@verbeth/sdk 0.1.4 → 0.1.6

package/dist/src/executor.js

@@ -3,7 +3,6 @@ import { Interface, toBeHex, zeroPadValue, } from "ethers";
 function pack128x128(high, low) {
     return (high << 128n) | (low & ((1n << 128n) - 1n));
 }
-// Unpack a packed 256-bit value into two 128-bit values
 export function split128x128(word) {
     const lowMask = (1n << 128n) - 1n;
     return [word >> 128n, word & lowMask];
@@ -47,18 +46,16 @@ export class EOAExecutor {
 }
 // Base Smart Account Executor - Uses wallet_sendCalls for sponsored transactions
 export class BaseSmartAccountExecutor {
-    constructor(baseAccountProvider, logChainAddress, chainId = 8453, // Base mainnet by default
-    paymasterServiceUrl, subAccountAddress) {
+    constructor(baseAccountProvider, verbEthAddress, chainId = 8453, paymasterServiceUrl, subAccountAddress) {
         this.baseAccountProvider = baseAccountProvider;
-        this.logChainAddress = logChainAddress;
+        this.verbEthAddress = verbEthAddress;
         this.paymasterServiceUrl = paymasterServiceUrl;
         this.subAccountAddress = subAccountAddress;
-        this.logChainInterface = new Interface([
+        this.verbEthInterface = new Interface([
             "function sendMessage(bytes calldata ciphertext, bytes32 topic, uint256 timestamp, uint256 nonce)",
             "function initiateHandshake(bytes32 recipientHash, bytes pubKeys, bytes ephemeralPubKey, bytes plaintextPayload)",
             "function respondToHandshake(bytes32 inResponseTo, bytes32 responderEphemeralR, bytes ciphertext)",
         ]);
-        // Convert chainId to hex
         this.chainId =
             chainId === 8453
                 ? "0x2105" // Base mainnet
@@ -67,7 +64,7 @@ export class BaseSmartAccountExecutor {
                     : `0x${chainId.toString(16)}`;
     }
     async sendMessage(ciphertext, topic, timestamp, nonce) {
-        const callData = this.logChainInterface.encodeFunctionData("sendMessage", [
+        const callData = this.verbEthInterface.encodeFunctionData("sendMessage", [
             ciphertext,
             topic,
             timestamp,
@@ -75,27 +72,27 @@ export class BaseSmartAccountExecutor {
         ]);
         return this.executeCalls([
             {
-                to: this.logChainAddress,
+                to: this.verbEthAddress,
                 value: "0x0",
                 data: callData,
             },
         ]);
     }
     async initiateHandshake(recipientHash, pubKeys, ephemeralPubKey, plaintextPayload) {
-        const callData = this.logChainInterface.encodeFunctionData("initiateHandshake", [recipientHash, pubKeys, ephemeralPubKey, plaintextPayload]);
+        const callData = this.verbEthInterface.encodeFunctionData("initiateHandshake", [recipientHash, pubKeys, ephemeralPubKey, plaintextPayload]);
         return this.executeCalls([
             {
-                to: this.logChainAddress,
+                to: this.verbEthAddress,
                 value: "0x0",
                 data: callData,
             },
         ]);
     }
     async respondToHandshake(inResponseTo, responderEphemeralR, ciphertext) {
-        const callData = this.logChainInterface.encodeFunctionData("respondToHandshake", [inResponseTo, responderEphemeralR, ciphertext]);
+        const callData = this.verbEthInterface.encodeFunctionData("respondToHandshake", [inResponseTo, responderEphemeralR, ciphertext]);
         return this.executeCalls([
             {
-                to: this.logChainAddress,
+                to: this.verbEthAddress,
                 value: "0x0",
                 data: callData,
             },
@@ -103,7 +100,6 @@ export class BaseSmartAccountExecutor {
     }
     async executeCalls(calls) {
         try {
-            //console.log("DEBUG: Sub account address:", this.subAccountAddress);
             const requestParams = {
                 version: "1.0",
                 chainId: this.chainId,
@@ -112,7 +108,6 @@ export class BaseSmartAccountExecutor {
             //** WORK IN PROGRESS */
             if (this.subAccountAddress) {
                 requestParams.from = this.subAccountAddress;
-                //console.log("DEBUG: Using sub account for transaction");
             }
             if (this.paymasterServiceUrl) {
                 requestParams.capabilities = {
@@ -120,19 +115,15 @@ export class BaseSmartAccountExecutor {
                         url: this.paymasterServiceUrl,
                     },
