@unlink-xyz/multisig 0.1.0

package/dist/src/frost/account.d.ts

@@ -0,0 +1,39 @@
+/**
+ * High-level multisig account API.
+ *
+ * Orchestrates DKG and signing through the coordinator,
+ * producing MultisigAccount instances compatible with the
+ * existing Account pattern.
+ */
+import { type Signer } from "@unlink-xyz/core";
+import type { FrostSignature, MultisigAccount, ViewingKeyPair } from "./types.js";
+export declare function createMultisig(params: {
+    threshold: number;
+    totalShares: number;
+    gatewayUrl: string;
+    viewingKeyPair?: ViewingKeyPair;
+}): Promise<{
+    groupId: string;
+    complete: () => Promise<MultisigAccount>;
+}>;
+export declare function joinMultisig(params: {
+    code: string;
+    gatewayUrl: string;
+    viewingKeyPair?: ViewingKeyPair;
+}): Promise<MultisigAccount>;
+export declare function signMultisig(params: {
+    account: MultisigAccount;
+    message: bigint;
+    signingSessionCode: string;
+}): Promise<FrostSignature>;
+/**
+ * Create a reusable Signer from a multisig account for use with transact().
+ *
+ * Each sign() call creates a fresh signing session on the coordinator,
+ * so the signer can be called multiple times without nonce reuse.
+ */
+export declare function createFrostSigner(params: {
+    account: MultisigAccount;
+    participants: number[];
+}): Signer;
+//# sourceMappingURL=account.d.ts.map

package/dist/src/frost/account.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account.d.ts","sourceRoot":"","sources":["../../../src/frost/account.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAIL,KAAK,MAAM,EACZ,MAAM,kBAAkB,CAAC;AAU1B,OAAO,KAAK,EAIV,cAAc,EACd,eAAe,EACf,cAAc,EACf,MAAM,YAAY,CAAC;AAwEpB,wBAAsB,cAAc,CAAC,MAAM,EAAE;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,eAAe,CAAC,CAAA;CAAE,CAAC,CAwDzE;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC,GAAG,OAAO,CAAC,eAAe,CAAC,CAwC3B;AAED,wBAAsB,YAAY,CAAC,MAAM,EAAE;IACzC,OAAO,EAAE,eAAe,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,GAAG,OAAO,CAAC,cAAc,CAAC,CAuC1B;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE;IACxC,OAAO,EAAE,eAAe,CAAC;IACzB,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB,GAAG,MAAM,CAmBT"}

