@volr/sdk-core 0.1.0

package/dist/index.cjs

@@ -0,0 +1,1342 @@
+'use strict';
+
+var hkdf = require('@noble/hashes/hkdf');
+var sha256 = require('@noble/hashes/sha256');
+var bip32 = require('@scure/bip32');
+var secp256k1 = require('@noble/curves/secp256k1');
+var sha3 = require('@noble/hashes/sha3');
+var ethers = require('ethers');
+var axios = require('axios');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var axios__default = /*#__PURE__*/_interopDefault(axios);
+
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/core/errors.ts
+var VolrError = class _VolrError extends Error {
+  constructor(code, message, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = "VolrError";
+    Object.setPrototypeOf(this, _VolrError.prototype);
+  }
+};
+var ERR_INVALID_PARAM = "ERR_INVALID_PARAM";
+var ERR_CRYPTO_FAIL = "ERR_CRYPTO_FAIL";
+var ERR_AAD_MISMATCH = "ERR_AAD_MISMATCH";
+var ERR_NONCE_SIZE = "ERR_NONCE_SIZE";
+var ERR_LOW_ENTROPY = "ERR_LOW_ENTROPY";
+var ERR_CHAIN_MISMATCH = "ERR_CHAIN_MISMATCH";
+
+// src/core/crypto/hkdf.ts
+function hkdfSha256(ikm, salt, info, len = 32) {
+  if (!info || info.length === 0) {
+    throw new Error(`${ERR_INVALID_PARAM}: info cannot be empty`);
+  }
+  if (len < 1 || len > 255 * 32) {
+    throw new Error(`${ERR_INVALID_PARAM}: len must be between 1 and ${255 * 32}`);
+  }
+  try {
+    const derived = hkdf.hkdf(sha256.sha256, ikm, salt, info, len);
+    return derived;
+  } catch (error) {
+    throw new Error(`HKDF derivation failed: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
+// src/core/crypto/rng.ts
+function getRandomBytes(len) {
+  if (len < 0 || len > 65536) {
+    throw new Error(`Invalid length: ${len}`);
+  }
+  const arr = new Uint8Array(len);
+  if (typeof crypto !== "undefined" && crypto.getRandomValues) {
+    crypto.getRandomValues(arr);
+    return arr;
+  }
+  if (typeof __require !== "undefined") {
+    try {
+      const nodeCrypto = __require("crypto");
+      if (nodeCrypto.webcrypto && nodeCrypto.webcrypto.getRandomValues) {
+        nodeCrypto.webcrypto.getRandomValues(arr);
+        return arr;
+      }
+      const randomBytes = nodeCrypto.randomBytes(len);
+      arr.set(randomBytes);
+      return arr;
+    } catch {
+    }
+  }
+  throw new Error("No secure random source available");
+}
+
+// src/core/crypto/aes-gcm.ts
+function getSubtleCrypto() {
+  if (typeof crypto !== "undefined" && crypto.subtle) {
+    return crypto.subtle;
+  }
+  if (typeof __require !== "undefined") {
+    try {
+      const nodeCrypto = __require("crypto");
+      if (nodeCrypto.webcrypto && nodeCrypto.webcrypto.subtle) {
+        return nodeCrypto.webcrypto.subtle;
+      }
+    } catch {
+    }
+  }
+  throw new Error(`${ERR_CRYPTO_FAIL}: WebCrypto API not available`);
+}
+async function aesGcmEncrypt(plain, params) {
+  const { key, nonce: providedNonce, aad } = params;
+  if (key.length !== 32) {
+    throw new Error(`${ERR_INVALID_PARAM}: key must be 32 bytes, got ${key.length}`);
+  }
+  const nonce = providedNonce || getRandomBytes(12);
+  if (nonce.length !== 12) {
+    throw new Error(`${ERR_NONCE_SIZE}: nonce must be 12 bytes, got ${nonce.length}`);
+  }
+  const subtle = getSubtleCrypto();
+  try {
+    const keyMaterial = await subtle.importKey(
+      "raw",
+      key,
+      { name: "AES-GCM" },
+      false,
+      ["encrypt"]
+    );
+    const encrypted = await subtle.encrypt(
+      {
+        name: "AES-GCM",
+        iv: nonce,
+        additionalData: aad,
+        tagLength: 128
+        // 16 bytes authentication tag
+      },
+      keyMaterial,
+      plain
+    );
+    return {
+      cipher: new Uint8Array(encrypted),
+      nonce
+    };
+  } catch (error) {
+    throw new Error(
+      `${ERR_CRYPTO_FAIL}: Encryption failed: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+async function aesGcmDecrypt(cipher, params) {
+  const { key, nonce, aad } = params;
+  if (key.length !== 32) {
+    throw new Error(`${ERR_INVALID_PARAM}: key must be 32 bytes, got ${key.length}`);
+  }
+  if (nonce.length !== 12) {
+    throw new Error(`${ERR_NONCE_SIZE}: nonce must be 12 bytes, got ${nonce.length}`);
+  }
+  const subtle = getSubtleCrypto();
+  try {
+    const keyMaterial = await subtle.importKey(
+      "raw",
+      key,
+      { name: "AES-GCM" },
+      false,
+      ["decrypt"]
+    );
+    const decrypted = await subtle.decrypt(
+      {
+        name: "AES-GCM",
+        iv: nonce,
+        additionalData: aad,
+        tagLength: 128
+      },
+      keyMaterial,
+      cipher
+    );
+    return new Uint8Array(decrypted);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (message.includes("decryption") || message.includes("authentication")) {
+      throw new Error(`${ERR_AAD_MISMATCH}: Decryption failed - wrong key or AAD`);
+    }
+    throw new Error(`${ERR_CRYPTO_FAIL}: Decryption failed: ${message}`);
+  }
+}
+
+// src/core/crypto/zeroize.ts
+function zeroize(buf) {
+  let view;
+  if (buf instanceof ArrayBuffer) {
+    view = new Uint8Array(buf);
+  } else {
+    view = buf;
+  }
+  view.fill(0);
+  view.length;
+}
+
+// src/master-key/encryption.ts
+async function sealMasterSeed(masterSeed, wrapKey, aad) {
+  return aesGcmEncrypt(masterSeed, { key: wrapKey, aad });
+}
+async function unsealMasterSeed(cipher, wrapKey, aad, nonce) {
+  const decrypted = await aesGcmDecrypt(cipher, { key: wrapKey, aad, nonce });
+  return decrypted;
+}
+
+// src/master-key/provider.ts
+function createMasterKeyProvider() {
+  return {
+    async unsealFromBlob(blob, wrapKey) {
+      const masterSeed = await unsealMasterSeed(
+        blob.cipher,
+        wrapKey,
+        blob.aad,
+        blob.nonce
+      );
