npm - @verbeth/sdk - Versions diffs - 0.1.4 → 0.1.6 - Mend

@verbeth/sdk 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (190) hide show

package/README.md +20 -168
package/dist/esm/src/addresses.d.ts +20 -0
package/dist/esm/src/addresses.d.ts.map +1 -0
package/dist/esm/src/addresses.js +33 -0
package/dist/esm/src/client/HsrTagIndex.d.ts +77 -0
package/dist/esm/src/client/HsrTagIndex.d.ts.map +1 -0
package/dist/esm/src/client/HsrTagIndex.js +157 -0
package/dist/esm/src/client/PendingManager.d.ts +65 -0
package/dist/esm/src/client/PendingManager.d.ts.map +1 -0
package/dist/esm/src/client/PendingManager.js +84 -0
package/dist/esm/src/client/SessionManager.d.ts +65 -0
package/dist/esm/src/client/SessionManager.d.ts.map +1 -0
package/dist/esm/src/client/SessionManager.js +146 -0
package/dist/esm/src/client/VerbethClient.d.ts +153 -99
package/dist/esm/src/client/VerbethClient.d.ts.map +1 -1
package/dist/esm/src/client/VerbethClient.js +429 -123
package/dist/esm/src/client/VerbethClientBuilder.d.ts +105 -0
package/dist/esm/src/client/VerbethClientBuilder.d.ts.map +1 -0
package/dist/esm/src/client/VerbethClientBuilder.js +146 -0
package/dist/esm/src/client/hsrMatcher.d.ts +22 -0
package/dist/esm/src/client/hsrMatcher.d.ts.map +1 -0
package/dist/esm/src/client/hsrMatcher.js +31 -0
package/dist/esm/src/client/index.d.ts +6 -1
package/dist/esm/src/client/index.d.ts.map +1 -1
package/dist/esm/src/client/index.js +2 -0
package/dist/esm/src/client/types.d.ts +151 -10
package/dist/esm/src/client/types.d.ts.map +1 -1
package/dist/esm/src/crypto(old).d.ts +46 -0
package/dist/esm/src/crypto(old).d.ts.map +1 -0
package/dist/esm/src/crypto(old).js +137 -0
package/dist/esm/src/crypto.d.ts +7 -29
package/dist/esm/src/crypto.d.ts.map +1 -1
package/dist/esm/src/crypto.js +36 -72
package/dist/esm/src/executor.d.ts +17 -18
package/dist/esm/src/executor.d.ts.map +1 -1
package/dist/esm/src/executor.js +54 -70
package/dist/esm/src/handshake.d.ts +51 -0
package/dist/esm/src/handshake.d.ts.map +1 -0
package/dist/esm/src/handshake.js +105 -0
package/dist/esm/src/identity.d.ts +24 -18
package/dist/esm/src/identity.d.ts.map +1 -1
package/dist/esm/src/identity.js +126 -31
package/dist/esm/src/index.d.ts +11 -7
package/dist/esm/src/index.d.ts.map +1 -1
package/dist/esm/src/index.js +10 -7
package/dist/esm/src/payload.d.ts +3 -30
package/dist/esm/src/payload.d.ts.map +1 -1
package/dist/esm/src/payload.js +3 -77
package/dist/esm/src/pq/kem.d.ts +33 -0
package/dist/esm/src/pq/kem.d.ts.map +1 -0
package/dist/esm/src/pq/kem.js +40 -0
package/dist/esm/src/ratchet/auth.d.ts +34 -0
package/dist/esm/src/ratchet/auth.d.ts.map +1 -0
package/dist/esm/src/ratchet/auth.js +88 -0
package/dist/esm/src/ratchet/codec.d.ts +52 -0
package/dist/esm/src/ratchet/codec.d.ts.map +1 -0
package/dist/esm/src/ratchet/codec.js +127 -0
package/dist/esm/src/ratchet/decrypt.d.ts +28 -0
package/dist/esm/src/ratchet/decrypt.d.ts.map +1 -0
package/dist/esm/src/ratchet/decrypt.js +255 -0
package/dist/esm/src/ratchet/encrypt.d.ts +17 -0
package/dist/esm/src/ratchet/encrypt.d.ts.map +1 -0
package/dist/esm/src/ratchet/encrypt.js +78 -0
package/dist/esm/src/ratchet/index.d.ts +8 -0
package/dist/esm/src/ratchet/index.d.ts.map +1 -0
package/dist/esm/src/ratchet/index.js +8 -0
package/dist/esm/src/ratchet/kdf.d.ts +60 -0
package/dist/esm/src/ratchet/kdf.d.ts.map +1 -0
package/dist/esm/src/ratchet/kdf.js +91 -0
package/dist/esm/src/ratchet/session.d.ts +43 -0
package/dist/esm/src/ratchet/session.d.ts.map +1 -0
package/dist/esm/src/ratchet/session.js +139 -0
package/dist/esm/src/ratchet/types.d.ts +168 -0
package/dist/esm/src/ratchet/types.d.ts.map +1 -0
package/dist/esm/src/ratchet/types.js +27 -0
package/dist/esm/src/safeSessionSigner.d.ts +35 -0
package/dist/esm/src/safeSessionSigner.d.ts.map +1 -0
package/dist/esm/src/safeSessionSigner.js +59 -0
package/dist/esm/src/send.d.ts +32 -24
package/dist/esm/src/send.d.ts.map +1 -1
package/dist/esm/src/send.js +84 -39
package/dist/esm/src/types.d.ts +8 -13
package/dist/esm/src/types.d.ts.map +1 -1
package/dist/esm/src/utils/safeSessionSigner.d.ts +23 -0
package/dist/esm/src/utils/safeSessionSigner.d.ts.map +1 -0
package/dist/esm/src/utils/safeSessionSigner.js +59 -0
package/dist/esm/src/utils/txQueue.d.ts +12 -0
package/dist/esm/src/utils/txQueue.d.ts.map +1 -0
package/dist/esm/src/utils/txQueue.js +25 -0