                 };
-                //console.log("DEBUG: Using paymaster for gas sponsorship");
             }
-            //console.log("DEBUG: Request params:", requestParams);
             const result = await this.baseAccountProvider.request({
                 method: "wallet_sendCalls",
                 params: [requestParams],
             });
-            // first 32 bytes are the actual userop hash
             if (typeof result === "string" &&
                 result.startsWith("0x") &&
                 result.length > 66) {
-                const actualTxHash = "0x" + result.slice(2, 66); // Extract first 32 bytes
-                //console.log("DEBUG: extracted tx hash:", actualTxHash);
+                const actualTxHash = "0x" + result.slice(2, 66);
                 return { hash: actualTxHash };
             }
             return result;
@@ -145,45 +136,44 @@ export class BaseSmartAccountExecutor {
 }
 // UserOp Executor - Account Abstraction via bundler
 export class UserOpExecutor {
-    constructor(smartAccountAddress, logChainAddress, bundlerClient, smartAccountClient) {
+    constructor(smartAccountAddress, verbEthAddress, bundlerClient, smartAccountClient) {
         this.smartAccountAddress = smartAccountAddress;
-        this.logChainAddress = logChainAddress;
+        this.verbEthAddress = verbEthAddress;
         this.bundlerClient = bundlerClient;
         this.smartAccountClient = smartAccountClient;
-        this.logChainInterface = new Interface([
+        this.verbEthInterface = new Interface([
             "function sendMessage(bytes calldata ciphertext, bytes32 topic, uint256 timestamp, uint256 nonce)",
             "function initiateHandshake(bytes32 recipientHash, bytes pubKeys, bytes ephemeralPubKey, bytes plaintextPayload)",
             "function respondToHandshake(bytes32 inResponseTo, bytes32 responderEphemeralR, bytes ciphertext)",
         ]);
-        // Smart account interface for executing calls to other contracts
         this.smartAccountInterface = new Interface([
             "function execute(address target, uint256 value, bytes calldata data) returns (bytes)",
         ]);
     }
     async sendMessage(ciphertext, topic, timestamp, nonce) {
-        const logChainCallData = this.logChainInterface.encodeFunctionData("sendMessage", [ciphertext, topic, timestamp, nonce]);
+        const verbEthCallData = this.verbEthInterface.encodeFunctionData("sendMessage", [ciphertext, topic, timestamp, nonce]);
         const smartAccountCallData = this.smartAccountInterface.encodeFunctionData("execute", [
-            this.logChainAddress,
-            0, // value
-            logChainCallData,
+            this.verbEthAddress,
+            0,
+            verbEthCallData,
         ]);
         return this.executeUserOp(smartAccountCallData);
     }
     async initiateHandshake(recipientHash, pubKeys, ephemeralPubKey, plaintextPayload) {
-        const logChainCallData = this.logChainInterface.encodeFunctionData("initiateHandshake", [recipientHash, pubKeys, ephemeralPubKey, plaintextPayload]);
+        const verbEthCallData = this.verbEthInterface.encodeFunctionData("initiateHandshake", [recipientHash, pubKeys, ephemeralPubKey, plaintextPayload]);
         const smartAccountCallData = this.smartAccountInterface.encodeFunctionData("execute", [
-            this.logChainAddress,
-            0, // value
-            logChainCallData,
+            this.verbEthAddress,
+            0,
+            verbEthCallData,
         ]);
         return this.executeUserOp(smartAccountCallData);
     }
     async respondToHandshake(inResponseTo, responderEphemeralR, ciphertext) {
-        const logChainCallData = this.logChainInterface.encodeFunctionData("respondToHandshake", [inResponseTo, responderEphemeralR, ciphertext]);
+        const verbEthCallData = this.verbEthInterface.encodeFunctionData("respondToHandshake", [inResponseTo, responderEphemeralR, ciphertext]);
         const smartAccountCallData = this.smartAccountInterface.encodeFunctionData("execute", [
-            this.logChainAddress,
-            0, // value
-            logChainCallData,
+            this.verbEthAddress,
+            0,
+            verbEthCallData,
         ]);
         return this.executeUserOp(smartAccountCallData);
     }
@@ -209,19 +199,18 @@ export class UserOpExecutor {
         return receipt;
     }
 }
-// Direct EntryPoint Executor - for local testing (bypasses bundler)
