@unlink-xyz/multisig 0.1.0

package/dist/src/frost/curve.d.ts

@@ -0,0 +1,97 @@
+/**
+ * BabyJubJub curve wrapper for FROST operations.
+ *
+ * FROST requires:
+ * - Generator point (Base8)
+ * - Scalar multiplication
+ * - Point addition
+ * - Field arithmetic (modular inverse, etc.)
+ *
+ * We wrap @zk-kit/baby-jubjub to provide a consistent interface.
+ */
+export type Point = [bigint, bigint];
+/**
+ * BabyJubJub curve operations for FROST.
+ */
+export declare const babyjubjub: {
+    /**
+     * Generator point (Base8 from baby-jubjub).
+     * This is the standard generator for EdDSA on BabyJubJub.
+     */
+    generator: Point;
+    /**
+     * Group order - the order of the subgroup generated by Base8.
+     * All scalars should be reduced modulo this value.
+     */
+    order: bigint;
+    /**
+     * Prime field order (the full curve order).
+     */
+    primeOrder: bigint;
+    /**
+     * Field prime (r) - used for coordinate arithmetic.
+     */
+    fieldPrime: bigint;
+    /**
+     * Identity point (neutral element for addition).
+     * On twisted Edwards curves, this is (0, 1).
+     */
+    identity: Point;
+    /**
+     * Add two points on the curve.
+     */
+    add(p1: Point, p2: Point): Point;
+    /**
+     * Scalar multiplication: base * scalar.
+     */
+    scalarMult(base: Point, scalar: bigint): Point;
+    /**
+     * Multiply generator by scalar: G * scalar.
+     */
+    scalarMultGen(scalar: bigint): Point;
+    /**
+     * Check if a point is on the curve.
+     */
+    isOnCurve(p: Point): boolean;
+    /**
+     * Check if a point is the identity.
+     */
+    isIdentity(p: Point): boolean;
+    /**
+     * Check if two points are equal.
+     */
+    equals(p1: Point, p2: Point): boolean;
+};
+/**
+ * Modular arithmetic helpers for scalars.
+ */
+/**
+ * Modular reduction: a mod n.
+ * Handles negative numbers correctly.
+ */
+export declare function mod(a: bigint, n: bigint): bigint;
+/**
+ * Extended Euclidean Algorithm for modular inverse.
+ * Returns x such that (a * x) mod n = 1.
+ */
+export declare function modInverse(a: bigint, n: bigint): bigint;
+/**
+ * Modular addition: (a + b) mod n.
+ */
+export declare function modAdd(a: bigint, b: bigint, n: bigint): bigint;
+/**
+ * Modular multiplication: (a * b) mod n.
+ */
+export declare function modMul(a: bigint, b: bigint, n: bigint): bigint;
+/**
+ * Modular division: (a / b) mod n = (a * b^-1) mod n.
+ */
+export declare function modDiv(a: bigint, b: bigint, n: bigint): bigint;
+/**
+ * Generate a random scalar in [1, subOrder-1] using rejection sampling.
+ *
+ * subOrder is ~251 bits, so P(reject) ≈ 1 - subOrder/2^256 ≈ 0.003.
+ * Virtually always succeeds on first try.
+ */
+export declare function randomScalar(): bigint;
+//# sourceMappingURL=curve.d.ts.map

package/dist/src/frost/curve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"curve.d.ts","sourceRoot":"","sources":["../../../src/frost/curve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAYH,MAAM,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAErC;;GAEG;AACH,eAAO,MAAM,UAAU;IACrB;;;OAGG;eACiB,KAAK;IAEzB;;;OAGG;;IAGH;;OAEG;;IAGH;;OAEG;;IAGH;;;OAGG;cACmB,KAAK;IAE3B;;OAEG;YACK,KAAK,MAAM,KAAK,GAAG,KAAK;IAIhC;;OAEG;qBACc,KAAK,UAAU,MAAM,GAAG,KAAK;IAM9C;;OAEG;0BACmB,MAAM,GAAG,KAAK;IAIpC;;OAEG;iBACU,KAAK,GAAG,OAAO;IAI5B;;OAEG;kBACW,KAAK,GAAG,OAAO;IAI7B;;OAEG;eACQ,KAAK,MAAM,KAAK,GAAG,OAAO;CAGtC,CAAC;AAEF;;GAEG;AAEH;;;GAGG;AACH,wBAAgB,GAAG,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAGhD;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAevD;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAYrC"}