package/dist/src/frost/account.js

@@ -0,0 +1,156 @@
+/**
+ * High-level multisig account API.
+ *
+ * Orchestrates DKG and signing through the coordinator,
+ * producing MultisigAccount instances compatible with the
+ * existing Account pattern.
+ */
+import { computeMasterPublicKey, computeNullifyingKey, encodeAddress, } from "@unlink-xyz/core";
+import { FrostCoordinator } from "./coordinator.js";
+import { babyjubjub, modMul } from "./curve.js";
+import { dkgFinalize, dkgRound1, dkgRound2 } from "./dkg.js";
+import { aggregateSignatures, generateCommitment, generateSignatureShare, } from "./signing.js";
+function frostUrl(gatewayUrl) {
+    return `${gatewayUrl.replace(/\/$/, "")}/frost`;
+}
+/**
+ * Derive a participant's verification share from coefficient commitments.
+ * VS_i = Σ_j Σ_k (C_jk * i^k)
+ */
+function deriveVerificationShare(participantIndex, coefficientCommitments) {
+    const idx = BigInt(participantIndex);
+    let result = babyjubjub.identity;
+    for (const commitments of coefficientCommitments.values()) {
+        let power = 1n;
+        for (const commitment of commitments) {
+            result = babyjubjub.add(result, babyjubjub.scalarMult(commitment, power));
+            power = modMul(power, idx, babyjubjub.order);
+        }
+    }
+    return result;
+}
+function buildMultisigAccount(result, viewingKeyPair, groupId, config, participantIndex, gatewayUrl) {
+    const nullifyingKey = computeNullifyingKey(viewingKeyPair.privateKey);
+    const masterPublicKey = computeMasterPublicKey(result.groupPublicKey, nullifyingKey);
+    const address = encodeAddress({
+        masterPublicKey,
+        viewingPublicKey: viewingKeyPair.pubkey,
+    });
+    return {
+        groupId,
+        config,
+        participantIndex,
+        keyShare: result.keyShare,
+        groupPublicKey: result.groupPublicKey,
+        coefficientCommitments: result.coefficientCommitments,
+        viewingKeyPair,
+        nullifyingKey,
+        masterPublicKey,
+        gatewayUrl,
+        address,
+    };
+}
+/**
+ * Throw if more than one participant distributed a viewing key.
+ * Multiple providers would cause participants to disagree on the key.
+ */
+function assertSingleViewingKeyProvider(allRound2) {
+    const providers = allRound2.filter((pkg) => pkg.encryptedViewingKeys?.length);
+    if (providers.length > 1) {
+        throw new Error(`Multiple participants (${providers.map((p) => p.participantIndex).join(", ")}) provided viewing keys — only one is allowed`);
+    }
+}
+export async function createMultisig(params) {
+    if (params.threshold > params.totalShares) {
+        throw new Error("threshold must not exceed totalShares");
+    }
+    const config = {
+        threshold: params.threshold,
+        totalShares: params.totalShares,
+    };
+    const coordinator = new FrostCoordinator({
+        baseUrl: frostUrl(params.gatewayUrl),
+    });
+    const { code } = await coordinator.createDkgSession(config.threshold, config.totalShares);
+    // Round 1 — generate + submit eagerly so joiners see it
+    const { secret, package: round1Pkg } = dkgRound1(config, 1);
+    await coordinator.submitRound1(code, round1Pkg);
+    return {
+        groupId: code,
+        complete: async () => {
+            const allRound1 = await coordinator.waitForRound1(code);
+            const round2Pkg = dkgRound2(secret, allRound1, params.viewingKeyPair);
+            await coordinator.submitRound2(code, round2Pkg);
+            const allRound2 = await coordinator.waitForRound2(code);
+            assertSingleViewingKeyProvider(allRound2);
+            const result = dkgFinalize(secret, allRound1, allRound2, params.viewingKeyPair);
+            const viewingKeyPair = params.viewingKeyPair ?? result.viewingKeyPair;
+            if (!viewingKeyPair) {
+                throw new Error("No viewing key available after DKG — at least one participant must provide a viewingKeyPair");
+            }
+            return buildMultisigAccount(result, viewingKeyPair, code, config, 1, params.gatewayUrl);
+        },
+    };
+}
+export async function joinMultisig(params) {
+    const coordinator = new FrostCoordinator({
+        baseUrl: frostUrl(params.gatewayUrl),
+    });
+    const { participantIndex, threshold, totalParticipants } = await coordinator.joinDkgSession(params.code);
+    const config = { threshold, totalShares: totalParticipants };
+    const { secret, package: round1Pkg } = dkgRound1(config, participantIndex);
+    await coordinator.submitRound1(params.code, round1Pkg);
+    const allRound1 = await coordinator.waitForRound1(params.code);
+    const round2Pkg = dkgRound2(secret, allRound1, params.viewingKeyPair);
+    await coordinator.submitRound2(params.code, round2Pkg);
+    const allRound2 = await coordinator.waitForRound2(params.code);
+    assertSingleViewingKeyProvider(allRound2);
+    const result = dkgFinalize(secret, allRound1, allRound2, params.viewingKeyPair);
+    const viewingKeyPair = params.viewingKeyPair ?? result.viewingKeyPair;
+    if (!viewingKeyPair) {
+        throw new Error("No viewing key available after DKG — at least one participant must provide a viewingKeyPair");
+    }
+    return buildMultisigAccount(result, viewingKeyPair, params.code, config, participantIndex, params.gatewayUrl);
+}
+export async function signMultisig(params) {
+    const coordinator = new FrostCoordinator({
+        baseUrl: frostUrl(params.account.gatewayUrl),
+    });
+    const { nonces, commitment } = generateCommitment(params.account.participantIndex);
+    await coordinator.submitCommitment(params.signingSessionCode, commitment);
+    const allCommitments = await coordinator.waitForCommitments(params.signingSessionCode);
+    const share = generateSignatureShare(params.account.keyShare, nonces, params.message, allCommitments, params.account.groupPublicKey);
+    await coordinator.submitShare(params.signingSessionCode, share);
+    const allShares = await coordinator.waitForShares(params.signingSessionCode);
+    // Build verification shares from coefficient commitments for per-share verification
+    const verificationShares = new Map();
+    for (const s of allShares) {
+        verificationShares.set(s.participantIndex, deriveVerificationShare(s.participantIndex, params.account.coefficientCommitments));
+    }
+    return aggregateSignatures(allCommitments, allShares, params.message, {
+        verificationShares,
+        groupPublicKey: params.account.groupPublicKey,
+    });
+}
+/**
+ * Create a reusable Signer from a multisig account for use with transact().
+ *
+ * Each sign() call creates a fresh signing session on the coordinator,
+ * so the signer can be called multiple times without nonce reuse.
+ */
+export function createFrostSigner(params) {
+    return {
+        publicKey: params.account.groupPublicKey,
+        sign: async (message) => {
+            const coordinator = new FrostCoordinator({
+                baseUrl: frostUrl(params.account.gatewayUrl),
+            });
+            const { code } = await coordinator.createSigningSession(params.participants, message, params.account.groupId);
+            return signMultisig({
+                account: params.account,
+                message,
+                signingSessionCode: code,
+            });
+        },
+    };
+}