+// Direct EntryPoint Executor (bypasses bundler for local testing)
 export class DirectEntryPointExecutor {
-    constructor(smartAccountAddress, entryPointContract, logChainAddress, smartAccountClient, signer) {
+    constructor(smartAccountAddress, entryPointContract, verbEthAddress, smartAccountClient, signer) {
         this.smartAccountAddress = smartAccountAddress;
-        this.logChainAddress = logChainAddress;
+        this.verbEthAddress = verbEthAddress;
         this.smartAccountClient = smartAccountClient;
         this.signer = signer;
-        this.logChainInterface = new Interface([
+        this.verbEthInterface = new Interface([
             "function sendMessage(bytes calldata ciphertext, bytes32 topic, uint256 timestamp, uint256 nonce)",
             "function initiateHandshake(bytes32 recipientHash, bytes pubKeys, bytes ephemeralPubKey, bytes plaintextPayload)",
             "function respondToHandshake(bytes32 inResponseTo, bytes32 responderEphemeralR, bytes ciphertext)",
         ]);
-        // Smart account interface for executing calls to other contracts
         this.smartAccountInterface = new Interface([
             "function execute(address target, uint256 value, bytes calldata data) returns (bytes)",
         ]);
@@ -229,29 +218,29 @@ export class DirectEntryPointExecutor {
         this.spec = detectSpecVersion(this.entryPointContract.interface);
     }
     async sendMessage(ciphertext, topic, timestamp, nonce) {
-        const logChainCallData = this.logChainInterface.encodeFunctionData("sendMessage", [ciphertext, topic, timestamp, nonce]);
+        const verbEthCallData = this.verbEthInterface.encodeFunctionData("sendMessage", [ciphertext, topic, timestamp, nonce]);
         const smartAccountCallData = this.smartAccountInterface.encodeFunctionData("execute", [
-            this.logChainAddress,
+            this.verbEthAddress,
             0, // value
-            logChainCallData,
+            verbEthCallData,
         ]);
         return this.executeDirectUserOp(smartAccountCallData);
     }
     async initiateHandshake(recipientHash, pubKeys, ephemeralPubKey, plaintextPayload) {
-        const logChainCallData = this.logChainInterface.encodeFunctionData("initiateHandshake", [recipientHash, pubKeys, ephemeralPubKey, plaintextPayload]);
+        const verbEthCallData = this.verbEthInterface.encodeFunctionData("initiateHandshake", [recipientHash, pubKeys, ephemeralPubKey, plaintextPayload]);
         const smartAccountCallData = this.smartAccountInterface.encodeFunctionData("execute", [
-            this.logChainAddress,
-            0, // value
-            logChainCallData,
+            this.verbEthAddress,
+            0,
+            verbEthCallData,
         ]);
         return this.executeDirectUserOp(smartAccountCallData);
     }
     async respondToHandshake(inResponseTo, responderEphemeralR, ciphertext) {
-        const logChainCallData = this.logChainInterface.encodeFunctionData("respondToHandshake", [inResponseTo, responderEphemeralR, ciphertext]);
+        const verbEthCallData = this.verbEthInterface.encodeFunctionData("respondToHandshake", [inResponseTo, responderEphemeralR, ciphertext]);
         const smartAccountCallData = this.smartAccountInterface.encodeFunctionData("execute", [
-            this.logChainAddress,
-            0, // value
-            logChainCallData,
+            this.verbEthAddress,
+            0,
+            verbEthCallData,
         ]);
         return this.executeDirectUserOp(smartAccountCallData);
     }
@@ -290,11 +279,8 @@ export class DirectEntryPointExecutor {
                 signature: "0x",
             };
         }
-        // Pad bigints, bytes32 before signing
         const paddedUserOp = padBigints(userOp);
-        //console.log("Padded UserOp:", paddedUserOp);
         const signed = await this.smartAccountClient.signUserOperation(paddedUserOp);
-        // Direct submit to EntryPoint
         const tx = await this.entryPointContract.handleOps([signed], await this.signer.getAddress());
         return tx;
     }
@@ -303,33 +289,32 @@ export class ExecutorFactory {
     static createEOA(contract) {
         return new EOAExecutor(contract);
     }
-    static createBaseSmartAccount(baseAccountProvider, logChainAddress, chainId = 8453, paymasterServiceUrl, subAccountAddress) {
-        return new BaseSmartAccountExecutor(baseAccountProvider, logChainAddress, chainId, paymasterServiceUrl, subAccountAddress);