package/dist/esm/src/utils.d.ts +2 -3
package/dist/esm/src/utils.d.ts.map +1 -1
package/dist/esm/src/utils.js +5 -5
package/dist/esm/src/verify.d.ts +9 -25
package/dist/esm/src/verify.d.ts.map +1 -1
package/dist/esm/src/verify.js +49 -50
package/dist/src/addresses.d.ts +20 -0
package/dist/src/addresses.d.ts.map +1 -0
package/dist/src/addresses.js +33 -0
package/dist/src/client/HsrTagIndex.d.ts +77 -0
package/dist/src/client/HsrTagIndex.d.ts.map +1 -0
package/dist/src/client/HsrTagIndex.js +157 -0
package/dist/src/client/PendingManager.d.ts +65 -0
package/dist/src/client/PendingManager.d.ts.map +1 -0
package/dist/src/client/PendingManager.js +84 -0
package/dist/src/client/SessionManager.d.ts +65 -0
package/dist/src/client/SessionManager.d.ts.map +1 -0
package/dist/src/client/SessionManager.js +146 -0
package/dist/src/client/VerbethClient.d.ts +153 -99
package/dist/src/client/VerbethClient.d.ts.map +1 -1
package/dist/src/client/VerbethClient.js +429 -123
package/dist/src/client/VerbethClientBuilder.d.ts +105 -0
package/dist/src/client/VerbethClientBuilder.d.ts.map +1 -0
package/dist/src/client/VerbethClientBuilder.js +146 -0
package/dist/src/client/hsrMatcher.d.ts +22 -0
package/dist/src/client/hsrMatcher.d.ts.map +1 -0
package/dist/src/client/hsrMatcher.js +31 -0
package/dist/src/client/index.d.ts +6 -1
package/dist/src/client/index.d.ts.map +1 -1
package/dist/src/client/index.js +2 -0
package/dist/src/client/types.d.ts +151 -10
package/dist/src/client/types.d.ts.map +1 -1
package/dist/src/crypto(old).d.ts +46 -0
package/dist/src/crypto(old).d.ts.map +1 -0
package/dist/src/crypto(old).js +137 -0
package/dist/src/crypto.d.ts +7 -29
package/dist/src/crypto.d.ts.map +1 -1
package/dist/src/crypto.js +36 -72
package/dist/src/executor.d.ts +17 -18
package/dist/src/executor.d.ts.map +1 -1
package/dist/src/executor.js +54 -70
package/dist/src/handshake.d.ts +51 -0
package/dist/src/handshake.d.ts.map +1 -0
package/dist/src/handshake.js +105 -0
package/dist/src/identity.d.ts +24 -18
package/dist/src/identity.d.ts.map +1 -1
package/dist/src/identity.js +126 -31
package/dist/src/index.d.ts +11 -7
package/dist/src/index.d.ts.map +1 -1
package/dist/src/index.js +10 -7
package/dist/src/payload.d.ts +3 -30
package/dist/src/payload.d.ts.map +1 -1
package/dist/src/payload.js +3 -77
package/dist/src/pq/kem.d.ts +33 -0
package/dist/src/pq/kem.d.ts.map +1 -0
package/dist/src/pq/kem.js +40 -0
package/dist/src/ratchet/auth.d.ts +34 -0
package/dist/src/ratchet/auth.d.ts.map +1 -0
package/dist/src/ratchet/auth.js +88 -0
package/dist/src/ratchet/codec.d.ts +52 -0
package/dist/src/ratchet/codec.d.ts.map +1 -0
package/dist/src/ratchet/codec.js +127 -0
package/dist/src/ratchet/decrypt.d.ts +28 -0
package/dist/src/ratchet/decrypt.d.ts.map +1 -0
package/dist/src/ratchet/decrypt.js +255 -0
package/dist/src/ratchet/encrypt.d.ts +17 -0
package/dist/src/ratchet/encrypt.d.ts.map +1 -0
package/dist/src/ratchet/encrypt.js +78 -0
package/dist/src/ratchet/index.d.ts +8 -0
package/dist/src/ratchet/index.d.ts.map +1 -0
package/dist/src/ratchet/index.js +8 -0
package/dist/src/ratchet/kdf.d.ts +60 -0
package/dist/src/ratchet/kdf.d.ts.map +1 -0
package/dist/src/ratchet/kdf.js +91 -0
package/dist/src/ratchet/session.d.ts +43 -0
package/dist/src/ratchet/session.d.ts.map +1 -0
package/dist/src/ratchet/session.js +139 -0
package/dist/src/ratchet/types.d.ts +168 -0
package/dist/src/ratchet/types.d.ts.map +1 -0
package/dist/src/ratchet/types.js +27 -0
package/dist/src/safeSessionSigner.d.ts +35 -0
package/dist/src/safeSessionSigner.d.ts.map +1 -0
package/dist/src/safeSessionSigner.js +59 -0
package/dist/src/send.d.ts +32 -24
package/dist/src/send.d.ts.map +1 -1
package/dist/src/send.js +84 -39
package/dist/src/types.d.ts +8 -13
package/dist/src/types.d.ts.map +1 -1
package/dist/src/utils/safeSessionSigner.d.ts +23 -0
package/dist/src/utils/safeSessionSigner.d.ts.map +1 -0
package/dist/src/utils/safeSessionSigner.js +59 -0
package/dist/src/utils/txQueue.d.ts +12 -0
package/dist/src/utils/txQueue.d.ts.map +1 -0
package/dist/src/utils/txQueue.js +25 -0
package/dist/src/utils.d.ts +2 -3
package/dist/src/utils.d.ts.map +1 -1
package/dist/src/utils.js +5 -5
package/dist/src/verify.d.ts +9 -25
package/dist/src/verify.d.ts.map +1 -1
package/dist/src/verify.js +49 -50
package/package.json +2 -1