package/dist/src/frost/curve.js

@@ -0,0 +1,143 @@
+/**
+ * BabyJubJub curve wrapper for FROST operations.
+ *
+ * FROST requires:
+ * - Generator point (Base8)
+ * - Scalar multiplication
+ * - Point addition
+ * - Field arithmetic (modular inverse, etc.)
+ *
+ * We wrap @zk-kit/baby-jubjub to provide a consistent interface.
+ */
+import { addPoint, Base8, inCurve, mulPointEscalar, order, r, subOrder, } from "@zk-kit/baby-jubjub";
+/**
+ * BabyJubJub curve operations for FROST.
+ */
+export const babyjubjub = {
+    /**
+     * Generator point (Base8 from baby-jubjub).
+     * This is the standard generator for EdDSA on BabyJubJub.
+     */
+    generator: Base8,
+    /**
+     * Group order - the order of the subgroup generated by Base8.
+     * All scalars should be reduced modulo this value.
+     */
+    order: subOrder,
+    /**
+     * Prime field order (the full curve order).
+     */
+    primeOrder: order,
+    /**
+     * Field prime (r) - used for coordinate arithmetic.
+     */
+    fieldPrime: r,
+    /**
+     * Identity point (neutral element for addition).
+     * On twisted Edwards curves, this is (0, 1).
+     */
+    identity: [0n, 1n],
+    /**
+     * Add two points on the curve.
+     */
+    add(p1, p2) {
+        return addPoint(p1, p2);
+    },
+    /**
+     * Scalar multiplication: base * scalar.
+     */
+    scalarMult(base, scalar) {
+        // Reduce scalar modulo order
+        const reducedScalar = mod(scalar, subOrder);
+        return mulPointEscalar(base, reducedScalar);
+    },
+    /**
+     * Multiply generator by scalar: G * scalar.
+     */
+    scalarMultGen(scalar) {
+        return this.scalarMult(this.generator, scalar);
+    },
+    /**
+     * Check if a point is on the curve.
+     */
+    isOnCurve(p) {
+        return inCurve(p);
+    },
+    /**
+     * Check if a point is the identity.
+     */
+    isIdentity(p) {
+        return p[0] === 0n && p[1] === 1n;
+    },
+    /**
+     * Check if two points are equal.
+     */
+    equals(p1, p2) {
+        return p1[0] === p2[0] && p1[1] === p2[1];
+    },
+};
+/**
+ * Modular arithmetic helpers for scalars.
+ */
+/**
+ * Modular reduction: a mod n.
+ * Handles negative numbers correctly.
+ */
+export function mod(a, n) {
+    const result = a % n;
+    return result >= 0n ? result : result + n;
+}
+/**
+ * Extended Euclidean Algorithm for modular inverse.
+ * Returns x such that (a * x) mod n = 1.
+ */
+export function modInverse(a, n) {
+    let [oldR, r] = [mod(a, n), n];
+    let [oldS, s] = [1n, 0n];
+    while (r !== 0n) {
+        const quotient = oldR / r;
+        [oldR, r] = [r, oldR - quotient * r];
+        [oldS, s] = [s, oldS - quotient * s];
+    }
+    if (oldR !== 1n) {
+        throw new Error(`Modular inverse does not exist for ${a} mod ${n}`);
+    }
+    return mod(oldS, n);
+}
+/**
+ * Modular addition: (a + b) mod n.
+ */
+export function modAdd(a, b, n) {
+    return mod(a + b, n);
+}
+/**
+ * Modular multiplication: (a * b) mod n.
+ */
+export function modMul(a, b, n) {
+    return mod(a * b, n);
+}
+/**
+ * Modular division: (a / b) mod n = (a * b^-1) mod n.
+ */
+export function modDiv(a, b, n) {
+    return modMul(a, modInverse(b, n), n);
+}
+/**
+ * Generate a random scalar in [1, subOrder-1] using rejection sampling.
+ *
+ * subOrder is ~251 bits, so P(reject) ≈ 1 - subOrder/2^256 ≈ 0.003.
+ * Virtually always succeeds on first try.
+ */
+export function randomScalar() {
+    const bytes = new Uint8Array(32);
+    for (;;) {
+        globalThis.crypto.getRandomValues(bytes);
+        const hex = Array.from(bytes)
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join("");
+        const scalar = BigInt("0x" + hex);
+        if (scalar > 0n && scalar < subOrder) {
+            return scalar;
+        }
+    }
+}