+    static createBaseSmartAccount(baseAccountProvider, verbEthAddress, chainId = 8453, paymasterServiceUrl, subAccountAddress) {
+        return new BaseSmartAccountExecutor(baseAccountProvider, verbEthAddress, chainId, paymasterServiceUrl, subAccountAddress);
     }
-    static createUserOp(smartAccountAddress, _entryPointAddress, logChainAddress, bundlerClient, smartAccountClient) {
-        return new UserOpExecutor(smartAccountAddress, logChainAddress, bundlerClient, smartAccountClient);
+    static createUserOp(smartAccountAddress, _entryPointAddress, verbEthAddress, bundlerClient, smartAccountClient) {
+        return new UserOpExecutor(smartAccountAddress, verbEthAddress, bundlerClient, smartAccountClient);
     }
-    static createDirectEntryPoint(smartAccountAddress, entryPointContract, logChainAddress, smartAccountClient, signer) {
-        return new DirectEntryPointExecutor(smartAccountAddress, entryPointContract, logChainAddress, smartAccountClient, signer);
+    static createDirectEntryPoint(smartAccountAddress, entryPointContract, verbEthAddress, smartAccountClient, signer) {
+        return new DirectEntryPointExecutor(smartAccountAddress, entryPointContract, verbEthAddress, smartAccountClient, signer);
     }
     // Auto-detect executor based on environment and signer type
     static async createAuto(signerOrAccount, contract, options) {
-        if (options?.baseAccountProvider && options?.logChainAddress) {
-            return new BaseSmartAccountExecutor(options.baseAccountProvider, options.logChainAddress, options.chainId || 8453);
+        if (options?.baseAccountProvider && options?.verbEthAddress) {
+            return new BaseSmartAccountExecutor(options.baseAccountProvider, options.verbEthAddress, options.chainId || 8453);
         }
         try {
             const provider = signerOrAccount?.provider || signerOrAccount;
             if (provider && typeof provider.request === "function") {
-                // test if provider supports wallet_sendCalls
                 const capabilities = await provider
                     .request({
                     method: "wallet_getCapabilities",
                     params: [],
                 })
                     .catch(() => null);
-                if (capabilities && options?.logChainAddress) {
+                if (capabilities && options?.verbEthAddress) {
                     // if wallet supports capabilities, it's likely a Base Smart Account
-                    return new BaseSmartAccountExecutor(provider, options.logChainAddress, options.chainId || 8453);
+                    return new BaseSmartAccountExecutor(provider, options.verbEthAddress, options.chainId || 8453);
                 }
             }
         }
@@ -338,16 +323,15 @@ export class ExecutorFactory {
             (options?.bundlerClient || options?.entryPointContract)) {
             if (options.isTestEnvironment &&
                 options.entryPointContract &&
-                options.logChainAddress) {
-                return new DirectEntryPointExecutor(signerOrAccount.address, options.entryPointContract, options.logChainAddress, signerOrAccount, signerOrAccount.signer || signerOrAccount);
+                options.verbEthAddress) {
+                return new DirectEntryPointExecutor(signerOrAccount.address, options.entryPointContract, options.verbEthAddress, signerOrAccount, signerOrAccount.signer || signerOrAccount);
             }
             if (options.bundlerClient &&
                 options.entryPointAddress &&
-                options.logChainAddress) {
-                return new UserOpExecutor(signerOrAccount.address, options.logChainAddress, options.bundlerClient, signerOrAccount);
+                options.verbEthAddress) {
+                return new UserOpExecutor(signerOrAccount.address, options.verbEthAddress, options.bundlerClient, signerOrAccount);
             }
         }
-        // default to EOA executor
         return new EOAExecutor(contract);
     }
 }

package/dist/src/handshake.d.ts

@@ -0,0 +1,51 @@
+import { Signer } from "ethers";
+import nacl from 'tweetnacl';
+import { IdentityKeyPair, IdentityProof } from './types.js';
+import { IExecutor } from './executor.js';
+export interface KemKeyPair {
+    publicKey: Uint8Array;
+    secretKey: Uint8Array;
+}
+/**
+ * Initiates an on-chain handshake with unified keys and mandatory identity proof.