+      return {
+        bytes: masterSeed,
+        destroy() {
+          zeroize(masterSeed);
+        }
+      };
+    },
+    async generate() {
+      const masterSeed = getRandomBytes(32);
+      return {
+        bytes: masterSeed,
+        destroy() {
+          zeroize(masterSeed);
+        }
+      };
+    }
+  };
+}
+function deriveWrapKey(input) {
+  const { origin, projectId, salt } = input;
+  const rpId = typeof window !== "undefined" && origin ? new URL(origin).hostname : origin;
+  const prfInput = new TextEncoder().encode(`${rpId}|${projectId}`);
+  const prfOutput = sha256.sha256(prfInput);
+  const defaultSalt = salt || sha256.sha256(
+    new TextEncoder().encode(`volr/salt|${rpId}|${projectId}`)
+  );
+  const info = `volr/wrap-key/v1|${rpId}|${projectId}`;
+  const wrapKey = hkdfSha256(prfOutput, defaultSalt, info, 32);
+  return wrapKey;
+}
+var DEFAULT_EVM_PATH = "m/60'/0'/0'/0/0";
+function deriveEvmKey(args) {
+  const { masterSeed, path = DEFAULT_EVM_PATH } = args;
+  const hdKey = bip32.HDKey.fromMasterSeed(masterSeed);
+  const derived = hdKey.derive(path);
+  if (!derived.privateKey) {
+    throw new Error("Failed to derive private key");
+  }
+  const privateKey = new Uint8Array(derived.privateKey);
+  const publicKey = derived.publicKey;
+  if (!publicKey || publicKey.length !== 33) {
+    throw new Error("Invalid public key length");
+  }
+  const pubKeyPoint = secp256k1.secp256k1.ProjectivePoint.fromHex(publicKey);
+  const uncompressedPubKey = pubKeyPoint.toRawBytes(false);
+  const pubKeyWithoutPrefix = uncompressedPubKey.slice(1);
+  const hash = sha3.keccak_256(pubKeyWithoutPrefix);
+  const addressBytes = hash.slice(12);
+  const address = "0x" + Array.from(addressBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return {
+    privateKey,
+    publicKey: uncompressedPubKey,
+    address,
+    path
+  };
+}
+function toChecksumAddress(addr) {
+  if (!addr.startsWith("0x")) {
+    throw new Error(`${ERR_INVALID_PARAM}: Address must start with 0x`);
+  }
+  const address = addr.slice(2).toLowerCase();
+  if (address.length !== 40) {
+    throw new Error(`${ERR_INVALID_PARAM}: Address must be 40 hex characters (20 bytes)`);
+  }
+  if (!/^[0-9a-f]{40}$/.test(address)) {
+    throw new Error(`${ERR_INVALID_PARAM}: Address contains invalid hex characters`);
+  }
+  const addressBytes = new TextEncoder().encode(address);
+  const hash = sha3.keccak_256(addressBytes);
+  let checksummed = "0x";
+  for (let i = 0; i < address.length; i++) {
+    const char = address[i];
+    const hashByte = Math.floor(i / 2);
+    const hashNibble = i % 2 === 0 ? hash[hashByte] >> 4 : hash[hashByte] & 15;
+    checksummed += hashNibble >= 8 ? char.toUpperCase() : char;
+  }
+  return checksummed;
+}
+function evmSign(privKey, msgHash32) {
+  if (privKey.length !== 32) {
+    throw new Error(`${ERR_INVALID_PARAM}: Private key must be 32 bytes, got ${privKey.length}`);
+  }
+  if (msgHash32.length !== 32) {
+    throw new Error(`${ERR_INVALID_PARAM}: Message hash must be 32 bytes, got ${msgHash32.length}`);
+  }
+  const signature = secp256k1.secp256k1.sign(msgHash32, privKey, {
+    lowS: true
+    // Enforce low-S canonicalization
+  });
+  const r = signature.r;
+  const s = signature.s;
+  const rBytes = new Uint8Array(32);
+  const sBytes = new Uint8Array(32);
+  const rHex = r.toString(16).padStart(64, "0");
+  const sHex = s.toString(16).padStart(64, "0");
+  for (let i = 0; i < 32; i++) {
+    rBytes[i] = parseInt(rHex.slice(i * 2, i * 2 + 2), 16);
+    sBytes[i] = parseInt(sHex.slice(i * 2, i * 2 + 2), 16);
+  }
+  const yParity = signature.recovery % 2;
+  return {
+    r: rBytes,
+    s: sBytes,
+    yParity
+  };
+}
+var Secp256k1SoftwareSigner = class {
+  constructor(privateKey) {
+    this.privateKey = privateKey;
+    if (privateKey.length !== 32) {
+      throw new Error(`${ERR_INVALID_PARAM}: Private key must be 32 bytes, got ${privateKey.length}`);
+    }
+    if (privateKey.every((b) => b === 0)) {
+      throw new Error(`${ERR_INVALID_PARAM}: Private key cannot be zero`);
+    }
+  }
+  /**
+   * Get uncompressed public key (65 bytes)
+   * 
+   * @returns Uncompressed public key with 0x04 prefix
+   */
+  async getPublicKey() {
+    const pubKeyPoint = secp256k1.secp256k1.getPublicKey(this.privateKey, false);
+    const pubKey = new Uint8Array(65);
+    pubKey[0] = 4;
+    pubKey.set(pubKeyPoint.slice(1), 1);
+    return pubKey;
+  }
+  /**
+   * Sign message hash with deterministic, low-S canonicalization
+   * 
+   * @param msgHash32 - 32-byte message hash
+   * @returns Signature with r, s, and yParity
+   * @throws Error if message hash is invalid
+   */
+  async signMessage(msgHash32) {
+    if (msgHash32.length !== 32) {
+      throw new Error(`${ERR_INVALID_PARAM}: Message hash must be 32 bytes, got ${msgHash32.length}`);
+    }
+    const signature = secp256k1.secp256k1.sign(msgHash32, this.privateKey, {
+      lowS: true
+      // Enforce low-S canonicalization
+    });
+    const r = signature.r;
+    const s = signature.s;
+    const rBytes = new Uint8Array(32);
+    const sBytes = new Uint8Array(32);
+    const rHex = r.toString(16).padStart(64, "0");
+    const sHex = s.toString(16).padStart(64, "0");
+    for (let i = 0; i < 32; i++) {
+      rBytes[i] = parseInt(rHex.slice(i * 2, i * 2 + 2), 16);
+      sBytes[i] = parseInt(sHex.slice(i * 2, i * 2 + 2), 16);
+    }
+    const yParity = signature.recovery % 2;
+    return {
+      r: rBytes,
+      s: sBytes,
+      yParity
+    };
+  }
+  /**
+   * Sign raw hash without EIP-191 prefix (for EIP-7702)
+   * 
+   * @param digest - 32-byte digest to sign
+   * @returns Signature with r, s, and yParity