package/dist/src/frost/dkg.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Distributed Key Generation (Feldman's Verifiable Secret Sharing).
+ *
+ * Participants generate key shares cooperatively — no single party
+ * ever holds the full private key.
+ *
+ * Protocol:
+ * 1. Round 1: Generate polynomial, commit to coefficients, prove knowledge
+ * 2. Round 2: Evaluate polynomial at peers, encrypt shares via ECDH
+ * 3. Finalize: Verify shares against commitments, compute key share + group key
+ */
+import type { DkgResult, DkgRound1Package, DkgRound1Secret, DkgRound2Package, FrostConfig, ViewingKeyPair } from "./types.js";
+/**
+ * Round 1: Generate polynomial, coefficient commitments, and Schnorr PoK.
+ */
+export declare function dkgRound1(config: FrostConfig, participantIndex: number): {
+    secret: DkgRound1Secret;
+    package: DkgRound1Package;
+};
+/**
+ * Round 1 from deterministic seed: derive coefficients via HKDF.
+ */
+export declare function dkgRound1FromSeed(config: FrostConfig, participantIndex: number, seed: Uint8Array): {
+    secret: DkgRound1Secret;
+    package: DkgRound1Package;
+};
+/**
+ * Round 2: Verify PoK proofs, evaluate polynomial at peers, encrypt shares.
+ */
+export declare function dkgRound2(secret: DkgRound1Secret, allRound1Packages: DkgRound1Package[], viewingKeyPair?: ViewingKeyPair): DkgRound2Package;
+/**
+ * Finalize DKG: decrypt shares, verify against commitments,
+ * compute secret share and group public key.
+ */
+export declare function dkgFinalize(secret: DkgRound1Secret, allRound1Packages: DkgRound1Package[], allRound2Packages: DkgRound2Package[], viewingKeyPair?: ViewingKeyPair): DkgResult;
+//# sourceMappingURL=dkg.d.ts.map

package/dist/src/frost/dkg.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dkg.d.ts","sourceRoot":"","sources":["../../../src/frost/dkg.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAuBH,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAEhB,WAAW,EAEX,cAAc,EACf,MAAM,YAAY,CAAC;AAiGpB;;GAEG;AACH,wBAAgB,SAAS,CACvB,MAAM,EAAE,WAAW,EACnB,gBAAgB,EAAE,MAAM,GACvB;IAAE,MAAM,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,gBAAgB,CAAA;CAAE,CAOxD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,WAAW,EACnB,gBAAgB,EAAE,MAAM,EACxB,IAAI,EAAE,UAAU,GACf;IAAE,MAAM,EAAE,eAAe,CAAC;IAAC,OAAO,EAAE,gBAAgB,CAAA;CAAE,CASxD;AA4BD;;GAEG;AACH,wBAAgB,SAAS,CACvB,MAAM,EAAE,eAAe,EACvB,iBAAiB,EAAE,gBAAgB,EAAE,EACrC,cAAc,CAAC,EAAE,cAAc,GAC9B,gBAAgB,CA8DlB;AAED;;;GAGG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,eAAe,EACvB,iBAAiB,EAAE,gBAAgB,EAAE,EACrC,iBAAiB,EAAE,gBAAgB,EAAE,EACrC,cAAc,CAAC,EAAE,cAAc,GAC9B,SAAS,CA0GX"}