package/dist/src/frost/coordinator.d.ts

@@ -0,0 +1,60 @@
+/**
+ * FROST coordinator HTTP client.
+ *
+ * Wraps the frost service API with polling logic,
+ * serialization, and timeout handling.
+ */
+import type { DkgRound1Package, DkgRound2Package, SignatureShare, SigningCommitment } from "./types.js";
+export interface CoordinatorConfig {
+    baseUrl: string;
+    /** Polling interval in ms (default 1000) */
+    pollIntervalMs?: number;
+    /** Timeout in ms (default 60000) */
+    timeoutMs?: number;
+}
+export declare class FrostCoordinator {
+    private baseUrl;
+    private pollIntervalMs;
+    private timeoutMs;
+    constructor(config: CoordinatorConfig);
+    createDkgSession(threshold: number, totalParticipants: number): Promise<{
+        code: string;
+    }>;
+    joinDkgSession(code: string): Promise<{
+        participantIndex: number;
+        threshold: number;
+        totalParticipants: number;
+    }>;
+    submitRound1(code: string, pkg: DkgRound1Package): Promise<void>;
+    waitForRound1(code: string): Promise<DkgRound1Package[]>;
+    submitRound2(code: string, pkg: DkgRound2Package): Promise<void>;
+    waitForRound2(code: string): Promise<DkgRound2Package[]>;
+    createSigningSession(participants: number[], message: bigint, groupId?: string): Promise<{
+        code: string;
+    }>;
+    submitCommitment(code: string, c: SigningCommitment): Promise<void>;
+    waitForCommitments(code: string): Promise<SigningCommitment[]>;
+    submitShare(code: string, share: SignatureShare): Promise<void>;
+    waitForShares(code: string): Promise<SignatureShare[]>;
+    getSigningSessionStatus(code: string): Promise<{
+        message: bigint;
+        status: string;
+    }>;
+    getSigningSession(code: string): Promise<SigningSessionInfo>;
+    listSigningSessions(groupId: string): Promise<SigningSessionInfo[]>;
+    waitForSigningSession(groupId: string, signal?: AbortSignal): Promise<SigningSessionInfo>;
+    private pollRound1;
+    private pollRound2;
+    private pollCommitments;
+    private pollShares;
+    private pollUntilComplete;
+    private toError;
+}
+export type SigningSessionInfo = {
+    code: string;
+    message: bigint;
+    participants: number[];
+    status: string;
+    groupId?: string;
+};
+//# sourceMappingURL=coordinator.d.ts.map

package/dist/src/frost/coordinator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"coordinator.d.ts","sourceRoot":"","sources":["../../../src/frost/coordinator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAcH,OAAO,KAAK,EACV,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EAClB,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oCAAoC;IACpC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,SAAS,CAAS;gBAEd,MAAM,EAAE,iBAAiB;IAQ/B,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,iBAAiB,EAAE,MAAM,GACxB,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IActB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAC1C,gBAAgB,EAAE,MAAM,CAAC;QACzB,SAAS,EAAE,MAAM,CAAC;QAClB,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;IAiBI,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAYhE,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAOxD,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAYhE,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;IASxD,oBAAoB,CACxB,YAAY,EAAE,MAAM,EAAE,EACtB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAkBtB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAenE,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAO9D,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC;IAY/D,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAOtD,uBAAuB,CAC3B,IAAI,EAAE,MAAM,GACX,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAOzC,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAO5D,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IASnE,qBAAqB,CACzB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,WAAW,GACnB,OAAO,CAAC,kBAAkB,CAAC;YAiBhB,UAAU;YAQV,UAAU;YAQV,eAAe;YAUf,UAAU;YAQV,iBAAiB;YAejB,OAAO;CAItB;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,CAAC"}