package/dist/esm/src/send.js CHANGED Viewed

@@ -1,33 +1,26 @@
 // packages/sdk/src/send.ts
 import { keccak256, toUtf8Bytes, hexlify, getBytes } from "ethers";
 import nacl from 'tweetnacl';
-import { getNextNonce } from './utils/nonce.js';
-import { encryptMessage, encryptStructuredPayload, deriveDuplexTopics } from './crypto.js';
+import { encryptStructuredPayload } from './crypto.js';
 import { serializeHandshakeContent, encodeUnifiedPubKeys, createHandshakeResponseContent, } from './payload.js';
-import { computeTagFromResponder } from './crypto.js';
-/**
- * Sends an encrypted message assuming recipient's keys were already obtained via handshake.
- * Executor-agnostic: works with EOA, UserOp, and Direct EntryPoint (for tests)
- */
-export async function sendEncryptedMessage({ executor, topic, message, recipientPubKey, senderAddress, senderSignKeyPair, timestamp }) {
-    if (!executor) {
-        throw new Error("Executor must be provided");
-    }
-    const ephemeralKeyPair = nacl.box.keyPair();
-    const ciphertext = encryptMessage(message, recipientPubKey, // X25519 for encryption
-    ephemeralKeyPair.secretKey, ephemeralKeyPair.publicKey, senderSignKeyPair.secretKey, // Ed25519 for signing
-    senderSignKeyPair.publicKey);
-    const nonce = getNextNonce(senderAddress, topic);
-    return executor.sendMessage(toUtf8Bytes(ciphertext), topic, timestamp, nonce);
-}
+import { computeHybridTagFromResponder } from './crypto.js';
+import { kem } from './pq/kem.js';
 /**
  * Initiates an on-chain handshake with unified keys and mandatory identity proof.
  * Executor-agnostic: works with EOA, UserOp, and Direct EntryPoint (for tests)
+ *
+ * Includes ML-KEM-768 public key for post-quantum hybrid key exchange.
+ *
+ * @returns Transaction, ephemeral keypair, and KEM keypair (MUST be persisted for session init)
  */
-export async function initiateHandshake({ executor, recipientAddress, identityKeyPair, ephemeralPubKey, plaintextPayload, identityProof, signer }) {
+export async function initiateHandshake({ executor, recipientAddress, identityKeyPair, plaintextPayload, identityProof, }) {
     if (!executor) {
         throw new Error("Executor must be provided");
     }
+    // Generate ephemeral keypair for this handshake
+    const ephemeralKeyPair = nacl.box.keyPair();
+    // Generate ML-KEM-768 keypair for PQ-hybrid key exchange
+    const kemKeyPair = kem.generateKeyPair();
     const recipientHash = keccak256(toUtf8Bytes('contact:' + recipientAddress.toLowerCase()));
     const handshakeContent = {
         plaintextPayload,
@@ -38,38 +31,90 @@ export async function initiateHandshake({ executor, recipientAddress, identityKe
     const unifiedPubKeys = encodeUnifiedPubKeys(identityKeyPair.publicKey, // X25519 for encryption
     identityKeyPair.signingPublicKey // Ed25519 for signing
     );
-    return await executor.initiateHandshake(recipientHash, hexlify(unifiedPubKeys), hexlify(ephemeralPubKey), toUtf8Bytes(serializedPayload));
+    // Ephemeral public key now includes KEM public key (32 + 1184 = 1216 bytes)
+    const ephemeralWithKem = new Uint8Array(32 + kem.publicKeyBytes);
+    ephemeralWithKem.set(ephemeralKeyPair.publicKey, 0);
+    ephemeralWithKem.set(kemKeyPair.publicKey, 32);
+    const tx = await executor.initiateHandshake(recipientHash, hexlify(unifiedPubKeys), hexlify(ephemeralWithKem), toUtf8Bytes(serializedPayload));
+    return {
+        tx,
+        ephemeralKeyPair, // Caller MUST persist secretKey for ratchet session init
+        kemKeyPair, // Caller MUST also persist secretKey for KEM decapsulation
+    };
 }
 /**
  * Responds to a handshake with unified keys and mandatory identity proof.
  * Executor-agnostic: works with EOA, UserOp, and Direct EntryPoint (for tests)
+ *
+ * Supports PQ-hybrid handshake: if initiator includes KEM public key,
+ * encapsulates a shared secret and includes ciphertext in response.
+ *
+ * @returns Transaction, tag, salt, ephemeral keys, and KEM secret
  */
-export async function respondToHandshake({ executor, initiatorPubKey, // X25519 key from initiator (ephemeral)
-responderIdentityKeyPair, responderEphemeralKeyPair, note, identityProof, signer, initiatorIdentityPubKey, }) {
+export async function respondToHandshake({ executor, initiatorEphemeralPubKey, responderIdentityKeyPair, note, identityProof, }) {
     if (!executor) {
         throw new Error("Executor must be provided");
     }
-    const ephemeralKeyPair = responderEphemeralKeyPair || nacl.box.keyPair();
-    // Generate a separate ephemeral key (R,r) just for the tag
