;
 }

package/dist/types/models/IIotaResponseOptions.d.ts

@@ -1,6 +1,6 @@
 import type { IotaTransactionBlockResponseOptions } from "@iota/iota-sdk/client";
 /**
- * Configuration for IOTA.
+ * Options for controlling transaction execution and response behaviour.
  */
 export interface IIotaResponseOptions extends IotaTransactionBlockResponseOptions {
     /**

package/dist/types/models/IMigrationStateFields.d.ts

@@ -3,11 +3,11 @@
  */
 export interface IMigrationStateFields {
     /**
-     * The ID of the MigrationState object.
+     * The UID wrapper of the MigrationState object.
      */
     id: {
         /**
-         * The ID of the MigrationState object.
+         * The hex string ID of the MigrationState object.
          */
         id: string;
     };

package/dist/types/models/ISmartContractObject.d.ts

@@ -3,11 +3,11 @@
  */
 export interface ISmartContractObject {
     /**
-     * The ID of the smart contract object.
+     * The UID wrapper of the smart contract object.
      */
     id: {
         /**
-         * The ID of the smart contract object.
+         * The hex string ID of the smart contract object.
          */
         id: string;
     };

package/dist/types/models/ITransactionSigner.d.ts

@@ -0,0 +1,27 @@
+import type { PublicKey } from "@iota/iota-sdk/cryptography";
+/**
+ * Interface for a transaction signer backed by a secure key store.
+ */
+export interface ITransactionSigner {
+    /**
+     * Sign the BCS-encoded transaction data and return a serialized IOTA signature string.
+     * @param txDataBcs The raw transaction bytes to sign.
+     * @returns The serialized signature string (scheme flag + signature + public key, base64-encoded).
+     */
+    sign(txDataBcs: Uint8Array): Promise<string>;
+    /**
+     * Get the public key for this signer.
+     * @returns The public key.
+     */
+    publicKey(): Promise<PublicKey>;
+    /**
+     * Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).
+     * @returns The IOTA public key bytes.
+     */
+    iotaPublicKeyBytes(): Promise<Uint8Array>;
+    /**
+     * Get the key identifier for this signer.
+     * @returns The key identifier.
+     */
+    keyId(): string;
+}

package/dist/types/vaultJwkStorage.d.ts

@@ -0,0 +1,50 @@
+import type { Jwk, JwkStorage, JwsAlgorithm } from "@iota/identity-wasm/node/index.js";
+import type { IVaultConnector } from "@twin.org/vault-models";
+/**
+ * JwkStorage implementation that delegates the sign operation to the vault connector,
+ * keeping the private key inside the vault at all times.
+ */
+export declare class VaultJwkStorage implements JwkStorage {
+    /**
+     * Runtime name for the class.
+     */
+    static readonly CLASS_NAME: string;
+    /**
+     * Create a new VaultJwkStorage.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     */
+    constructor(vaultConnector: IVaultConnector, keyName: string);
+    /**
+     * Sign data by delegating to the vault connector.
+     * @param keyId The key identifier (unused; the vault key name is used directly).
+     * @param data The data to sign.
+     * @param publicKey The public key JWK (unused; the vault connector handles key lookup).
+     * @returns The raw signature bytes.
+     */
+    sign(keyId: string, data: Uint8Array, publicKey: Jwk): Promise<Uint8Array>;
+    /**
+     * Accept a JWK entry and return the vault key name as the stable key identifier.
+     * @param jwk The JWK to register.
+     * @returns The key identifier.
+     */
+    insert(jwk: Jwk): Promise<string>;
+    /**
+     * Check whether the given key identifier is managed by this storage.
+     * @param keyId The key identifier to check.
+     * @returns True if the key exists in this storage.
+     */
+    exists(keyId: string): Promise<boolean>;
+    /**
+     * Key generation is not supported; keys are managed entirely by the vault.
+     * @param keyType The key type requested.
+     * @param algorithm The JWS algorithm requested.
+     * @returns Never returns.
+     */
+    generate(keyType: string, algorithm: JwsAlgorithm): Promise<never>;
+    /**
+     * Deletion is a no-op; keys are managed by the vault.
+     * @param keyId The key identifier to delete.
+     */
+    delete(keyId: string): Promise<void>;
+}