+   * @throws Error if digest is invalid
+   */
+  async signRawHash(digest) {
+    return this.signMessage(digest);
+  }
+  /**
+   * Sign EIP-712 typed data
+   */
+  async signTyped(data) {
+    const hash = ethers.TypedDataEncoder.hash(data.domain, data.types, data.message);
+    const msgHash = new Uint8Array(Buffer.from(hash.slice(2), "hex"));
+    const sig = await this.signMessage(msgHash);
+    const rHex = Buffer.from(sig.r).toString("hex");
+    const sHex = Buffer.from(sig.s).toString("hex");
+    const v = (sig.yParity + 27).toString(16).padStart(2, "0");
+    return `0x${rHex}${sHex}${v}`;
+  }
+};
+function evmVerify(pubKeyUncompressed, msgHash32, sig) {
+  if (pubKeyUncompressed.length !== 65 || pubKeyUncompressed[0] !== 4) {
+    throw new Error(`${ERR_INVALID_PARAM}: Public key must be 65 bytes uncompressed (0x04 prefix)`);
+  }
+  if (msgHash32.length !== 32) {
+    throw new Error(`${ERR_INVALID_PARAM}: Message hash must be 32 bytes, got ${msgHash32.length}`);
+  }
+  if (sig.r.length !== 32 || sig.s.length !== 32) {
+    throw new Error(`${ERR_INVALID_PARAM}: Signature r and s must be 32 bytes each`);
+  }
+  const sBigInt = BigInt("0x" + Array.from(sig.s).map((b) => b.toString(16).padStart(2, "0")).join(""));
+  const n = secp256k1.secp256k1.CURVE.n;
+  const nHalf = n / 2n;
+  if (sBigInt > nHalf) {
+    return false;
+  }
+  const x = pubKeyUncompressed.slice(1, 33);
+  const y = pubKeyUncompressed.slice(33, 65);
+  const pubKeyPoint = secp256k1.secp256k1.ProjectivePoint.fromAffine({
+    x: BigInt("0x" + Array.from(x).map((b) => b.toString(16).padStart(2, "0")).join("")),
+    y: BigInt("0x" + Array.from(y).map((b) => b.toString(16).padStart(2, "0")).join(""))
+  });
+  const compressedPubKey = pubKeyPoint.toRawBytes(true);
+  try {
+    const compactSig = new Uint8Array([...sig.r, ...sig.s]);
+    return secp256k1.secp256k1.verify(compactSig, msgHash32, compressedPubKey);
+  } catch {
+    return false;
+  }
+}
+var PasskeyP256Signer = class {
+  constructor(provider) {
+    this.provider = provider;
+  }
+  /**
+   * Get uncompressed P-256 public key (65 bytes)
+   * 
+   * @returns Uncompressed public key with 0x04 prefix
+   */
+  async getPublicKey() {
+    const { x, y } = await this.provider.getPublicKey();
+    if (x.length !== 32 || y.length !== 32) {
+      throw new Error(`${ERR_INVALID_PARAM}: Public key coordinates must be 32 bytes each`);
+    }
+    const pubKey = new Uint8Array(65);
+    pubKey[0] = 4;
+    pubKey.set(x, 1);
+    pubKey.set(y, 33);
+    return pubKey;
+  }
+  /**
+   * Sign message hash using P-256 passkey
+   * 
+   * @param msgHash32 - 32-byte message hash
+   * @returns Signature with r, s, and yParity
+   * @throws Error if message hash is invalid
+   */
+  async signMessage(msgHash32) {
+    if (msgHash32.length !== 32) {
+      throw new Error(`${ERR_INVALID_PARAM}: Message hash must be 32 bytes, got ${msgHash32.length}`);
+    }
+    const { r, s } = await this.provider.signP256(msgHash32);
+    if (r.length !== 32 || s.length !== 32) {
+      throw new Error(`${ERR_INVALID_PARAM}: Signature r and s must be 32 bytes each`);
+    }
+    const { y } = await this.provider.getPublicKey();
+    const yParity = y[y.length - 1] & 1;
+    return {
+      r,
+      s,
+      yParity
+    };
+  }
+  /**
+   * Sign raw hash without EIP-191 prefix (for EIP-7702)
+   * 
+   * @param _digest - 32-byte digest to sign
+   * @returns Signature with r, s, and yParity
+   * @throws Error - P-256 cannot be used for EIP-7702
+   */
+  async signRawHash(_digest) {
+    throw new Error("EIP-7702 authorization requires secp256k1, not P-256. Use Secp256k1SoftwareSigner for EIP-7702.");
+  }
+  /**
+   * Sign EIP-712 typed data
+   */
+  async signTyped(data) {
+    const hash = ethers.TypedDataEncoder.hash(data.domain, data.types, data.message);
+    const msgHash = new Uint8Array(Buffer.from(hash.slice(2), "hex"));
+    const sig = await this.signMessage(msgHash);
+    const rHex = Buffer.from(sig.r).toString("hex");
+    const sHex = Buffer.from(sig.s).toString("hex");
+    const v = sig.yParity.toString(16).padStart(2, "0");
+    return `0x${rHex}${sHex}${v}`;
+  }
+};
+
+// src/wallet/signers/external-wallet-errors.ts
+var EIP1193ErrorCode = /* @__PURE__ */ ((EIP1193ErrorCode2) => {
+  EIP1193ErrorCode2[EIP1193ErrorCode2["USER_REJECTED"] = 4001] = "USER_REJECTED";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["UNAUTHORIZED"] = 4100] = "UNAUTHORIZED";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["UNSUPPORTED_METHOD"] = 4200] = "UNSUPPORTED_METHOD";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["DISCONNECTED"] = 4900] = "DISCONNECTED";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["CHAIN_DISCONNECTED"] = 4901] = "CHAIN_DISCONNECTED";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["UNRECOGNIZED_CHAIN"] = 4902] = "UNRECOGNIZED_CHAIN";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["RESOURCE_UNAVAILABLE"] = -32002] = "RESOURCE_UNAVAILABLE";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["RESOURCE_NOT_FOUND"] = -32001] = "RESOURCE_NOT_FOUND";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["INVALID_INPUT"] = -32e3] = "INVALID_INPUT";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["INTERNAL_ERROR"] = -32603] = "INTERNAL_ERROR";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["INVALID_REQUEST"] = -32600] = "INVALID_REQUEST";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["METHOD_NOT_FOUND"] = -32601] = "METHOD_NOT_FOUND";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["INVALID_PARAMS"] = -32602] = "INVALID_PARAMS";
+  EIP1193ErrorCode2[EIP1193ErrorCode2["PARSE_ERROR"] = -32700] = "PARSE_ERROR";