+    // =========================================================================
+    // TWO SEPARATE KEYPAIRS for unlinkability:
+    //
+    // 1. tagKeyPair (R, r): ONLY for tag computation
+    //    - R goes on-chain as responderEphemeralR
+    //    - Used by Alice to verify the tag
+    //    - NOT used for ratchet
+    //
+    // 2. ratchetKeyPair: For post-handshake encryption and first DH ratchet key
+    //    - Public key goes INSIDE encrypted payload (not on-chain)
+    //    - Becomes dhMySecretKey/dhMyPublicKey in ratchet session
+    //
+    // Why this matters: With a single keypair, the on-chain R would equal the
+    // first message's DH header, allowing observers to link HandshakeResponse
+    // to subsequent conversation. With two keypairs, there's no on-chain link.
+    // =========================================================================
+    // Keypair for tag computation - R goes on-chain
     const tagKeyPair = nacl.box.keyPair();
-    const inResponseTo = computeTagFromResponder(tagKeyPair.secretKey, initiatorPubKey);
-    const salt = getBytes(inResponseTo); // for topics HKDF
-    let topicInfo = undefined;
-    if (initiatorIdentityPubKey) {
-        const { topicOut, topicIn, checksum } = deriveDuplexTopics(responderIdentityKeyPair.secretKey, initiatorIdentityPubKey, salt);
-        topicInfo = { out: topicOut, in: topicIn, chk: checksum };
+    // Keypair for ratchet - public key is HIDDEN inside encrypted payload
+    const ratchetKeyPair = nacl.box.keyPair();
+    // Check if initiator included KEM public key (extended format: 32 + 1184 = 1216 bytes)
+    const hasKem = initiatorEphemeralPubKey.length === 32 + kem.publicKeyBytes;
+    // Extract X25519 ephemeral key (first 32 bytes)
+    const initiatorX25519Pub = hasKem
+        ? initiatorEphemeralPubKey.slice(0, 32)
+        : initiatorEphemeralPubKey;
+    // KEM encapsulation FIRST (needed for hybrid tag)
+    let kemCiphertext;
+    let kemSharedSecret;
+    if (hasKem) {
+        const initiatorKemPub = initiatorEphemeralPubKey.slice(32, 32 + kem.publicKeyBytes);
+        const { ciphertext, sharedSecret } = kem.encapsulate(initiatorKemPub);
+        kemCiphertext = ciphertext;
+        kemSharedSecret = sharedSecret;
+    }
+    if (!kemSharedSecret) {
+        throw new Error("KEM is required for PQ-secure handshake");
     }
-    const responseContent = createHandshakeResponseContent(responderIdentityKeyPair.publicKey, // X25519
-    responderIdentityKeyPair.signingPublicKey, // Ed25519
-    ephemeralKeyPair.publicKey, note, identityProof, topicInfo);
-    // Encrypt the response for the initiator
-    const payload = encryptStructuredPayload(responseContent, initiatorPubKey, // Encrypt to initiator's X25519 (ephemeral) key
-    ephemeralKeyPair.secretKey, ephemeralKeyPair.publicKey);
-    // Execute the transaction
-    const tx = await executor.respondToHandshake(inResponseTo, hexlify(tagKeyPair.publicKey), toUtf8Bytes(payload));
+    // Hybrid tag: combines ECDH(r, viewPubA) + kemSecret
+    const inResponseTo = computeHybridTagFromResponder(tagKeyPair.secretKey, initiatorX25519Pub, kemSharedSecret);
+    const salt = getBytes(inResponseTo);
+    // Response content includes ratchetKeyPair.publicKey (hidden inside encrypted payload)
+    // and includes kemCiphertext for PQ-hybrid handshake
+    const responseContent = createHandshakeResponseContent(responderIdentityKeyPair.publicKey, // X25519 identity
+    responderIdentityKeyPair.signingPublicKey, // Ed25519 signing
+    ratchetKeyPair.publicKey, // First DH ratchet key (INSIDE payload)
+    note, identityProof, kemCiphertext);
+    // Encrypt using ratchetKeyPair (the epk in encrypted payload = ratchetKeyPair.publicKey)
+    const payload = encryptStructuredPayload(responseContent, initiatorX25519Pub, ratchetKeyPair.secretKey, ratchetKeyPair.publicKey);
+    // Execute transaction - tagKeyPair.publicKey goes on-chain (NOT ratchetKeyPair)
+    const tx = await executor.respondToHandshake(inResponseTo, hexlify(tagKeyPair.publicKey), // Tag key on-chain for tag verification
+    toUtf8Bytes(payload));
     return {
         tx,
         salt,
-        tag: inResponseTo
+        tag: inResponseTo,
+        // Return RATCHET keys (not tag keys) for session initialization
+        // These are DIFFERENT from the on-chain responderEphemeralR
+        responderEphemeralSecret: ratchetKeyPair.secretKey,
+        responderEphemeralPublic: ratchetKeyPair.publicKey,
+        kemSharedSecret,
     };
 }