package/dist/src/frost/dkg.js

@@ -0,0 +1,242 @@
+/**
+ * Distributed Key Generation (Feldman's Verifiable Secret Sharing).
+ *
+ * Participants generate key shares cooperatively — no single party
+ * ever holds the full private key.
+ *
+ * Protocol:
+ * 1. Round 1: Generate polynomial, commit to coefficients, prove knowledge
+ * 2. Round 2: Evaluate polynomial at peers, encrypt shares via ECDH
+ * 3. Finalize: Verify shares against commitments, compute key share + group key
+ */
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { sha256 } from "@noble/hashes/sha2.js";
+import { poseidon } from "@unlink-xyz/core";
+import { bytesToBigint, decryptBytes, decryptShare, deriveSymmetricKey, ecdhSharedSecret, encryptBytes, encryptShare, } from "./crypto.js";
+import { babyjubjub, mod, modAdd, modMul, randomScalar, } from "./curve.js";
+/**
+ * Evaluate polynomial at x: f(x) = sum(coefficients[k] * x^k).
+ */
+function evaluatePolynomial(coefficients, x) {
+    const n = babyjubjub.order;
+    let result = 0n;
+    let power = 1n;
+    for (const coeff of coefficients) {
+        result = modAdd(result, modMul(coeff, power, n), n);
+        power = modMul(power, x, n);
+    }
+    return result;
+}
+/**
+ * Generate a Schnorr proof of knowledge for secret behind public key.
+ * Proves: "I know x such that X = x*G"
+ */
+function generateSchnorrProof(participantIndex, secret, publicKey) {
+    const k = randomScalar();
+    const R = babyjubjub.scalarMultGen(k);
+    const challenge = mod(poseidon([
+        BigInt(participantIndex),
+        R[0],
+        R[1],
+        publicKey[0],
+        publicKey[1],
+    ]), babyjubjub.order);
+    const response = modAdd(k, modMul(challenge, secret, babyjubjub.order), babyjubjub.order);
+    return { commitment: R, response };
+}
+/**
+ * Verify a Schnorr proof of knowledge: z*G == R + c*PK
+ */
+function verifySchnorrProof(participantIndex, publicKey, proof) {
+    const challenge = mod(poseidon([
+        BigInt(participantIndex),
+        proof.commitment[0],
+        proof.commitment[1],
+        publicKey[0],
+        publicKey[1],
+    ]), babyjubjub.order);
+    const lhs = babyjubjub.scalarMultGen(proof.response);
+    const cPk = babyjubjub.scalarMult(publicKey, challenge);
+    const rhs = babyjubjub.add(proof.commitment, cPk);
+    return babyjubjub.equals(lhs, rhs);
+}
+/**
+ * Verify a share against coefficient commitments.
+ * s*G == sum(C_k * i^k) for k = 0..t-1
+ */
+function verifyShareCommitment(share, senderCommitments, recipientIndex) {
+    const lhs = babyjubjub.scalarMultGen(share);
+    let rhs = babyjubjub.identity;
+    let power = 1n;
+    const idx = BigInt(recipientIndex);
+    for (const commitment of senderCommitments) {
+        const term = babyjubjub.scalarMult(commitment, power);
+        rhs = babyjubjub.add(rhs, term);
+        power = modMul(power, idx, babyjubjub.order);
+    }
+    return babyjubjub.equals(lhs, rhs);
+}
+/**
+ * Round 1: Generate polynomial, coefficient commitments, and Schnorr PoK.
+ */
+export function dkgRound1(config, participantIndex) {
+    const coefficients = [];
+    for (let i = 0; i < config.threshold; i++) {
+        coefficients.push(randomScalar());
+    }
+    return dkgRound1WithCoefficients(config, participantIndex, coefficients);
+}
+/**
+ * Round 1 from deterministic seed: derive coefficients via HKDF.
+ */
+export function dkgRound1FromSeed(config, participantIndex, seed) {
+    const coefficients = [];
+    for (let i = 0; i < config.threshold; i++) {
+        const info = new TextEncoder().encode(`frost-dkg-coeff-${i}`);
+        const derived = hkdf(sha256, seed, undefined, info, 32);
+        coefficients.push(mod(bytesToBigint(derived), babyjubjub.order));
+    }
+    return dkgRound1WithCoefficients(config, participantIndex, coefficients);
+}
+/**
+ * Shared Round 1 logic given coefficients.
+ */
+function dkgRound1WithCoefficients(_config, participantIndex, coefficients) {
+    const commitments = coefficients.map((c) => babyjubjub.scalarMultGen(c));
+    const proof = generateSchnorrProof(participantIndex, coefficients[0], commitments[0]);
+    return {
+        secret: { participantIndex, coefficients },
+        package: {
+            participantIndex,
+            coefficientCommitments: commitments,
+            proof,
+        },
+    };
+}
+/**
+ * Round 2: Verify PoK proofs, evaluate polynomial at peers, encrypt shares.
+ */
+export function dkgRound2(secret, allRound1Packages, viewingKeyPair) {
+    // Verify all PoK proofs
+    for (const pkg of allRound1Packages) {
+        if (pkg.participantIndex === secret.participantIndex)
+            continue;
+        const pk = pkg.coefficientCommitments[0];
+        if (!verifySchnorrProof(pkg.participantIndex, pk, pkg.proof)) {
+            throw new Error(`Invalid proof of knowledge from participant ${pkg.participantIndex}`);
+        }
+    }
+    // Evaluate polynomial at each other participant and encrypt
+    const encryptedShares = [];