+  return EIP1193ErrorCode2;
+})(EIP1193ErrorCode || {});
+var WalletError = class extends Error {
+  constructor(message, code, originalError) {
+    super(message);
+    this.code = code;
+    this.originalError = originalError;
+    this.name = "WalletError";
+  }
+};
+var UserRejectedError = class extends WalletError {
+  constructor(message = "User rejected the request", originalError) {
+    super(message, 4001 /* USER_REJECTED */, originalError);
+    this.name = "UserRejectedError";
+  }
+};
+var UnauthorizedError = class extends WalletError {
+  constructor(message = "Unauthorized to perform this action", originalError) {
+    super(message, 4100 /* UNAUTHORIZED */, originalError);
+    this.name = "UnauthorizedError";
+  }
+};
+var UnsupportedMethodError = class extends WalletError {
+  constructor(message = "Method not supported by wallet", originalError) {
+    super(message, 4200 /* UNSUPPORTED_METHOD */, originalError);
+    this.name = "UnsupportedMethodError";
+  }
+};
+var WrongNetworkError = class extends WalletError {
+  constructor(message = "Wrong network", expectedChainId, actualChainId, originalError) {
+    super(message, 4902 /* UNRECOGNIZED_CHAIN */, originalError);
+    this.expectedChainId = expectedChainId;
+    this.actualChainId = actualChainId;
+    this.name = "WrongNetworkError";
+  }
+};
+var ChainNotAddedError = class extends WalletError {
+  constructor(message = "Chain not added to wallet", originalError) {
+    super(message, 4902 /* UNRECOGNIZED_CHAIN */, originalError);
+    this.name = "ChainNotAddedError";
+  }
+};
+var RequestPendingError = class extends WalletError {
+  constructor(message = "Request already pending in wallet", originalError) {
+    super(message, -32002 /* RESOURCE_UNAVAILABLE */, originalError);
+    this.name = "RequestPendingError";
+  }
+};
+function normalizeWalletError(error) {
+  if (error instanceof WalletError) {
+    return error;
+  }
+  if (typeof error === "object" && error !== null) {
+    const err = error;
+    const code = err.code;
+    const message2 = err.message || "Unknown wallet error";
+    switch (code) {
+      case 4001 /* USER_REJECTED */:
+        return new UserRejectedError(message2, error);
+      case 4100 /* UNAUTHORIZED */:
+        return new UnauthorizedError(message2, error);
+      case 4200 /* UNSUPPORTED_METHOD */:
+        return new UnsupportedMethodError(message2, error);
+      case 4902 /* UNRECOGNIZED_CHAIN */:
+        return new ChainNotAddedError(message2, error);
+      case -32002 /* RESOURCE_UNAVAILABLE */:
+        return new RequestPendingError(message2, error);
+      default:
+        return new WalletError(message2, code || -1, error);
+    }
+  }
+  const message = error instanceof Error ? error.message : String(error);
+  return new WalletError(message, -1, error);
+}
+
+// src/wallet/signers/external-wallet.ts
+var ExternalWalletSigner = class {
+  constructor(provider, expectedChainId, address) {
+    this.provider = provider;
+    this.expectedChainId = expectedChainId;
+    this.address = address;
+  }
+  /**
+   * Verify that the wallet is on the correct network
+   * @throws WrongNetworkError if network mismatch
+   */
+  async verifyNetwork() {
+    try {
+      const chainIdHex = await this.provider.request({
+        method: "eth_chainId"
+      });
+      const actualChainId = parseInt(chainIdHex, 16);
+      if (actualChainId !== this.expectedChainId) {
+        throw new WrongNetworkError(
+          `Wrong network. Expected: ${this.expectedChainId}, Got: ${actualChainId}`,
+          this.expectedChainId,
+          actualChainId
+        );
+      }
+    } catch (error) {
+      if (error instanceof WrongNetworkError) {
+        throw error;
+      }
+      throw normalizeWalletError(error);
+    }
+  }
+  /**
+   * Get the wallet address
+   */
+  async getAddress() {
+    return this.address;
+  }
+  /**
+   * Get public key - not directly supported by EIP-1193
+   * Returns a placeholder as external wallets don't expose raw public keys
+   * 
+   * For external wallets, we rely on address-based verification instead
+   */
+  async getPublicKey() {
+    return new Uint8Array(65);
+  }
+  /**
+   * Sign a message hash using personal_sign
+   * 
+   * Note: personal_sign automatically adds EIP-191 prefix
+   * 
+   * @param msgHash32 - 32-byte message hash
+   * @returns Signature components (r, s, yParity)
+   */
+  async signMessage(msgHash32) {
+    try {
+      await this.verifyNetwork();
+      const msgHashHex = "0x" + Array.from(msgHash32).map((b) => b.toString(16).padStart(2, "0")).join("");
+      const signature = await this.provider.request({
+        method: "personal_sign",
+        params: [msgHashHex, this.address]
+      });
+      const sig = signature.startsWith("0x") ? signature.slice(2) : signature;
+      if (sig.length !== 130) {
+        throw new Error(`Invalid signature length: ${sig.length}`);
+      }
+      const r = new Uint8Array(32);
+      const s = new Uint8Array(32);
+      for (let i = 0; i < 32; i++) {
+        r[i] = parseInt(sig.slice(i * 2, i * 2 + 2), 16);
+        s[i] = parseInt(sig.slice(64 + i * 2, 64 + i * 2 + 2), 16);
+      }
+      const v = parseInt(sig.slice(128, 130), 16);
+      const yParity = v === 27 ? 0 : 1;
+      return { r, s, yParity };
+    } catch (error) {
+      throw normalizeWalletError(error);
+    }
+  }
+  /**
+   * Sign raw hash for EIP-7702 authorization
+   * 
+   * External wallets don't support raw hash signing directly (eth_sign is deprecated/disabled).
+   * Instead, we use personal_sign which adds EIP-191 prefix, then we need to account for this
+   * when verifying the signature on-chain.