package/dist/esm/src/types.d.ts CHANGED Viewed

@@ -18,25 +18,20 @@ export interface HandshakeResponseLog {
     responderEphemeralR: string;
     ciphertext: string;
 }
-export interface DuplexTopics {
-    /** Initiator → Responder */
-    topicOut: `0x${string}`;
-    /** Responder → Initiator */
-    topicIn: `0x${string}`;
-}
-/** Formato compatto per invio via HSR cifrata */
-export interface TopicInfoWire {
-    out: `0x${string}`;
-    in: `0x${string}`;
-    /** checksum corto per conferma (8 byte, hex) */
-    chk: `0x${string}`;
-}
 export interface IdentityKeyPair {
     publicKey: Uint8Array;
     secretKey: Uint8Array;
     signingPublicKey: Uint8Array;
     signingSecretKey: Uint8Array;
 }
+/**
+ * Context used to domain separate identity derivation and proof verification.
+ * rpId should be the dapp origin host (eg example.com) or a stable app id.
+ */
+export interface IdentityContext {
+    chainId?: number;
+    rpId?: string;
+}
 export interface IdentityProof {
     message: string;
     signature: string;

package/dist/esm/src/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACpB;~~AAGD~~,MAAM,WAAW,~~YAAY~~;~~IAC3B~~,~~4BAA4B;IAC5B~~,~~QAAQ,~~EAAE,~~KAAK~~,~~MAAM,EAAE,~~CAAC;~~IACxB~~,~~4BAA4B;IAC5B~~,~~OAAO,~~EAAE,~~KAAK~~,~~MAAM,EAAE,~~CAAC;~~CACxB;AAED~~,~~iDAAiD;AACjD~~,~~MAAM,WAAW,aAAa;IAC5B,GAAG,~~EAAE,~~KAAK~~,~~MAAM,EAAE,~~CAAC;~~IACnB~~,~~EAAE~~,EAAE,~~KAAK~~,~~MAAM,EAAE,~~CAAC;~~IAClB,gDAAgD~~;~~IAChD,GAAG,EAAE,KAAK,MAAM,EAAE,CAAC~~;~~CACpB;AAGD~~,MAAM,WAAW,eAAe;~~IAE9B~~,~~SAAS~~,~~EAAE,UAAU,~~CAAC~~;IACtB~~,~~SAAS,~~EAAE,~~UAAU~~,CAAC;~~IAEtB~~,~~gBAAgB~~,~~EAAE,UAAU,~~CAAC~~;IAC7B~~,~~gBAAgB,~~EAAE,~~UAAU~~,CAAC;~~CAC9B~~;~~AAGD~~,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,MAAM,mBAAmB,GAAG,OAAO,kBAAkB,SAAS,MAAM,GACtE,SAAS,GACT,SAAS,CAAC;AAEd,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,SAAU,SAAQ,UAAU;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,SAAU,SAAQ,UAAU;IAC3C;;OAEG;IACH,gBAAgB,EAAE,MAAM,CAAC;IACzB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,MAAM,CAAC;AAC5C,eAAO,MAAM,kBAAkB,EAAE,aAAsB,CAAC"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/types.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAE9B,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;IAEtB,gBAAgB,EAAE,UAAU,CAAC;IAC7B,gBAAgB,EAAE,UAAU,CAAC;CAC9B;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,MAAM,mBAAmB,GAAG,OAAO,kBAAkB,SAAS,MAAM,GACtE,SAAS,GACT,SAAS,CAAC;AAEd,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,SAAU,SAAQ,UAAU;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,SAAU,SAAQ,UAAU;IAC3C;;OAEG;IACH,gBAAgB,EAAE,MAAM,CAAC;IACzB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,MAAM,CAAC;AAC5C,eAAO,MAAM,kBAAkB,EAAE,aAAsB,CAAC"}

package/dist/esm/src/utils/safeSessionSigner.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { AbstractSigner, type Provider, type Signer, type TransactionRequest, type TransactionResponse, type TypedDataDomain, type TypedDataField } from "ethers";
+export interface SafeSessionSignerOptions {
+    provider: Provider;
+    safeAddress: string;
+    moduleAddress: string;
+    verbEthAddress: string;
+    sessionSigner: Signer;
+}
+export declare class SafeSessionSigner extends AbstractSigner {
+    private module;
+    private opts;
+    constructor(opts: SafeSessionSignerOptions);
+    getAddress(): Promise<string>;
+    getSessionSignerAddress(): Promise<string>;
+    isSessionValid(): Promise<boolean>;
+    isTargetAllowed(): Promise<boolean>;
+    signMessage(message: string | Uint8Array): Promise<string>;
+    signTransaction(_tx: TransactionRequest): Promise<string>;
+    signTypedData(domain: TypedDataDomain, types: Record<string, Array<TypedDataField>>, value: Record<string, any>): Promise<string>;
+    sendTransaction(tx: TransactionRequest): Promise<TransactionResponse>;
+    connect(provider: Provider): SafeSessionSigner;
+}
+//# sourceMappingURL=safeSessionSigner.d.ts.map

package/dist/esm/src/utils/safeSessionSigner.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"safeSessionSigner.d.ts","sourceRoot":"","sources":["../../../../src/utils/safeSessionSigner.ts"],"names":[],"mappings":"AACA,OAAO,EACL,cAAc,EAEd,KAAK,QAAQ,EACb,KAAK,MAAM,EACX,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,cAAc,EACpB,MAAM,QAAQ,CAAC;AAEhB,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;CACvB;AASD,qBAAa,iBAAkB,SAAQ,cAAc;IACnD,OAAO,CAAC,MAAM,CAAW;IACzB,OAAO,CAAC,IAAI,CAA2B;gBAE3B,IAAI,EAAE,wBAAwB;IAiB3B,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAItC,uBAAuB,IAAI,OAAO,CAAC,MAAM,CAAC;IAI1C,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAKlC,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IAI1B,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAI1D,eAAe,CAAC,GAAG,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC;IAIzD,aAAa,CAC1B,MAAM,EAAE,eAAe,EACvB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC,EAC5C,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GACzB,OAAO,CAAC,MAAM,CAAC;IAQH,eAAe,CAAC,EAAE,EAAE,kBAAkB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAsB3E,OAAO,CAAC,QAAQ,EAAE,QAAQ,GAAG,iBAAiB;CAGxD"}