+    let encryptedViewingKeys;
+    // If viewingKeyPair provided, prepare the 64-byte payload
+    let vkPayload;
+    if (viewingKeyPair) {
+        vkPayload = new Uint8Array(64);
+        vkPayload.set(viewingKeyPair.privateKey, 0);
+        vkPayload.set(viewingKeyPair.pubkey, 32);
+        encryptedViewingKeys = [];
+    }
+    for (const pkg of allRound1Packages) {
+        if (pkg.participantIndex === secret.participantIndex)
+            continue;
+        const shareValue = evaluatePolynomial(secret.coefficients, BigInt(pkg.participantIndex));
+        // ECDH: use own a_i0 as private key, recipient's C_j0 as public key
+        const recipientPk = pkg.coefficientCommitments[0];
+        const sharedPoint = ecdhSharedSecret(secret.coefficients[0], recipientPk);
+        const symKey = deriveSymmetricKey(sharedPoint);
+        const { ciphertext, nonce } = encryptShare(shareValue, symKey);
+        encryptedShares.push({
+            fromIndex: secret.participantIndex,
+            toIndex: pkg.participantIndex,
+            ciphertext,
+            nonce,
+        });
+        // Encrypt viewing key for this peer using the same ECDH channel
+        if (vkPayload && encryptedViewingKeys) {
+            const evk = encryptBytes(vkPayload, symKey);
+            encryptedViewingKeys.push({
+                toIndex: pkg.participantIndex,
+                ciphertext: evk.ciphertext,
+                nonce: evk.nonce,
+            });
+        }
+    }
+    return {
+        participantIndex: secret.participantIndex,
+        encryptedShares,
+        encryptedViewingKeys,
+    };
+}
+/**
+ * Finalize DKG: decrypt shares, verify against commitments,
+ * compute secret share and group public key.
+ */
+export function dkgFinalize(secret, allRound1Packages, allRound2Packages, viewingKeyPair) {
+    const n = babyjubjub.order;
+    const myIndex = secret.participantIndex;
+    // Start with own polynomial evaluation at own index
+    let secretShare = evaluatePolynomial(secret.coefficients, BigInt(myIndex));
+    // Track decrypted viewing key from creator's round 2 package
+    let decryptedViewingKeyPair = viewingKeyPair;
+    // Decrypt and verify shares from each other participant
+    for (const round2Pkg of allRound2Packages) {
+        if (round2Pkg.participantIndex === myIndex)
+            continue;
+        const encShare = round2Pkg.encryptedShares.find((s) => s.toIndex === myIndex);
+        if (!encShare) {
+            throw new Error(`No share from participant ${round2Pkg.participantIndex} for participant ${myIndex}`);
+        }
+        // Decrypt using ECDH: own a_i0 as private, sender's C_j0 as public
+        const senderPkg = allRound1Packages.find((p) => p.participantIndex === round2Pkg.participantIndex);
+        const senderPk = senderPkg.coefficientCommitments[0];
+        const sharedPoint = ecdhSharedSecret(secret.coefficients[0], senderPk);
+        const symKey = deriveSymmetricKey(sharedPoint);
+        let decryptedShare;
+        try {
+            decryptedShare = decryptShare(encShare.ciphertext, encShare.nonce, symKey);
+        }
+        catch {
+            throw new Error(`Failed to decrypt share from participant ${round2Pkg.participantIndex}`);
+        }
+        // Verify against commitments: s*G == sum(C_k * i^k)
+        if (!verifyShareCommitment(decryptedShare, senderPkg.coefficientCommitments, myIndex)) {
+            throw new Error(`Invalid share from participant ${round2Pkg.participantIndex}: commitment verification failed`);
+        }
+        // Accumulate into secret share
+        secretShare = modAdd(secretShare, decryptedShare, n);
+        // Decrypt viewing key if present in this round 2 package
+        if (!decryptedViewingKeyPair && round2Pkg.encryptedViewingKeys) {
+            const evk = round2Pkg.encryptedViewingKeys.find((k) => k.toIndex === myIndex);
+            if (evk) {
+                const payload = decryptBytes(evk.ciphertext, evk.nonce, symKey);
+                decryptedViewingKeyPair = {
+                    privateKey: payload.slice(0, 32),
+                    pubkey: payload.slice(32, 64),
+                };
+            }
+        }
+    }
+    // Compute verification share
+    const verificationShare = babyjubjub.scalarMultGen(secretShare);
+    // Compute group public key: Y = sum(C_j0) for all j
+    let groupPublicKey = babyjubjub.identity;
+    for (const pkg of allRound1Packages) {
+        groupPublicKey = babyjubjub.add(groupPublicKey, pkg.coefficientCommitments[0]);
+    }
+    // Collect coefficient commitments
+    const coefficientCommitments = new Map();
+    for (const pkg of allRound1Packages) {
+        coefficientCommitments.set(pkg.participantIndex, pkg.coefficientCommitments);
+    }
+    return {
+        keyShare: {
+            participantIndex: myIndex,
+            secretShare,
+            verificationShare,
+        },
+        groupPublicKey,
+        coefficientCommitments,
+        viewingKeyPair: decryptedViewingKeyPair,
+    };
+}