+   * 
+   * ⚠️ IMPORTANT: This creates a signature over the EIP-191 prefixed message, NOT the raw digest.
+   * The backend/contract must verify accordingly.
+   * 
+   * Alternative approach: Use EIP-712 typed data for authorization (more wallet-friendly)
+   * 
+   * @param digest - 32-byte digest to sign
+   * @returns Signature components (r, s, yParity)
+   * @throws WalletError if signing fails
+   */
+  async signRawHash(digest) {
+    try {
+      await this.verifyNetwork();
+      const digestHex = "0x" + Array.from(digest).map((b) => b.toString(16).padStart(2, "0")).join("");
+      let signature;
+      try {
+        signature = await this.provider.request({
+          method: "eth_sign",
+          params: [this.address, digestHex]
+        });
+      } catch (ethSignError) {
+        if (ethSignError?.code === -32004 || ethSignError?.code === 4200) {
+          throw new Error(
+            'eth_sign is required for EIP-7702 authorization but is disabled in your wallet. \n\nTo enable eth_sign in MetaMask:\n1. Go to Settings \u2192 Advanced\n2. Enable "Eth_sign requests"\n\nNote: eth_sign can be dangerous if used carelessly. Only enable it for trusted dApps.\n\nOriginal error: ' + (ethSignError?.message || "eth_sign not supported")
+          );
+        } else {
+          throw ethSignError;
+        }
+      }
+      const sig = signature.startsWith("0x") ? signature.slice(2) : signature;
+      if (sig.length !== 130) {
+        throw new Error(`Invalid signature length: ${sig.length}`);
+      }
+      const r = new Uint8Array(32);
+      const s = new Uint8Array(32);
+      for (let i = 0; i < 32; i++) {
+        r[i] = parseInt(sig.slice(i * 2, i * 2 + 2), 16);
+        s[i] = parseInt(sig.slice(64 + i * 2, 64 + i * 2 + 2), 16);
+      }
+      const v = parseInt(sig.slice(128, 130), 16);
+      const yParity = v === 27 || v === 0 ? 0 : 1;
+      return { r, s, yParity };
+    } catch (error) {
+      throw normalizeWalletError(error);
+    }
+  }
+  /**
+   * Sign typed data (EIP-712)
+   * 
+   * @param typed - Typed data structure with domain, types, and message
+   * @returns Signature hex string
+   */
+  async signTyped(typed) {
+    try {
+      await this.verifyNetwork();
+      if (typeof typed !== "object" || typed === null) {
+        throw new Error("Invalid typed data: must be an object");
+      }
+      const input = typed;
+      if (!input.domain || !input.types || !input.message) {
+        throw new Error("Invalid typed data: missing domain, types, or message");
+      }
+      const signature = await this.provider.request({
+        method: "eth_signTypedData_v4",
+        params: [this.address, JSON.stringify(input)]
+      });
+      return signature;
+    } catch (error) {
+      throw normalizeWalletError(error);
+    }
+  }
+  /**
+   * Switch to the expected network
+   * 
+   * @returns true if switch successful, false if user rejected
+   * @throws Error if switch fails for other reasons
+   */
+  async switchNetwork() {
+    try {
+      const chainIdHex = "0x" + this.expectedChainId.toString(16);
+      await this.provider.request({
+        method: "wallet_switchEthereumChain",
+        params: [{ chainId: chainIdHex }]
+      });
+      return true;
+    } catch (error) {
+      const normalized = normalizeWalletError(error);
+      if (normalized.code === 4902) {
+        return false;
+      }
+      if (normalized.code === 4001) {
+        return false;
+      }
+      throw normalized;
+    }
+  }
+  /**
+   * Add a new network to the wallet
+   * 
+   * @param chainConfig - Network configuration
+   * @returns true if add successful, false if user rejected
+   */
+  async addNetwork(chainConfig) {
+    try {
+      await this.provider.request({
+        method: "wallet_addEthereumChain",
+        params: [chainConfig]
+      });
+      return true;
+    } catch (error) {
+      const normalized = normalizeWalletError(error);
+      if (normalized.code === 4001) {
+        return false;
+      }
+      throw normalized;
+    }
+  }
+};
+function blobToBase64(blob) {
+  return new Promise((resolve, reject) => {
+    if (blob instanceof Uint8Array || blob instanceof ArrayBuffer) {
+      const bytes = blob instanceof Uint8Array ? blob : new Uint8Array(blob);
+      const binary = String.fromCharCode(...bytes);
+      resolve(btoa(binary));
+    } else if (blob instanceof Blob) {
+      const reader = new FileReader();
+      reader.onloadend = () => {
+        const base64 = reader.result.split(",")[1] || reader.result;
+        resolve(base64);
+      };
+      reader.onerror = reject;
+      reader.readAsDataURL(blob);
+    } else {
+      reject(new Error("Unsupported blob type"));
+    }
+  });
+}
+async function uploadBlob(options) {
+  const {
+    baseUrl,
+    apiKey,
+    accessToken,
+    blob,
+    axiosInstance
+  } = options;
+  if (!apiKey) {
+    throw new Error("apiKey is required");
+  }
+  if (!accessToken) {
+    throw new Error("accessToken is required");
+  }
+  const blobB64 = await blobToBase64(blob);
+  let axiosClient;
+  if (axiosInstance) {
+    axiosClient = axiosInstance;
+  } else {
+    axiosClient = axios__default.default.create({
+      baseURL: baseUrl.replace(/\/+$/, ""),
+      withCredentials: true,
+      headers: {
+        "Content-Type": "application/json",
+        "X-API-Key": String(apiKey),
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+  }
+  const response = await axiosClient.post("/blob/upload", {
+    blobB64
+  });
+  if (!response.data?.ok || !response.data?.data?.key) {
+    const errorMessage = response.data?.error?.message || "Failed to upload blob";
+    throw new Error(errorMessage);
+  }
+  return { key: response.data.data.key };
+}
+function stripTrailingSlash(u) {
+  return u.endsWith("/") ? u.slice(0, -1) : u;
+}
+async function uploadBlobViaPresign(options) {