package/dist/esm/src/utils/safeSessionSigner.js ADDED Viewed

@@ -0,0 +1,59 @@
+// packages/sdk/src/utils/safeSessionSigner.ts
+import { AbstractSigner, Contract, } from "ethers";
+const MODULE_ABI = [
+    "function execute(address safe, address to, uint256 value, bytes data, uint8 operation) returns (bool)",
+    "function isValidSession(address safe, address signer) view returns (bool)",
+    "function sessionExpiry(address safe, address signer) view returns (uint256)",
+    "function isAllowedTarget(address safe, address target) view returns (bool)",
+];
+export class SafeSessionSigner extends AbstractSigner {
+    constructor(opts) {
+        super(opts.provider);
+        this.opts = opts;
+        if (!opts.sessionSigner.provider) {
+            throw new Error("SafeSessionSigner: sessionSigner must be connected to a Provider.");
+        }
+        this.module = new Contract(opts.moduleAddress, MODULE_ABI, opts.sessionSigner);
+    }
+    async getAddress() {
+        return this.opts.safeAddress;
+    }
+    async getSessionSignerAddress() {
+        return this.opts.sessionSigner.getAddress();
+    }
+    async isSessionValid() {
+        const signerAddr = await this.opts.sessionSigner.getAddress();
+        return this.module.isValidSession(this.opts.safeAddress, signerAddr);
+    }
+    async isTargetAllowed() {
+        return this.module.isAllowedTarget(this.opts.safeAddress, this.opts.verbEthAddress);
+    }
+    async signMessage(message) {
+        return this.opts.sessionSigner.signMessage(message);
+    }
+    async signTransaction(_tx) {
+        throw new Error("SafeSessionSigner: use sendTransaction() instead.");
+    }
+    async signTypedData(domain, types, value) {
+        const anySigner = this.opts.sessionSigner;
+        if (typeof anySigner.signTypedData === "function") {
+            return anySigner.signTypedData(domain, types, value);
+        }
+        throw new Error("SafeSessionSigner: signTypedData not supported.");
+    }
+    async sendTransaction(tx) {
+        if (!tx.to)
+            throw new Error("SafeSessionSigner: tx.to required");
+        const to = String(tx.to).toLowerCase();
+        const verbEth = this.opts.verbEthAddress.toLowerCase();
+        if (to !== verbEth) {
+            throw new Error(`SafeSessionSigner: only verbEth txs allowed. Got ${tx.to}`);
+        }
+        const data = tx.data ?? "0x";
+        // execute(safe, to, value, data, operation)
+        return this.module.execute(this.opts.safeAddress, this.opts.verbEthAddress, 0n, data, 0);
+    }
+    connect(provider) {
+        return new SafeSessionSigner({ ...this.opts, provider });
+    }
+}

package/dist/esm/src/utils/txQueue.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Execute a transaction function with queue serialization.
+ *
+ * Ensures transactions from the same sender are submitted sequentially,
+ * preventing "replacement transaction underpriced" and "nonce too low" errors.
+ *
+ * @param senderAddress - The sender's address (queue key)
+ * @param txFn - Function that submits the transaction
+ * @returns The transaction result
+ */
+export declare function withTxQueue<T>(senderAddress: string, txFn: () => Promise<T>): Promise<T>;
+//# sourceMappingURL=txQueue.d.ts.map

package/dist/esm/src/utils/txQueue.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"txQueue.d.ts","sourceRoot":"","sources":["../../../../src/utils/txQueue.ts"],"names":[],"mappings":"AASA;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAAC,CAAC,EACjC,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACrB,OAAO,CAAC,CAAC,CAAC,CAWZ"}

package/dist/esm/src/utils/txQueue.js ADDED Viewed

@@ -0,0 +1,25 @@
+// packages/sdk/src/utils/txQueue.ts
+/**
+ * Transaction queue for serializing blockchain transactions per sender.
+ * Prevents nonce conflicts when multiple txs are submitted in rapid succession.
+ */
+const txQueues = new Map();
+/**
+ * Execute a transaction function with queue serialization.
+ *
+ * Ensures transactions from the same sender are submitted sequentially,
+ * preventing "replacement transaction underpriced" and "nonce too low" errors.
+ *
+ * @param senderAddress - The sender's address (queue key)
+ * @param txFn - Function that submits the transaction
+ * @returns The transaction result
+ */
+export async function withTxQueue(senderAddress, txFn) {
+    const previousTx = txQueues.get(senderAddress) ?? Promise.resolve();
+    const currentTx = previousTx
+        .catch(() => { }) // Don't block on previous errors
+        .then(() => txFn());
+    // Store the chain (ignore errors for queue tracking)
+    txQueues.set(senderAddress, currentTx.catch(() => { }));
+    return currentTx;
+}

package/dist/esm/src/utils.d.ts CHANGED Viewed

@@ -1,11 +1,11 @@
 import { JsonRpcProvider } from "ethers";
 import { type PublicClient } from "viem";
-import { DuplexTopics } from "./types.js";
 export declare function parseBindingMessage(message: string): {
     header?: string;
     address?: string;
     pkEd25519?: `0x${string}`;
     pkX25519?: `0x${string}`;
+    executorSafeAddress?: string;
     context?: string;
     version?: string;
     chainId?: number;
@@ -22,8 +22,7 @@ export declare const ERC6492_SUFFIX = "0x649264926492649264926492649264926492649
 export declare function hasERC6492Suffix(sigHex: string): boolean;
 /**
  * Checks if an address is a smart contract that supports EIP-1271 signature verification
- * Returns true if the address has deployed code AND implements isValidSignature function
+ * Returns true if the address has deployed code and implements isValidSignature function
  */
 export declare function isSmartContract1271(address: string, provider: JsonRpcProvider): Promise<boolean>;
-export declare function pickOutboundTopic(isInitiator: boolean, t: DuplexTopics): `0x${string}`;
 //# sourceMappingURL=utils.d.ts.map

package/dist/esm/src/utils.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,eAAe,EAGhB,MAAM,QAAQ,CAAC;AAGhB,OAAO,EAIL,KAAK,YAAY,EAClB,MAAM,MAAM,CAAC;~~AACd~~,~~OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG1C,~~wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG;IACpD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;IAC1B,QAAQ,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,~~CAyBA~~;AAED,MAAM,MAAM,MAAM,GACd,OAAO,QAAQ,EAAE,eAAe,GAChC,OAAO,QAAQ,EAAE,eAAe,GAChC;IAAE,OAAO,EAAE,CAAC,IAAI,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,KAAK,OAAO,CAAC,GAAG,CAAC,CAAA;CAAE,CAAC;AAe5E,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,CAAC,CAmBvB;AAED,eAAO,MAAM,cAAc,uEAC2C,CAAC;AAEvE,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAIxD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,eAAe,GACxB,OAAO,CAAC,OAAO,CAAC,CA+DlB~~;AAGD,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,GAAG,KAAK,MAAM,EAAE,CAEtF~~"}
1	+ {"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/utils.ts"],"names":[],"mappings":"AAEA,OAAO,EAEL,eAAe,EAGhB,MAAM,QAAQ,CAAC;AAGhB,OAAO,EAIL,KAAK,YAAY,EAClB,MAAM,MAAM,CAAC;AAGd,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG;IACpD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;IAC1B,QAAQ,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CA4BA;AAED,MAAM,MAAM,MAAM,GACd,OAAO,QAAQ,EAAE,eAAe,GAChC,OAAO,QAAQ,EAAE,eAAe,GAChC;IAAE,OAAO,EAAE,CAAC,IAAI,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAA;KAAE,KAAK,OAAO,CAAC,GAAG,CAAC,CAAA;CAAE,CAAC;AAe5E,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,YAAY,CAAC,CAmBvB;AAED,eAAO,MAAM,cAAc,uEAC2C,CAAC;AAEvE,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAIxD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,eAAe,GACxB,OAAO,CAAC,OAAO,CAAC,CA+DlB"}