package/dist/types/vaultJwtSigner.d.ts

@@ -0,0 +1,26 @@
+import { StorageSigner } from "@iota/identity-wasm/node/index.js";
+import type { IVaultConnector } from "@twin.org/vault-models";
+import type { IIotaConfig } from "./models/IIotaConfig.js";
+/**
+ * Factory that creates a vault-backed StorageSigner for IOTA Identity operations.
+ * The private key never leaves the vault — only the raw signing operation is delegated.
+ *
+ * The returned StorageSigner is a genuine WASM object, satisfying the internal validation
+ * that IdentityClient.create() performs on the signer's iotaPublicKeyBytes() path.
+ */
+export declare class VaultJwtSigner {
+    /**
+     * Runtime name for the class.
+     */
+    static readonly CLASS_NAME: string;
+    /**
+     * Create a StorageSigner whose cryptographic operations are backed by the vault connector.
+     * @param vaultConnector The vault connector.
+     * @param config The configuration.
+     * @param identity The identity of the user to access the vault keys.
+     * @param accountIndex The account index.
+     * @param addressIndex The address index within the account.
+     * @returns A StorageSigner backed by the vault for the specified key.
+     */
+    static create(vaultConnector: IVaultConnector, config: IIotaConfig, identity: string, accountIndex: number, addressIndex: number): Promise<StorageSigner>;
+}

package/dist/types/vaultSigner.d.ts

@@ -0,0 +1,32 @@
+import { Signer, type SignatureScheme } from "@iota/iota-sdk/cryptography";
+import { Ed25519PublicKey } from "@iota/iota-sdk/keypairs/ed25519";
+import type { IVaultConnector } from "@twin.org/vault-models";
+/**
+ * A signer that delegates all signing to the vault connector, ensuring the private key
+ * is never exposed to application code.
+ */
+export declare class VaultSigner extends Signer {
+    /**
+     * Create a new VaultSigner.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     * @param publicKey The public key bytes corresponding to the vault key.
+     */
+    constructor(vaultConnector: IVaultConnector, keyName: string, publicKey: Uint8Array);
+    /**
+     * Get the key scheme.
+     * @returns The signature scheme.
+     */
+    getKeyScheme(): SignatureScheme;
+    /**
+     * Get the public key.
+     * @returns The Ed25519 public key.
+     */
+    getPublicKey(): Ed25519PublicKey;
+    /**
+     * Sign the provided bytes via the vault connector.
+     * @param bytes The bytes to sign.
+     * @returns The raw Ed25519 signature bytes.
+     */
+    sign(bytes: Uint8Array): Promise<Uint8Array>;
+}

package/dist/types/vaultTransactionSigner.d.ts

@@ -0,0 +1,39 @@
+import { type PublicKey } from "@iota/iota-sdk/cryptography";
+import type { IVaultConnector } from "@twin.org/vault-models";
+import type { ITransactionSigner } from "./models/ITransactionSigner.js";
+/**
+ * A transaction signer that delegates all signing operations to the vault connector,
+ * ensuring the private key is never exposed to application code.
+ */
+export declare class VaultTransactionSigner implements ITransactionSigner {
+    /**
+     * Create a new VaultTransactionSigner.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     * @param publicKey The public key bytes corresponding to the vault key.
+     */
+    constructor(vaultConnector: IVaultConnector, keyName: string, publicKey: Uint8Array);
+    /**
+     * Sign the BCS-encoded transaction data.
+     * Applies the TransactionData intent, hashes the result, signs via the vault,
+     * and returns a serialized IOTA signature string.
+     * @param txDataBcs The raw transaction bytes to sign.
+     * @returns The serialized signature string.
+     */
+    sign(txDataBcs: Uint8Array): Promise<string>;
+    /**
+     * Get the public key for this signer.
+     * @returns The Ed25519 public key.
+     */
+    publicKey(): Promise<PublicKey>;
+    /**
+     * Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).
+     * @returns The IOTA public key bytes.
+     */
+    iotaPublicKeyBytes(): Promise<Uint8Array>;
+    /**
+     * Get the vault key name used by this signer.
+     * @returns The key name.
+     */
+    keyId(): string;
+}