+ * Executor-agnostic: works with EOA, UserOp, and Direct EntryPoint
+ *
+ * @returns Transaction, ephemeral keypair, and KEM keypair (must be persisted for session init)
+ */
+export declare function initiateHandshake({ executor, recipientAddress, identityKeyPair, plaintextPayload, identityProof, }: {
+    executor: IExecutor;
+    recipientAddress: string;
+    identityKeyPair: IdentityKeyPair;
+    plaintextPayload: string;
+    identityProof: IdentityProof;
+    signer?: Signer;
+}): Promise<{
+    tx: any;
+    ephemeralKeyPair: nacl.BoxKeyPair;
+    kemKeyPair: KemKeyPair;
+}>;
+/**
+ * Responds to a handshake with unified keys and mandatory identity proof.
+ * Executor-agnostic: works with EOA, UserOp, and Direct EntryPoint
+ *
+ * If initiator includes KEM public key, encapsulates a shared secret and includes ciphertext in response.
+ *
+ * @returns Transaction, tag, salt, ephemeral keys, and KEM secret
+ */
+export declare function respondToHandshake({ executor, initiatorEphemeralPubKey, responderIdentityKeyPair, note, identityProof, }: {
+    executor: IExecutor;
+    /** Initiator's ephemeral key (32 bytes X25519) OR extended key (1216 bytes: X25519 + ML-KEM) */
+    initiatorEphemeralPubKey: Uint8Array;
+    responderIdentityKeyPair: IdentityKeyPair;
+    note?: string;
+    identityProof: IdentityProof;
+    signer?: Signer;
+}): Promise<{
+    tx: any;
+    salt: Uint8Array;
+    tag: `0x${string}`;
+    responderEphemeralSecret: Uint8Array;
+    responderEphemeralPublic: Uint8Array;
+    kemSharedSecret?: Uint8Array;
+}>;
+//# sourceMappingURL=handshake.d.ts.map

package/dist/src/handshake.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../../src/handshake.ts"],"names":[],"mappings":"AAEA,OAAO,EAIL,MAAM,EAEP,MAAM,QAAQ,CAAC;AAChB,OAAO,IAAI,MAAM,WAAW,CAAC;AAQ7B,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAI1C,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;CACvB;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,EACtC,QAAQ,EACR,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EAChB,aAAa,GACd,EAAE;IACD,QAAQ,EAAE,SAAS,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,eAAe,EAAE,eAAe,CAAC;IACjC,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,EAAE,aAAa,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,OAAO,CAAC;IACV,EAAE,EAAE,GAAG,CAAC;IACR,gBAAgB,EAAE,IAAI,CAAC,UAAU,CAAC;IAClC,UAAU,EAAE,UAAU,CAAC;CACxB,CAAC,CA4CD;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CAAC,EACvC,QAAQ,EACR,wBAAwB,EACxB,wBAAwB,EACxB,IAAI,EACJ,aAAa,GACd,EAAE;IACD,QAAQ,EAAE,SAAS,CAAC;IACpB,gGAAgG;IAChG,wBAAwB,EAAE,UAAU,CAAC;IACrC,wBAAwB,EAAE,eAAe,CAAC;IAC1C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,aAAa,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,OAAO,CAAC;IACV,EAAE,EAAE,GAAG,CAAC;IACR,IAAI,EAAE,UAAU,CAAC;IACjB,GAAG,EAAE,KAAK,MAAM,EAAE,CAAC;IAEnB,wBAAwB,EAAE,UAAU,CAAC;IAErC,wBAAwB,EAAE,UAAU,CAAC;IAErC,eAAe,CAAC,EAAE,UAAU,CAAC;CAC9B,CAAC,CAuFD"}

package/dist/src/handshake.js

@@ -0,0 +1,105 @@
+// packages/sdk/src/handshake.ts
+import { keccak256, toUtf8Bytes, hexlify, getBytes } from "ethers";
+import nacl from 'tweetnacl';
+import { encryptStructuredPayload } from './crypto.js';