package/dist/src/frost/coordinator.js

@@ -0,0 +1,211 @@
+/**
+ * FROST coordinator HTTP client.
+ *
+ * Wraps the frost service API with polling logic,
+ * serialization, and timeout handling.
+ */
+import { deserializeBigint, deserializeDkgRound1Package, deserializeDkgRound2Package, deserializeSignatureShare, deserializeSigningCommitment, serializeBigint, serializeDkgRound1Package, serializeDkgRound2Package, serializeSignatureShare, serializeSigningCommitment, } from "./serialization.js";
+export class FrostCoordinator {
+    baseUrl;
+    pollIntervalMs;
+    timeoutMs;
+    constructor(config) {
+        this.baseUrl = config.baseUrl.replace(/\/$/, "");
+        this.pollIntervalMs = config.pollIntervalMs ?? 1000;
+        this.timeoutMs = config.timeoutMs ?? 120000;
+    }
+    // === DKG ===
+    async createDkgSession(threshold, totalParticipants) {
+        const resp = await fetch(`${this.baseUrl}/dkg/groups`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                threshold,
+                total_participants: totalParticipants,
+            }),
+        });
+        if (!resp.ok)
+            throw await this.toError(resp);
+        const body = (await resp.json());
+        return { code: body.code };
+    }
+    async joinDkgSession(code) {
+        const resp = await fetch(`${this.baseUrl}/dkg/groups/${code}/join`, {
+            method: "POST",
+        });
+        if (!resp.ok)
+            throw await this.toError(resp);
+        const body = (await resp.json());
+        return {
+            participantIndex: body.participant_index,
+            threshold: body.threshold,
+            totalParticipants: body.total_participants,
+        };
+    }
+    async submitRound1(code, pkg) {
+        const resp = await fetch(`${this.baseUrl}/dkg/groups/${code}/round1`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                participant_index: pkg.participantIndex,
+                data: serializeDkgRound1Package(pkg),
+            }),
+        });
+        if (!resp.ok)
+            throw await this.toError(resp);
+    }
+    async waitForRound1(code) {
+        return this.pollUntilComplete(() => this.pollRound1(code), deserializeDkgRound1Package);
+    }
+    async submitRound2(code, pkg) {
+        const resp = await fetch(`${this.baseUrl}/dkg/groups/${code}/round2`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                participant_index: pkg.participantIndex,
+                data: serializeDkgRound2Package(pkg),
+            }),
+        });
+        if (!resp.ok)
+            throw await this.toError(resp);
+    }
+    async waitForRound2(code) {
+        return this.pollUntilComplete(() => this.pollRound2(code), deserializeDkgRound2Package);
+    }
+    // === Signing ===
+    async createSigningSession(participants, message, groupId) {
+        const body = {
+            participants,
+            message: serializeBigint(message),
+        };
+        if (groupId !== undefined) {
+            body.group_id = groupId;
+        }
+        const resp = await fetch(`${this.baseUrl}/sign/sessions`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(body),
+        });
+        if (!resp.ok)
+            throw await this.toError(resp);
+        const result = (await resp.json());
+        return { code: result.code };
+    }
+    async submitCommitment(code, c) {
+        const resp = await fetch(`${this.baseUrl}/sign/sessions/${code}/commitments`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                participant_index: c.participantIndex,
+                data: serializeSigningCommitment(c),
+            }),
+        });
+        if (!resp.ok)
+            throw await this.toError(resp);
+    }
+    async waitForCommitments(code) {
+        return this.pollUntilComplete(() => this.pollCommitments(code), deserializeSigningCommitment);
+    }
+    async submitShare(code, share) {
+        const resp = await fetch(`${this.baseUrl}/sign/sessions/${code}/shares`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                participant_index: share.participantIndex,
+                data: serializeSignatureShare(share),
+            }),
+        });
+        if (!resp.ok)
+            throw await this.toError(resp);
+    }
+    async waitForShares(code) {
+        return this.pollUntilComplete(() => this.pollShares(code), deserializeSignatureShare);
+    }
+    async getSigningSessionStatus(code) {
+        const resp = await fetch(`${this.baseUrl}/sign/sessions/${code}/status`);
+        if (!resp.ok)
+            throw await this.toError(resp);
+        const body = (await resp.json());
+        return { ...body, message: deserializeBigint(body.message) };
+    }
+    async getSigningSession(code) {
+        const resp = await fetch(`${this.baseUrl}/sign/sessions/${code}`);
+        if (!resp.ok)
+            throw await this.toError(resp);
+        const body = (await resp.json());
+        return deserializeSessionInfo(body);
+    }
+    async listSigningSessions(groupId) {
+        const resp = await fetch(`${this.baseUrl}/sign/sessions?group_id=${encodeURIComponent(groupId)}`);
+        if (!resp.ok)
+            throw await this.toError(resp);
+        const body = (await resp.json());
+        return body.sessions.map(deserializeSessionInfo);
+    }
+    async waitForSigningSession(groupId, signal) {
+        const deadline = Date.now() + this.timeoutMs;
+        while (Date.now() < deadline) {
+            if (signal?.aborted) {
+                throw new Error("Aborted");
+            }
+            const sessions = await this.listSigningSessions(groupId);
+            if (sessions.length > 0) {
+                return sessions[0];
+            }
+            await sleep(this.pollIntervalMs);
+        }
+        throw new Error("Coordinator polling timeout");
+    }
+    // === Internal ===
+    async pollRound1(code) {
+        const resp = await fetch(`${this.baseUrl}/dkg/groups/${code}/round1`);
+        if (!resp.ok)
+            throw await this.toError(resp);
+        return (await resp.json());
+    }
+    async pollRound2(code) {
+        const resp = await fetch(`${this.baseUrl}/dkg/groups/${code}/round2`);
+        if (!resp.ok)
+            throw await this.toError(resp);
+        return (await resp.json());
+    }
+    async pollCommitments(code) {
+        const resp = await fetch(`${this.baseUrl}/sign/sessions/${code}/commitments`);
+        if (!resp.ok)
+            throw await this.toError(resp);
+        return (await resp.json());
+    }
+    async pollShares(code) {
+        const resp = await fetch(`${this.baseUrl}/sign/sessions/${code}/shares`);
+        if (!resp.ok)
+            throw await this.toError(resp);
+        return (await resp.json());
+    }
+    async pollUntilComplete(pollFn, deserializeFn) {
+        const deadline = Date.now() + this.timeoutMs;
+        while (Date.now() < deadline) {
+            const result = await pollFn();
+            if (result.complete) {
+                return result.packages.map((p) => deserializeFn(p));
+            }
+            await sleep(this.pollIntervalMs);
+        }
+        throw new Error("Coordinator polling timeout");
+    }
+    async toError(resp) {
+        const body = await resp.text();
+        return new Error(`Coordinator error ${resp.status}: ${body}`);
+    }
+}
+function deserializeSessionInfo(raw) {
+    return {
+        code: raw.code,
+        message: deserializeBigint(raw.message),
+        participants: raw.participants,
+        status: raw.status,
+        groupId: raw.group_id ?? undefined,
+    };
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/dist/src/frost/crypto.d.ts