package/dist/esm/src/utils.js CHANGED Viewed

@@ -23,6 +23,10 @@ export function parseBindingMessage(message) {
         if (key === "pkx25519") {
             out.pkX25519 = hexlify(val);
         }
+        if (key === "executorsafeaddress" || key === "executorsafe") {
+            if (val)
+                out.executorSafeAddress = getAddress(val);
+        }
         if (key === "context")
             out.context = val;
         if (key === "version")
@@ -70,7 +74,7 @@ export function hasERC6492Suffix(sigHex) {
 }
 /**
  * Checks if an address is a smart contract that supports EIP-1271 signature verification
- * Returns true if the address has deployed code AND implements isValidSignature function
+ * Returns true if the address has deployed code and implements isValidSignature function
  */
 export async function isSmartContract1271(address, provider) {
     try {
@@ -117,7 +121,3 @@ export async function isSmartContract1271(address, provider) {
         return false;
     }
 }
-// picks the correct outbound topic from a DuplexTopics structure
-export function pickOutboundTopic(isInitiator, t) {
-    return isInitiator ? t.topicOut : t.topicIn;
-}

package/dist/esm/src/verify.d.ts CHANGED Viewed

@@ -1,54 +1,38 @@
 import { JsonRpcProvider } from "ethers";
-import { HandshakeLog, HandshakeResponseLog, IdentityProof, TopicInfoWire, DuplexTopics } from "./types.js";
+import { HandshakeLog, HandshakeResponseLog, IdentityProof, IdentityContext } from "./types.js";
 import { Rpcish } from "./utils.js";
 /**
  * handshake verification with mandatory identity proof
  */
-export declare function verifyHandshakeIdentity(handshakeEvent: HandshakeLog, provider: JsonRpcProvider): Promise<boolean>;
+export declare function verifyHandshakeIdentity(handshakeEvent: HandshakeLog, provider: JsonRpcProvider, ctx?: IdentityContext): Promise<boolean>;
 /**
  * handshake response verification with mandatory identity proof
  */
-export declare function verifyHandshakeResponseIdentity(responseEvent: HandshakeResponseLog, responderIdentityPubKey: Uint8Array, initiatorEphemeralSecretKey: Uint8Array, provider: JsonRpcProvider): Promise<boolean>;
+export declare function verifyHandshakeResponseIdentity(responseEvent: HandshakeResponseLog, responderIdentityPubKey: Uint8Array, initiatorEphemeralSecretKey: Uint8Array, provider: JsonRpcProvider, ctx?: IdentityContext): Promise<boolean>;
 /**
- * Verify "IdentityProof" for EOAs and smart accounts.
+ * Verify IdentityProof for EOAs and smart accounts.
  * - Verifies the signature with viem (EOA / ERC-1271 / ERC-6492).
  * - Parses and checks the expected address and public key against the message content.
  */
-export declare function verifyIdentityProof(identityProof: IdentityProof, smartAccountAddress: string, expectedUnifiedKeys: {
+export declare function verifyIdentityProof(identityProof: IdentityProof, address: string, expectedUnifiedKeys: {
     identityPubKey: Uint8Array;
     signingPubKey: Uint8Array;
-}, provider: Rpcish): Promise<boolean>;
-export declare function verifyAndExtractHandshakeKeys(handshakeEvent: HandshakeLog, provider: JsonRpcProvider): Promise<{
+}, provider: Rpcish, ctx?: IdentityContext): Promise<boolean>;
+export declare function verifyAndExtractHandshakeKeys(handshakeEvent: HandshakeLog, provider: JsonRpcProvider, ctx?: IdentityContext): Promise<{
     isValid: boolean;
     keys?: {
         identityPubKey: Uint8Array;
         signingPubKey: Uint8Array;
     };
 }>;
-export declare function verifyAndExtractHandshakeResponseKeys(responseEvent: HandshakeResponseLog, initiatorEphemeralSecretKey: Uint8Array, provider: JsonRpcProvider): Promise<{
+export declare function verifyAndExtractHandshakeResponseKeys(responseEvent: HandshakeResponseLog, initiatorEphemeralSecretKey: Uint8Array, initiatorKemSecretKey: Uint8Array, provider: JsonRpcProvider, ctx?: IdentityContext): Promise<{
     isValid: boolean;
     keys?: {
         identityPubKey: Uint8Array;
         signingPubKey: Uint8Array;
         ephemeralPubKey: Uint8Array;
+        kemCiphertext?: Uint8Array;
         note?: string;
     };
 }>;
-/**
- * Verify and derive duplex topics from a long-term DH secret.
- * - Accepts either `tag` (inResponseTo) or a raw salt as KDF input.
- * - Recomputes topicOut/topicIn deterministically from the identity DH.
- * - If topicInfo is provided (from HSR), also verify the checksum.
- * - Used by the initiator after decrypting a HandshakeResponse to confirm responder’s topics.
- */
-export declare function verifyDerivedDuplexTopics({ myIdentitySecretKey, theirIdentityPubKey, tag, salt, topicInfo }: {
-    myIdentitySecretKey: Uint8Array;
-    theirIdentityPubKey: Uint8Array;
-    tag?: `0x${string}`;
-    salt?: Uint8Array;
-    topicInfo?: TopicInfoWire;
-}): {
-    topics: DuplexTopics;
-    ok?: boolean;
-};
 //# sourceMappingURL=verify.d.ts.map