+import { serializeHandshakeContent, encodeUnifiedPubKeys, createHandshakeResponseContent, } from './payload.js';
+import { computeHybridTagFromResponder } from './crypto.js';
+import { kem } from './pq/kem.js';
+/**
+ * Initiates an on-chain handshake with unified keys and mandatory identity proof.
+ * Executor-agnostic: works with EOA, UserOp, and Direct EntryPoint
+ *
+ * @returns Transaction, ephemeral keypair, and KEM keypair (must be persisted for session init)
+ */
+export async function initiateHandshake({ executor, recipientAddress, identityKeyPair, plaintextPayload, identityProof, }) {
+    if (!executor) {
+        throw new Error("Executor must be provided");
+    }
+    // Generate ephemeral keypair for this handshake
+    const ephemeralKeyPair = nacl.box.keyPair();
+    // Generate ML-KEM-768 keypair for PQ-hybrid key exchange
+    const kemKeyPair = kem.generateKeyPair();
+    const recipientHash = keccak256(toUtf8Bytes('contact:' + recipientAddress.toLowerCase()));
+    const handshakeContent = {
+        plaintextPayload,
+        identityProof
+    };
+    const serializedPayload = serializeHandshakeContent(handshakeContent);
+    const unifiedPubKeys = encodeUnifiedPubKeys(identityKeyPair.publicKey, identityKeyPair.signingPublicKey);
+    // Ephemeral public key now includes KEM public key (32 + 1184 = 1216 bytes)
+    const ephemeralWithKem = new Uint8Array(32 + kem.publicKeyBytes);
+    ephemeralWithKem.set(ephemeralKeyPair.publicKey, 0);
+    ephemeralWithKem.set(kemKeyPair.publicKey, 32);
+    const tx = await executor.initiateHandshake(recipientHash, hexlify(unifiedPubKeys), hexlify(ephemeralWithKem), toUtf8Bytes(serializedPayload));
+    return {
+        tx,
+        ephemeralKeyPair, // Caller must persist secretKey for ratchet session init
+        kemKeyPair, // Caller must also persist secretKey for KEM decapsulation
+    };
+}
+/**
+ * Responds to a handshake with unified keys and mandatory identity proof.
+ * Executor-agnostic: works with EOA, UserOp, and Direct EntryPoint
+ *
+ * If initiator includes KEM public key, encapsulates a shared secret and includes ciphertext in response.
+ *
+ * @returns Transaction, tag, salt, ephemeral keys, and KEM secret
+ */
+export async function respondToHandshake({ executor, initiatorEphemeralPubKey, responderIdentityKeyPair, note, identityProof, }) {
+    if (!executor) {
+        throw new Error("Executor must be provided");
+    }
+    // =========================================================================
+    // TWO SEPARATE KEYPAIRS for unlinkability:
+    //
+    // 1. tagKeyPair (R, r): only for tag computation
+    //    - R goes on-chain as responderEphemeralR
+    //    - Used by Alice to verify the tag
+    //    - not used for ratchet
+    //
+    // 2. ratchetKeyPair: For post-handshake encryption and first DH ratchet key
+    //    - Public key goes inside encrypted payload 
+    //    - Becomes dhMySecretKey/dhMyPublicKey in ratchet session
+    //
+    // Why this matters: With a single keypair, the on-chain R would equal the
+    // first message's DH header, allowing observers to link HandshakeResponse
+    // to subsequent conversation. With two keypairs, there's no on-chain link.