package/dist/src/frost/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * FROST threshold signatures for BabyJubJub EdDSA.
+ *
+ * This module provides m-of-n threshold signing using the FROST protocol
+ * (RFC 9591) adapted for BabyJubJub curve with Poseidon hash.
+ */
+export * from "./types.js";
+export * from "./curve.js";
+export * from "./crypto.js";
+export * from "./dkg.js";
+export * from "./signing.js";
+export * from "./serialization.js";
+export * from "./coordinator.js";
+export * from "./account.js";
+export * from "./listener.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/src/frost/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/frost/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC;AAC7B,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,cAAc,CAAC;AAC7B,cAAc,eAAe,CAAC"}

package/dist/src/frost/index.js

@@ -0,0 +1,15 @@
+/**
+ * FROST threshold signatures for BabyJubJub EdDSA.
+ *
+ * This module provides m-of-n threshold signing using the FROST protocol
+ * (RFC 9591) adapted for BabyJubJub curve with Poseidon hash.
+ */
+export * from "./types.js";
+export * from "./curve.js";
+export * from "./crypto.js";
+export * from "./dkg.js";
+export * from "./signing.js";
+export * from "./serialization.js";
+export * from "./coordinator.js";
+export * from "./account.js";
+export * from "./listener.js";

package/dist/src/frost/listener.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Signing listener — polls for new signing sessions and auto-joins them.
+ *
+ * Co-signers run this to automatically participate in FROST signing
+ * sessions created by the initiator's reusable signer.
+ */
+import type { MultisigAccount } from "./types.js";
+export type SigningListenerParams = {
+    account: MultisigAccount;
+    /** Abort to stop the listener loop. */
+    signal?: AbortSignal;
+    /** Called when a new session is discovered. */
+    onSession?: (session: {
+        code: string;
+        message: bigint;
+    }) => void;
+    /** Called when signing a session fails. Return true to continue, false to stop. */
+    onError?: (error: unknown, session: {
+        code: string;
+        message: bigint;
+    }) => boolean;
+    /** Polling interval in ms (default 1000). */
+    pollIntervalMs?: number;
+};
+/**
+ * Poll for signing sessions targeting this account's group and co-sign them.
+ *
+ * Runs until the AbortSignal fires or an unrecoverable error occurs.
+ */
+export declare function runSigningListener(params: SigningListenerParams): Promise<void>;
+//# sourceMappingURL=listener.d.ts.map