package/dist/esm/src/verify.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../../src/verify.ts"],"names":[],"mappings":"~~AACA~~,OAAO,EAAE,eAAe,EAAiC,MAAM,QAAQ,CAAC;~~AAExE~~,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,~~aAAa~~,EAAE,~~YAAY,EAAE,~~MAAM,YAAY,CAAC;~~AAE5G~~,OAAO,EACL,MAAM,EAGP,MAAM,YAAY,CAAC;AAIpB;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,cAAc,EAAE,YAAY,EAC5B,QAAQ,EAAE,eAAe,~~GACxB~~,OAAO,CAAC,OAAO,CAAC,~~CA6ClB~~;AAID;;GAEG;AACH,wBAAsB,+BAA+B,CACnD,aAAa,EAAE,oBAAoB,EACnC,uBAAuB,EAAE,UAAU,EACnC,2BAA2B,EAAE,UAAU,EACvC,QAAQ,EAAE,eAAe,~~GACxB~~,OAAO,CAAC,OAAO,CAAC,~~CAgDlB~~;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,aAAa,EAC5B,~~mBAAmB~~,EAAE,MAAM,~~EAC3B~~,mBAAmB,EAAE;IACnB,cAAc,EAAE,UAAU,CAAC;IAC3B,aAAa,EAAE,UAAU,CAAC;CAC3B,EACD,QAAQ,EAAE,MAAM,~~GACf~~,OAAO,CAAC,OAAO,CAAC,~~CA+DlB~~;AAID,wBAAsB,6BAA6B,CACjD,cAAc,EAAE,YAAY,EAC5B,QAAQ,EAAE,eAAe,~~GACxB~~,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE;QACL,cAAc,EAAE,UAAU,CAAC;QAC3B,aAAa,EAAE,UAAU,CAAC;KAC3B,CAAC;CACH,CAAC,CAgBD;AAED,wBAAsB,qCAAqC,CACzD,aAAa,EAAE,oBAAoB,EACnC,2BAA2B,EAAE,UAAU,EACvC,QAAQ,EAAE,eAAe,~~GACxB~~,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE;QACL,cAAc,EAAE,UAAU,CAAC;QAC3B,aAAa,EAAE,UAAU,CAAC;QAC1B,eAAe,EAAE,UAAU,CAAC;QAC5B,~~IAAI~~,CAAC,EAAE,~~MAAM~~,CAAC;~~KACf~~,~~CAAC;CACH,CAAC,CAwCD;AAED;;;;;;GAMG;AACH,wBAAgB,yBAAyB,CAAC,EACxC,mBAAmB,EACnB,mBAAmB,EACnB,GAAG,EACH,~~IAAI,~~EACJ,SAAS,EACV,EAAE;IACD,mBAAmB,EAAE,UAAU,~~CAAC~~;IAChC~~,~~mBAAmB,~~EAAE,~~UAAU,CAAC;IAChC,GAAG,CAAC,EAAE,KAAK,~~MAAM,~~EAAE,~~CAAC;~~IACpB~~,~~IAAI,~~CAAC~~,EAAE,UAAU,CAAC~~;~~IAClB~~,~~SAAS,~~CAAC,~~EAAE,aAAa,CAAC;CAC3B,GAAG;IAAE,MAAM,EAAE,YAAY,CAAC;IAAC,EAAE,CAAC,EAAE,OAAO,CAAA;CAAE,CAYzC~~"}
1	+ {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../../src/verify.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAiC,MAAM,QAAQ,CAAC;AAGxE,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAEhG,OAAO,EACL,MAAM,EAGP,MAAM,YAAY,CAAC;AAIpB;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,cAAc,EAAE,YAAY,EAC5B,QAAQ,EAAE,eAAe,EACzB,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC,OAAO,CAAC,CAsClB;AAID;;GAEG;AACH,wBAAsB,+BAA+B,CACnD,aAAa,EAAE,oBAAoB,EACnC,uBAAuB,EAAE,UAAU,EACnC,2BAA2B,EAAE,UAAU,EACvC,QAAQ,EAAE,eAAe,EACzB,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC,OAAO,CAAC,CA2ClB;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,aAAa,EAAE,aAAa,EAC5B,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE;IACnB,cAAc,EAAE,UAAU,CAAC;IAC3B,aAAa,EAAE,UAAU,CAAC;CAC3B,EACD,QAAQ,EAAE,MAAM,EAChB,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC,OAAO,CAAC,CAgFlB;AAID,wBAAsB,6BAA6B,CACjD,cAAc,EAAE,YAAY,EAC5B,QAAQ,EAAE,eAAe,EACzB,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE;QACL,cAAc,EAAE,UAAU,CAAC;QAC3B,aAAa,EAAE,UAAU,CAAC;KAC3B,CAAC;CACH,CAAC,CAgBD;AAED,wBAAsB,qCAAqC,CACzD,aAAa,EAAE,oBAAoB,EACnC,2BAA2B,EAAE,UAAU,EACvC,qBAAqB,EAAE,UAAU,EACjC,QAAQ,EAAE,eAAe,EACzB,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE;QACL,cAAc,EAAE,UAAU,CAAC;QAC3B,aAAa,EAAE,UAAU,CAAC;QAC1B,eAAe,EAAE,UAAU,CAAC;QAC5B,aAAa,CAAC,EAAE,UAAU,CAAC;QAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;CACH,CAAC,CAkDD"}