+    // =========================================================================
+    const tagKeyPair = nacl.box.keyPair();
+    const ratchetKeyPair = nacl.box.keyPair();
+    // Check if initiator included KEM public key (extended format: 32 + 1184 = 1216 bytes)
+    const hasKem = initiatorEphemeralPubKey.length === 32 + kem.publicKeyBytes;
+    const initiatorX25519Pub = hasKem
+        ? initiatorEphemeralPubKey.slice(0, 32)
+        : initiatorEphemeralPubKey;
+    // KEM encapsulation needed for hybrid tag
+    let kemCiphertext;
+    let kemSharedSecret;
+    if (hasKem) {
+        const initiatorKemPub = initiatorEphemeralPubKey.slice(32, 32 + kem.publicKeyBytes);
+        const { ciphertext, sharedSecret } = kem.encapsulate(initiatorKemPub);
+        kemCiphertext = ciphertext;
+        kemSharedSecret = sharedSecret;
+    }
+    if (!kemSharedSecret) {
+        throw new Error("KEM is required for PQ-secure handshake");
+    }
+    // Hybrid tag combines ECDH(r, viewPubA) + kemSecret
+    const inResponseTo = computeHybridTagFromResponder(tagKeyPair.secretKey, initiatorX25519Pub, kemSharedSecret);
+    const salt = getBytes(inResponseTo);
+    const responseContent = createHandshakeResponseContent(responderIdentityKeyPair.publicKey, responderIdentityKeyPair.signingPublicKey, ratchetKeyPair.publicKey, // first DH ratchet key inside payload
+    note, identityProof, kemCiphertext);
+    // Encrypt using ratchetKeyPair (the epk in encrypted payload = ratchetKeyPair.publicKey)
+    const payload = encryptStructuredPayload(responseContent, initiatorX25519Pub, ratchetKeyPair.secretKey, ratchetKeyPair.publicKey);
+    // tagKeyPair.publicKey goes on-chain, not ratchetKeyPair
+    const tx = await executor.respondToHandshake(inResponseTo, hexlify(tagKeyPair.publicKey), toUtf8Bytes(payload));
+    return {
+        tx,
+        salt,
+        tag: inResponseTo,
+        // Return ratchet keys for session initialization
+        responderEphemeralSecret: ratchetKeyPair.secretKey,
+        responderEphemeralPublic: ratchetKeyPair.publicKey,
+        kemSharedSecret,
+    };
+}

package/dist/src/identity.d.ts

@@ -1,28 +1,34 @@
 import { Signer } from "ethers";
-import { IdentityProof } from "./types.js";
-interface IdentityKeyPair {
-    publicKey: Uint8Array;
-    secretKey: Uint8Array;
-    signingPublicKey: Uint8Array;
-    signingSecretKey: Uint8Array;
+import { IdentityContext, IdentityKeyPair, IdentityProof } from "./types.js";
+export interface DerivedIdentityKeys {
+    /** VerbEth identity key pair (X25519 + Ed25519) */
+    keyPair: IdentityKeyPair;
+    /** Hex-encoded secp256k1 private key for session signer */
+    sessionPrivateKey: string;
+    /** Ethereum address of the session signer */
+    sessionAddress: string;
+    /** Public key hex strings for binding message */
+    pkX25519Hex: string;
+    pkEd25519Hex: string;
+}
+export interface DerivedIdentityWithProof extends DerivedIdentityKeys {
+    identityProof: IdentityProof;
 }
 /**
- * HKDF (RFC 5869) identity key derivation.
- * Returns a proof binding the derived keypair to the wallet address.