+  const {
+    baseUrl,
+    apiKey,
+    accessToken,
+    blob,
+    contentType = "application/octet-stream",
+    fetchFn
+  } = options;
+  const f = fetchFn ?? globalThis.fetch;
+  if (typeof f !== "function") {
+    throw new Error("Global fetch is not available; provide options.fetchFn");
+  }
+  const base = stripTrailingSlash(baseUrl);
+  const presignRes = await f(`${base}/blob/presign`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...apiKey ? { "X-API-Key": String(apiKey) } : {},
+      ...accessToken ? { Authorization: `Bearer ${accessToken}` } : {}
+    },
+    // backend expects { op: 'put', contentType }
+    body: JSON.stringify({ op: "put", contentType }),
+    // include cookies if backend also uses cookie-based sessions
+    credentials: "include"
+  });
+  const presignJson = await presignRes.json();
+  if (!presignRes.ok || presignJson && presignJson.ok === false) {
+    const msg = presignJson && presignJson.error && presignJson.error.message || `presign failed with status ${presignRes.status}`;
+    throw new Error(typeof msg === "string" ? msg : "Presign failed");
+  }
+  const url = presignJson?.data?.url ?? presignJson?.url;
+  const s3Key = presignJson?.data?.proposedKey ?? presignJson?.s3Key;
+  if (!url || !s3Key) {
+    throw new Error("Invalid presign response: missing url or s3Key");
+  }
+  const putHeaders = {
+    "Content-Type": contentType,
+    "x-amz-server-side-encryption": "AES256"
+  };
+  const body = typeof Blob !== "undefined" && blob instanceof Blob ? blob : blob;
+  const putRes = await f(url, {
+    method: "PUT",
+    headers: putHeaders,
+    body,
+    // allow browser CORS preflight to succeed
+    // (ignored in Node >= 18 where fetch is not CORS-restricted)
+    mode: "cors"
+  });
+  if (!putRes.ok) {
+    const text = await putRes.text().catch(() => "");
+    throw new Error(`S3 upload failed (${putRes.status}): ${text || putRes.statusText}`);
+  }
+  return { s3Key, url };
+}
+
+// src/chains/evm/constants.ts
+var ZERO_HASH = "0x0000000000000000000000000000000000000000000000000000000000000000";
+var ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
+function computeCallsHash(calls) {
+  const coder = ethers.AbiCoder.defaultAbiCoder();
+  const tupleType = "tuple(address,uint256,bytes,uint256)[]";
+  const values = calls.map((c) => [c.target, c.value, c.data, c.gasLimit]);
+  const encoded = coder.encode([tupleType], [values]);
+  return ethers.keccak256(encoded);
+}
+
+// src/chains/evm/eip712/session.ts
+var DOMAIN = (chainId, verifyingContract) => ({
+  name: "volr",
+  version: "1",
+  chainId,
+  verifyingContract
+});
+var EIP712_DOMAIN = DOMAIN;
+var TYPES = {
+  Call: [
+    { name: "target", type: "address" },
+    { name: "data", type: "bytes" },
+    { name: "value", type: "uint256" },
+    { name: "gasLimit", type: "uint256" }
+  ],
+  SessionAuth: [
+    { name: "chainId", type: "uint256" },
+    { name: "sessionKey", type: "address" },
+    { name: "sessionId", type: "uint64" },
+    { name: "nonce", type: "uint64" },
+    { name: "expiresAt", type: "uint64" },
+    { name: "policyId", type: "bytes32" },
+    { name: "policySnapshotHash", type: "bytes32" },
+    { name: "gasLimitMax", type: "uint256" },
+    { name: "maxFeePerGas", type: "uint256" },
+    { name: "maxPriorityFeePerGas", type: "uint256" },
+    { name: "totalGasCap", type: "uint256" }
+  ],
+  SignedBatch: [
+    { name: "auth", type: "SessionAuth" },
+    { name: "calls", type: "Call[]" },
+    { name: "revertOnFail", type: "bool" },
+    { name: "callsHash", type: "bytes32" }
+  ]
+};
+function buildSignedBatchMessage(input) {
+  const callsHash = computeCallsHash(input.calls);
+  const domain = DOMAIN(Number(input.auth.chainId), input.invokerAddress);
+  const ensureHex = (val) => val.startsWith("0x") ? val : `0x${val}`;
+  const eip712Auth = {
+    chainId: BigInt(input.auth.chainId),
+    sessionKey: ensureHex(input.auth.sessionKey),
+    sessionId: input.auth.sessionId,
+    nonce: input.auth.nonce,
+    expiresAt: BigInt(input.auth.expiresAt),
+    policyId: ensureHex(input.auth.policyId),
+    policySnapshotHash: ensureHex(input.auth.policySnapshotHash),
+    gasLimitMax: input.auth.gasLimitMax,
+    maxFeePerGas: input.auth.maxFeePerGas,
+    maxPriorityFeePerGas: input.auth.maxPriorityFeePerGas,
+    totalGasCap: input.auth.totalGasCap
+  };
+  const eip712Calls = input.calls.map((call) => ({
+    target: ensureHex(call.target),
+    data: ensureHex(call.data),
+    value: call.value,
+    gasLimit: call.gasLimit
+  }));
+  return {
+    domain,
+    primaryType: "SignedBatch",
+    message: {
+      auth: eip712Auth,
+      calls: eip712Calls,
+      revertOnFail: input.revertOnFail ?? true,
+      callsHash
+    },
+    callsHash
+  };
+}
+async function signSession(input) {
+  if (input.from.toLowerCase() !== input.auth.sessionKey.toLowerCase()) {
+    throw new Error(
+      `from address (${input.from}) does not match sessionKey (${input.auth.sessionKey})`
+    );
+  }
+  const message = buildSignedBatchMessage({
+    auth: input.auth,
+    calls: input.calls,
+    invokerAddress: input.invokerAddress
+  });
+  if (!input.signer.signTyped) {
+    throw new Error("Signer must support signTyped for EIP-712 signing");
+  }
+  const typedData = {
+    domain: message.domain,
+    types: TYPES,
+    primaryType: message.primaryType,
+    message: message.message
+  };
+  const sessionSig = await input.signer.signTyped(typedData);
+  return {
+    sessionSig,
+    callsHash: message.callsHash
+  };
+}
+async function signAuthorization(input) {
+  const { signer, chainId, address, nonce } = input;
+  if (chainId === 0) {
+    throw new Error(`${ERR_INVALID_PARAM}: chainId cannot be 0 (use specific chain ID)`);
+  }
+  if (nonce < 0n) {
+    throw new Error(`${ERR_INVALID_PARAM}: nonce must be >= 0`);
+  }