package/dist/src/frost/listener.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"listener.d.ts","sourceRoot":"","sources":["../../../src/frost/listener.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,MAAM,qBAAqB,GAAG;IAClC,OAAO,EAAE,eAAe,CAAC;IACzB,uCAAuC;IACvC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,+CAA+C;IAC/C,SAAS,CAAC,EAAE,CAAC,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IACjE,mFAAmF;IACnF,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,OAAO,EACd,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,KACvC,OAAO,CAAC;IACb,6CAA6C;IAC7C,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAEF;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,qBAAqB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAqDf"}

package/dist/src/frost/listener.js

@@ -0,0 +1,65 @@
+/**
+ * Signing listener — polls for new signing sessions and auto-joins them.
+ *
+ * Co-signers run this to automatically participate in FROST signing
+ * sessions created by the initiator's reusable signer.
+ */
+import { signMultisig } from "./account.js";
+import { FrostCoordinator } from "./coordinator.js";
+/**
+ * Poll for signing sessions targeting this account's group and co-sign them.
+ *
+ * Runs until the AbortSignal fires or an unrecoverable error occurs.
+ */
+export async function runSigningListener(params) {
+    const { account, signal, onSession, onError } = params;
+    const pollIntervalMs = params.pollIntervalMs ?? 1000;
+    const coordinator = new FrostCoordinator({
+        baseUrl: `${account.gatewayUrl.replace(/\/$/, "")}/frost`,
+        pollIntervalMs,
+    });
+    const seen = new Set();
+    while (!signal?.aborted) {
+        try {
+            const sessions = await coordinator.listSigningSessions(account.groupId);
+            const ordered = [...sessions].reverse();
+            for (const session of ordered) {
+                if (seen.has(session.code))
+                    continue;
+                if (!session.participants.includes(account.participantIndex))
+                    continue;
+                if (session.status !== "waiting_for_commitments") {
+                    // Signing is non-idempotent and resumability is not supported.
+                    // Skip stale phases to avoid repeatedly attempting hopeless sessions.
+                    seen.add(session.code);
+                    continue;
+                }
+                // Mark as seen BEFORE signing — FROST signing is non-idempotent
+                // (nonce published on submitCommitment), so retrying is never safe.
+                seen.add(session.code);
+                const info = { code: session.code, message: session.message };
+                onSession?.(info);
+                try {
+                    await signMultisig({
+                        account,
+                        message: session.message,
+                        signingSessionCode: session.code,
+                    });
+                }
+                catch (err) {
+                    const shouldContinue = onError?.(err, info) ?? true;
+                    if (!shouldContinue)
+                        return;
+                }
+            }
+        }
+        catch (err) {
+            // Poll-level errors (e.g. coordinator unreachable) should not kill
+            // the listener — report via onError and continue the loop.
+            const shouldContinue = onError?.(err, { code: "", message: 0n }) ?? true;
+            if (!shouldContinue)
+                return;
+        }
+        await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+    }
+}

package/dist/src/frost/mock-coordinator.d.ts

@@ -0,0 +1,11 @@
+/**
+ * In-memory mock of the frost HTTP server for tests.
+ *
+ * Implements the same state machine as `backend/frost/src/state.rs`
+ * without requiring a Rust toolchain.
+ */
+export declare function startMockCoordinator(): Promise<{
+    url: string;
+    close: () => Promise<void>;
+}>;
+//# sourceMappingURL=mock-coordinator.d.ts.map

package/dist/src/frost/mock-coordinator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mock-coordinator.d.ts","sourceRoot":"","sources":["../../../src/frost/mock-coordinator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAmDH,wBAAsB,oBAAoB,IAAI,OAAO,CAAC;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B,CAAC,CAiRD"}