+ * Derive all identity keys and session key from a single seed signature.
  */
-export declare function deriveIdentityKeyPairWithProof(signer: any, address: string): Promise<{
-    keyPair: IdentityKeyPair;
-    identityProof: {
-        message: string;
-        signature: string;
-        messageRawHex?: `0x${string}`;
-    };
-}>;
-export declare function deriveIdentityWithUnifiedKeys(signer: Signer, address: string): Promise<{
+export declare function deriveIdentityKeys(signer: any, address: string): Promise<DerivedIdentityKeys>;
+/**
+ * Create the binding proof that ties the derived keys to the Safe address.
+ */
+export declare function createBindingProof(signer: any, address: string, derivedKeys: DerivedIdentityKeys, executorSafeAddress: string, ctx?: IdentityContext): Promise<IdentityProof>;
+export declare function deriveIdentityKeyPairWithProof(signer: any, address: string, executorSafeAddress?: string, ctx?: IdentityContext): Promise<DerivedIdentityWithProof>;
+export declare function deriveIdentityWithUnifiedKeys(signer: Signer, address: string, executorSafeAddress?: string, ctx?: IdentityContext): Promise<{
     identityProof: IdentityProof;
     identityPubKey: Uint8Array;
     signingPubKey: Uint8Array;
     unifiedPubKeys: Uint8Array;
+    sessionPrivateKey: string;
+    sessionAddress: string;
 }>;
-export {};
 //# sourceMappingURL=identity.d.ts.map

package/dist/src/identity.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,MAAM,EAAmB,MAAM,QAAQ,CAAC;AAGjD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,UAAU,eAAe;IAEvB,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;IAEtB,gBAAgB,EAAE,UAAU,CAAC;IAC7B,gBAAgB,EAAE,UAAU,CAAC;CAC9B;AAED;;;GAGG;AACH,wBAAsB,8BAA8B,CAClD,MAAM,EAAE,GAAG,EACX,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IACT,OAAO,EAAE,eAAe,CAAC;IACzB,aAAa,EAAE;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,KAAK,MAAM,EAAE,CAAC;KAC/B,CAAC;CACH,CAAC,CAyDD;AAED,wBAAsB,6BAA6B,CACjD,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IACT,aAAa,EAAE,aAAa,CAAC;IAC7B,cAAc,EAAE,UAAU,CAAC;IAC3B,aAAa,EAAE,UAAU,CAAC;IAC1B,cAAc,EAAE,UAAU,CAAC;CAC5B,CAAC,CAcD"}
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,MAAM,EAAqC,MAAM,QAAQ,CAAC;AAGnE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAwE7E,MAAM,WAAW,mBAAmB;IAClC,mDAAmD;IACnD,OAAO,EAAE,eAAe,CAAC;IACzB,2DAA2D;IAC3D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,6CAA6C;IAC7C,cAAc,EAAE,MAAM,CAAC;IACvB,iDAAiD;IACjD,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,wBAAyB,SAAQ,mBAAmB;IACnE,aAAa,EAAE,aAAa,CAAC;CAC9B;AAMD;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,GAAG,EACX,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC,CA8D9B;AAMD;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,GAAG,EACX,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,mBAAmB,EAChC,mBAAmB,EAAE,MAAM,EAC3B,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC,aAAa,CAAC,CAsBxB;AAID,wBAAsB,8BAA8B,CAClD,MAAM,EAAE,GAAG,EACX,OAAO,EAAE,MAAM,EACf,mBAAmB,CAAC,EAAE,MAAM,EAC5B,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC,wBAAwB,CAAC,CAcnC;AAED,wBAAsB,6BAA6B,CACjD,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,EACf,mBAAmB,CAAC,EAAE,MAAM,EAC5B,GAAG,CAAC,EAAE,eAAe,GACpB,OAAO,CAAC;IACT,aAAa,EAAE,aAAa,CAAC;IAC7B,cAAc,EAAE,UAAU,CAAC;IAC3B,aAAa,EAAE,UAAU,CAAC;IAC1B,cAAc,EAAE,UAAU,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC,CAqBD"}