@@ -0,0 +1,48 @@
+/**
+ * ECDH key agreement + authenticated encryption for DKG share transport.
+ *
+ * ECDH on BabyJubJub: sharedSecret = myPrivate * theirPublicPoint
+ * Symmetric key derived via HKDF-SHA256 from shared secret coordinates.
+ * Encryption: ChaCha20-Poly1305 (from @noble/ciphers).
+ */
+import { type Point } from "./curve.js";
+/**
+ * Convert a bigint to 32-byte big-endian Uint8Array.
+ */
+export declare function bigintToBytes(n: bigint): Uint8Array;
+/**
+ * Convert a 32-byte big-endian Uint8Array to bigint.
+ */
+export declare function bytesToBigint(bytes: Uint8Array): bigint;
+/**
+ * Compute ECDH shared secret: mySecret * theirPublicKey.
+ */
+export declare function ecdhSharedSecret(mySecret: bigint, theirPublicKey: Point): Point;
+/**
+ * Derive a 32-byte symmetric key from an ECDH shared point.
+ * Uses HKDF-SHA256 with domain-separated info.
+ */
+export declare function deriveSymmetricKey(sharedPoint: Point): Uint8Array;
+/**
+ * Encrypt arbitrary bytes for transport (ChaCha20-Poly1305, random 12-byte nonce).
+ */
+export declare function encryptBytes(plaintext: Uint8Array, symmetricKey: Uint8Array): {
+    ciphertext: Uint8Array;
+    nonce: Uint8Array;
+};
+/**
+ * Decrypt arbitrary bytes from transport.
+ */
+export declare function decryptBytes(ciphertext: Uint8Array, nonce: Uint8Array, symmetricKey: Uint8Array): Uint8Array;
+/**
+ * Encrypt a bigint share for transport.
+ */
+export declare function encryptShare(share: bigint, symmetricKey: Uint8Array): {
+    ciphertext: Uint8Array;
+    nonce: Uint8Array;
+};
+/**
+ * Decrypt a share from transport.
+ */
+export declare function decryptShare(ciphertext: Uint8Array, nonce: Uint8Array, symmetricKey: Uint8Array): bigint;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/src/frost/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/frost/crypto.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,EAAc,KAAK,KAAK,EAAE,MAAM,YAAY,CAAC;AAIpD;;GAEG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAQnD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAMvD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,KAAK,GACpB,KAAK,CAEP;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,WAAW,EAAE,KAAK,GAAG,UAAU,CAKjE;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,SAAS,EAAE,UAAU,EACrB,YAAY,EAAE,UAAU,GACvB;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAM/C;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,UAAU,EACjB,YAAY,EAAE,UAAU,GACvB,UAAU,CAGZ;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,YAAY,EAAE,UAAU,GACvB;IAAE,UAAU,EAAE,UAAU,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAE/C;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,UAAU,EACjB,YAAY,EAAE,UAAU,GACvB,MAAM,CAER"}