+  if (!address.startsWith("0x") || address.length !== 42) {
+    throw new Error(`${ERR_INVALID_PARAM}: address must be valid Ethereum address`);
+  }
+  const digest = ethers.hashAuthorization({
+    chainId: BigInt(chainId),
+    address: address.toLowerCase(),
+    nonce
+  });
+  const digestBytes = ethers.getBytes(digest);
+  let sig = await signer.signRawHash(digestBytes);
+  const sBigInt = BigInt("0x" + Array.from(sig.s).map((b) => b.toString(16).padStart(2, "0")).join(""));
+  const SECP256K1_N = secp256k1.secp256k1.CURVE.n;
+  const nHalf = SECP256K1_N / 2n;
+  let finalS = sig.s;
+  let finalYParity = sig.yParity;
+  if (sBigInt > nHalf) {
+    const normalizedS = SECP256K1_N - sBigInt;
+    const normalizedSHex = normalizedS.toString(16).padStart(64, "0");
+    finalS = new Uint8Array(32);
+    for (let i = 0; i < 32; i++) {
+      finalS[i] = parseInt(normalizedSHex.slice(i * 2, i * 2 + 2), 16);
+    }
+    finalYParity = finalYParity === 0 ? 1 : 0;
+  }
+  const rHex = Array.from(sig.r).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const sHex = Array.from(finalS).map((b) => b.toString(16).padStart(2, "0")).join("");
+  return {
+    chainId,
+    address: address.toLowerCase(),
+    nonce,
+    yParity: finalYParity,
+    r: `0x${rHex}`,
+    s: `0x${sHex}`
+  };
+}
+
+// src/chains/evm/nonce.ts
+async function getAuthNonce(client, from, mode) {
+  if (!client.getTransactionCount) {
+    throw new Error("RPC client must implement getTransactionCount method. Use ExtendedRPCClient.");
+  }
+  const nonce = await client.getTransactionCount(from, "latest");
+  if (mode === "self") {
+    return nonce + 1n;
+  } else {
+    return nonce;
+  }
+}
+function createPasskeyProvider(passkey, options) {
+  let unwrappedKeypair = null;
+  const ensureSession = async (opts) => {
+    if (opts?.force && unwrappedKeypair) {
+      console.log("[PasskeyProvider] force=true: zeroizing existing session");
+      zeroize(unwrappedKeypair.privateKey);
+      zeroize(unwrappedKeypair.publicKey);
+      unwrappedKeypair = null;
+    }
+    if (unwrappedKeypair) {
+      return;
+    }
+    if (opts?.interactive || opts?.force) {
+      console.log("[PasskeyProvider] interactive mode: triggering WebAuthn prompt");
+      const prfSalt = deriveWrapKey(options.prfInput);
+      const { prfOutput } = await passkey.authenticate({
+        salt: prfSalt,
+        credentialId: options.prfInput.credentialId
+      });
+      const wrapKey = prfOutput;
+      const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
+      const masterSeed = await unsealMasterSeed(
+        options.encryptedBlob.cipher,
+        wrapKey,
+        aad,
+        options.encryptedBlob.nonce
+      );
+      const keypair = deriveEvmKey({ masterSeed });
+      unwrappedKeypair = {
+        privateKey: keypair.privateKey,
+        publicKey: keypair.publicKey,
+        address: keypair.address
+      };
+      zeroize(masterSeed);
+      zeroize(wrapKey);
+      zeroize(prfSalt);
+    } else {
+      console.warn("[PasskeyProvider] Non-interactive mode: using deterministic wrap key (insecure for TTL=0)");
+      const wrapKey = deriveWrapKey(options.prfInput);
+      const aad = options.aad || new TextEncoder().encode("volr/master-seed/v1");
+      const masterSeed = await unsealMasterSeed(
+        options.encryptedBlob.cipher,
+        wrapKey,
+        aad,
+        options.encryptedBlob.nonce
+      );
+      const keypair = deriveEvmKey({ masterSeed });
+      unwrappedKeypair = {
+        privateKey: keypair.privateKey,
+        publicKey: keypair.publicKey,
+        address: keypair.address
+      };
+      zeroize(masterSeed);
+      zeroize(wrapKey);
+    }
+  };
+  const getAddress = async () => {
+    await ensureSession();
+    if (!unwrappedKeypair) {
+      throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
+    }
+    return toChecksumAddress(unwrappedKeypair.address);
+  };
+  const signMessage = async (hash32) => {
+    if (hash32.length !== 32) {
+      throw new Error(`${ERR_INVALID_PARAM}: Message hash must be 32 bytes, got ${hash32.length}`);
+    }
+    await ensureSession();
+    if (!unwrappedKeypair) {
+      throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
+    }
+    const sig = evmSign(unwrappedKeypair.privateKey, hash32);
+    return {
+      r: sig.r,
+      s: sig.s,
+      yParity: sig.yParity
+    };
+  };
+  const signTypedData = async (input) => {
+    await ensureSession();
+    if (!unwrappedKeypair) {
+      throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
+    }
+    console.log("[PasskeyProvider] signTypedData input:", JSON.stringify(
+      input,
+      (_key, value) => typeof value === "bigint" ? value.toString() : value
+    ));
+    const hash = ethers.TypedDataEncoder.hash(input.domain, input.types, input.message);
+    const msgHash = hash;
+    console.log("[PasskeyProvider] msgHash:", msgHash);
+    const msgHashBytes = new Uint8Array(32);
+    const hex = msgHash.startsWith("0x") ? msgHash.slice(2) : msgHash;
+    for (let i = 0; i < 32; i++) {
+      msgHashBytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    }
+    const sig = await signMessage(msgHashBytes);
+    const v = sig.yParity + 27;
+    const rHex = Array.from(sig.r).map((b) => b.toString(16).padStart(2, "0")).join("");
+    const sHex = Array.from(sig.s).map((b) => b.toString(16).padStart(2, "0")).join("");
+    const vHex = v.toString(16).padStart(2, "0");
+    return `0x${rHex}${sHex}${vHex}`;
+  };
+  const getPublicKey = async () => {
+    await ensureSession();
+    if (!unwrappedKeypair) {
+      throw new Error(`${ERR_INVALID_PARAM}: Session not established`);
+    }
+    return new Uint8Array(unwrappedKeypair.publicKey);
+  };
+  const lock = async () => {
+    if (unwrappedKeypair) {
+      console.log("[PasskeyProvider] lock(): zeroizing sensitive data from memory");
+      zeroize(unwrappedKeypair.privateKey);
+      zeroize(unwrappedKeypair.publicKey);
+      unwrappedKeypair = null;
+    }
+  };
+  return {
+    keyStorageType: "passkey",
+    ensureSession,
+    getAddress,
+    signMessage,
+    signTypedData,
+    getPublicKey,
+    lock,
+    capabilities: {
+      secp256k1: true,
+      p256: false
+      // Passkey provider uses secp256k1 after unwrapping
+    }
+  };
+}
+
+// src/chains/evm/providers/mpcProvider.ts
+function createMpcProvider(transport) {
+  return {
+    keyStorageType: "mpc",
+    ensureSession: () => transport.ensureSession(),
+    getAddress: () => transport.getAddress(),
+    signMessage: (hash32) => transport.signMessage(hash32),
+    signTypedData: (input) => transport.signTypedData(input),
+    getPublicKey: transport.getPublicKey ? () => transport.getPublicKey() : void 0,
+    capabilities: {
+      secp256k1: true,
+      p256: false
+      // MPC uses secp256k1 via backend
+    }
+  };
+}
+
+// src/chains/evm/signers/selectSigner.ts
+async function selectSigner(ctx) {
+  const { provider } = ctx;
+  if (provider.getPublicKey) {
+    return new ProviderBackedSigner(provider);
+  }
+  throw new Error(
+    `${ERR_INVALID_PARAM}: Provider must expose getPublicKey() for signer creation. Use provider.signMessage() directly or implement getPublicKey() in provider.`
+  );
+}
+var ProviderBackedSigner = class {
+  constructor(provider) {
+    this.provider = provider;
+    if (!provider.getPublicKey) {
+      throw new Error(`${ERR_INVALID_PARAM}: Provider must implement getPublicKey()`);
+    }
+  }
+  async getPublicKey() {
+    return this.provider.getPublicKey();
+  }
+  async signMessage(msgHash32) {
+    return this.provider.signMessage(msgHash32);
+  }
+  async signRawHash(digest) {
+    return this.provider.signMessage(digest);
+  }
+  async signTyped(typed) {
+    if (typeof typed === "object" && typed !== null) {
+      const input = typed;
+      return this.provider.signTypedData(input);
+    }
+    throw new Error(`${ERR_INVALID_PARAM}: Invalid typed data input`);
+  }
+};
+
+// src/wallet/signer.ts
+var ProviderBackedSigner2 = class {
+  constructor(provider) {
+    this.provider = provider;
+    if (!provider.getPublicKey) {
+      throw new Error(`${ERR_INVALID_PARAM}: Provider must implement getPublicKey()`);
+    }
+  }
+  async getPublicKey() {
+    return this.provider.getPublicKey();
+  }
+  async signMessage(msgHash32) {
+    return this.provider.signMessage(msgHash32);
+  }
+  async signRawHash(_digest) {
+    throw new Error("EIP-7702 raw hash signing not supported by wallet provider. Use Secp256k1SoftwareSigner for EIP-7702.");
+  }
+  async signTyped(typed) {
+    if (typeof typed === "object" && typed !== null) {
+      const input = typed;
+      return this.provider.signTypedData(input);
+    }
+    throw new Error(`${ERR_INVALID_PARAM}: Invalid typed data input`);
+  }
+};
+async function selectSigner2(ctx) {
+  const { provider, secpKey } = ctx;
+  if (provider) {
+    if (!provider.getPublicKey) {
+      throw new Error(
+        `${ERR_INVALID_PARAM}: Provider must implement getPublicKey() for signer creation. Use provider.signMessage() directly or implement getPublicKey() in provider.`
+      );
+    }
+    return {
+      kind: "secp256k1",
+      // Provider signs with secp256k1
+      signer: new ProviderBackedSigner2(provider)
+    };
+  }
+  if (secpKey) {
+    return {
+      kind: "secp256k1",
+      signer: new Secp256k1SoftwareSigner(secpKey)
+    };
+  }
+  throw new Error(
+    `${ERR_INVALID_PARAM}: No signer input available. Provide either provider, passkey (for P-256), or secpKey (for secp256k1).`
+  );
+}
+
+exports.ChainNotAddedError = ChainNotAddedError;
+exports.DEFAULT_EVM_PATH = DEFAULT_EVM_PATH;
+exports.DOMAIN = DOMAIN;
+exports.EIP1193ErrorCode = EIP1193ErrorCode;
+exports.EIP712_DOMAIN = EIP712_DOMAIN;
+exports.ERR_AAD_MISMATCH = ERR_AAD_MISMATCH;
+exports.ERR_CHAIN_MISMATCH = ERR_CHAIN_MISMATCH;
+exports.ERR_CRYPTO_FAIL = ERR_CRYPTO_FAIL;
+exports.ERR_INVALID_PARAM = ERR_INVALID_PARAM;
+exports.ERR_LOW_ENTROPY = ERR_LOW_ENTROPY;
+exports.ERR_NONCE_SIZE = ERR_NONCE_SIZE;
+exports.ExternalWalletSigner = ExternalWalletSigner;
+exports.PasskeyP256Signer = PasskeyP256Signer;
+exports.RequestPendingError = RequestPendingError;
+exports.Secp256k1SoftwareSigner = Secp256k1SoftwareSigner;
+exports.TYPES = TYPES;
+exports.UnauthorizedError = UnauthorizedError;
+exports.UnsupportedMethodError = UnsupportedMethodError;
+exports.UserRejectedError = UserRejectedError;
+exports.VolrError = VolrError;
+exports.WalletError = WalletError;
+exports.WrongNetworkError = WrongNetworkError;
+exports.ZERO_ADDRESS = ZERO_ADDRESS;
+exports.ZERO_HASH = ZERO_HASH;
+exports.aesGcmDecrypt = aesGcmDecrypt;
+exports.aesGcmEncrypt = aesGcmEncrypt;
+exports.buildSignedBatchMessage = buildSignedBatchMessage;
+exports.computeCallsHash = computeCallsHash;
+exports.createMasterKeyProvider = createMasterKeyProvider;
+exports.createMpcProvider = createMpcProvider;
+exports.createPasskeyProvider = createPasskeyProvider;
+exports.deriveEvmKey = deriveEvmKey;
+exports.deriveWrapKey = deriveWrapKey;
+exports.evmSign = evmSign;
+exports.evmVerify = evmVerify;
+exports.getAuthNonce = getAuthNonce;
+exports.getRandomBytes = getRandomBytes;
+exports.hkdfSha256 = hkdfSha256;
+exports.normalizeWalletError = normalizeWalletError;
+exports.sealMasterSeed = sealMasterSeed;
+exports.selectSigner = selectSigner;
+exports.selectSignerLegacy = selectSigner2;
+exports.signAuthorization = signAuthorization;
+exports.signSession = signSession;
+exports.toChecksumAddress = toChecksumAddress;
+exports.unsealMasterSeed = unsealMasterSeed;
+exports.uploadBlob = uploadBlob;
+exports.uploadBlobViaPresign = uploadBlobViaPresign;
+exports.zeroize = zeroize;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map