package/dist/src/frost/crypto.js

@@ -0,0 +1,79 @@
+/**
+ * ECDH key agreement + authenticated encryption for DKG share transport.
+ *
+ * ECDH on BabyJubJub: sharedSecret = myPrivate * theirPublicPoint
+ * Symmetric key derived via HKDF-SHA256 from shared secret coordinates.
+ * Encryption: ChaCha20-Poly1305 (from @noble/ciphers).
+ */
+import { chacha20poly1305 } from "@noble/ciphers/chacha";
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+import { babyjubjub } from "./curve.js";
+const DKG_ENCRYPTION_CONTEXT = new TextEncoder().encode("frost-dkg-share-v1");
+/**
+ * Convert a bigint to 32-byte big-endian Uint8Array.
+ */
+export function bigintToBytes(n) {
+    const bytes = new Uint8Array(32);
+    let val = n;
+    for (let i = 31; i >= 0; i--) {
+        bytes[i] = Number(val & 0xffn);
+        val >>= 8n;
+    }
+    return bytes;
+}
+/**
+ * Convert a 32-byte big-endian Uint8Array to bigint.
+ */
+export function bytesToBigint(bytes) {
+    let result = 0n;
+    for (let i = 0; i < bytes.length; i++) {
+        result = (result << 8n) | BigInt(bytes[i]);
+    }
+    return result;
+}
+/**
+ * Compute ECDH shared secret: mySecret * theirPublicKey.
+ */
+export function ecdhSharedSecret(mySecret, theirPublicKey) {
+    return babyjubjub.scalarMult(theirPublicKey, mySecret);
+}
+/**
+ * Derive a 32-byte symmetric key from an ECDH shared point.
+ * Uses HKDF-SHA256 with domain-separated info.
+ */
+export function deriveSymmetricKey(sharedPoint) {
+    const ikm = new Uint8Array(64);
+    ikm.set(bigintToBytes(sharedPoint[0]), 0);
+    ikm.set(bigintToBytes(sharedPoint[1]), 32);
+    return hkdf(sha256, ikm, undefined, DKG_ENCRYPTION_CONTEXT, 32);
+}
+/**
+ * Encrypt arbitrary bytes for transport (ChaCha20-Poly1305, random 12-byte nonce).
+ */
+export function encryptBytes(plaintext, symmetricKey) {
+    const nonce = new Uint8Array(12);
+    globalThis.crypto.getRandomValues(nonce);
+    const cipher = chacha20poly1305(symmetricKey, nonce);
+    const ciphertext = cipher.encrypt(plaintext);
+    return { ciphertext, nonce };
+}
+/**
+ * Decrypt arbitrary bytes from transport.
+ */
+export function decryptBytes(ciphertext, nonce, symmetricKey) {
+    const cipher = chacha20poly1305(symmetricKey, nonce);
+    return cipher.decrypt(ciphertext);
+}
+/**
+ * Encrypt a bigint share for transport.
+ */
+export function encryptShare(share, symmetricKey) {
+    return encryptBytes(bigintToBytes(share), symmetricKey);
+}
+/**
+ * Decrypt a share from transport.
+ */
+export function decryptShare(ciphertext, nonce, symmetricKey) {
+    return bytesToBigint(decryptBytes(ciphertext, nonce, symmetricKey));
+}