@workit-poa/hedera-kms-wallet 0.1.0

package/.env.example

@@ -0,0 +1,21 @@
+# AWS credentials/region
+AWS_REGION=us-east-1
+# AWS_DEFAULT_REGION=us-east-1
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+
+# Hedera operator (choose one pair)
+OPERATOR_ID=0.0.0
+OPERATOR_KEY=
+# Optional: force key parsing mode ("ecdsa" | "ed25519" | "der")
+OPERATOR_KEY_TYPE=
+# HEDERA_OPERATOR_ID=0.0.0
+# HEDERA_OPERATOR_KEY=
+
+# Hedera network
+HEDERA_NETWORK=testnet
+
+# Optional provisioning defaults
+# Used by provisionHederaAccountForUser() when creating a new key.
+HEDERA_KMS_ALIAS_PREFIX=alias/workit-user
+HEDERA_KMS_KEY_DESCRIPTION_PREFIX=Workit Hedera key for user

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Workit
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,228 @@
+# @workit-poa/hedera-kms-wallet
+
+Secure Hedera wallet abstraction backed by AWS KMS asymmetric keys (`ECC_SECG_P256K1`, `SIGN_VERIFY`).
+
+Primary references used:
+- Hedera: https://docs.hedera.com/hedera/core-concepts/accounts/account-properties
+- Hedera AWS KMS guide: https://docs.hedera.com/hedera/sdks-and-apis/sdks/client#how-to-sign-a-transaction-with-aws-kms
+- HIP-222 (ECDSA(secp256k1) transaction signatures): https://hips.hedera.com/hip/hip-222
+- AWS KMS `GetPublicKey`: https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html
+- AWS KMS + CloudTrail logging: https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html
+
+## Architecture
+
+Components:
+- App backend (`libs/auth`) triggers provisioning + signing calls.
+- AWS KMS stores and uses secp256k1 private keys for signing.
+- Hedera SDK prepares/freeze/sign/submit transactions.
+- Hedera Testnet/Mainnet receives signed transactions.
+
+Data model mapping:
+- `userId` -> `kmsKeyId`/`kmsKeyArn` -> `hederaAccountId` (+ public key fingerprint)
+
+Trust boundaries:
+- Client/UI never receives private key material.
+- Backend runtime can only request `kms:Sign` and key metadata/public key reads.
+- KMS boundary enforces non-exportability of private keys.
+- New keys are created only with explicit least-privilege `policyBindings`.
+- Existing/replacement key usage is verified against KMS tags (`app=workit`, `userId=<owner>`).
+
+## Security Controls
+
+### IAM least privilege
+
+Use separate IAM roles:
+- Key admin role: create/manage key lifecycle and aliases.
+- Runtime signer role: sign and read public key metadata only.
+
+Policy guidance is exposed by `kmsAccessPolicyGuidance()` in `src/kmsKeyManager.ts`.
+Key creation is enforced with explicit key policy input via:
+- `policyBindings` + `buildLeastPrivilegeKeyPolicy()`.
+
+Custom `keyPolicy` overrides and `allowUnsafeDefaultKeyPolicy` bypasses are rejected.
+
+Runtime role should allow only:
+- `kms:Sign`
+- `kms:GetPublicKey`
+- `kms:DescribeKey`
+- `kms:ListResourceTags`
+
+Resource scope:
+- Restrict to specific key ARN(s), never `*`.
+
+### No private keys on client
+
+- Private key generation and custody stays inside KMS.
+- Signing uses KMS `Sign` API.
+- Package converts returned DER signature to Hedera-compatible raw 64-byte `(r||s)` format.
+
+### Audit logging / compliance
+
+AWS CloudTrail logs KMS control-plane and cryptographic API calls.
+Key events to filter in CloudTrail Event History:
+- `CreateKey`
+- `CreateAlias`
+- `GetPublicKey`
+- `Sign`
+- `DescribeKey`
+
+Fields to verify for audit evidence:
+- `eventTime`
+- `eventName`
+- `userIdentity` (principal/role)
+- `requestParameters.keyId`
+- `sourceIPAddress`
+- `awsRegion`
+
+Package-level audit hook:
+- Pass `auditLogger` to provisioning/key functions to emit structured operation events (`CreateKey`, `CreateAlias`, `DescribeKey`, `GetPublicKey`, `ListResourceTags`, `EnableKeyRotation`, `Sign`, `ProvisionAccount`, `RotateAccountKey`) into your SIEM/app logs.
+
+## Bounty Requirement Mapping
+
+- Secure key generation/storage/rotation:
+  - `createUserKmsKey()` creates `ECC_SECG_P256K1` `SIGN_VERIFY` keys.
+  - `rotateHederaAccountKmsKey()` performs managed rotation by creating/reusing a replacement KMS key and submitting Hedera `AccountUpdateTransaction`.
+  - Asymmetric KMS auto-rotation limitation is handled by key replacement workflow rather than automatic in-place rotation.
+- Submit a Hedera transaction:
+  - `examples/hedera-kms-wallet-demo/src/kms-hedera-demo.ts` submits a topic message or tinybar transfer on testnet.
+- Access controls + audit logging:
+  - IAM policy templates via `kmsAccessPolicyGuidance()`.
+  - Enforced create-time key policy requirements in `createUserKmsKey()`.
+  - CloudTrail verification section above.
+- Signing without private-key exposure:
+  - `createKmsHederaSigner()` calls `kms:Sign`; only public key and signatures leave KMS.
+- Working prototype + docs:
+  - This package + `examples/hedera-kms-wallet-demo` + this README.
+
+## How to Run Demo
+
+Required environment variables:
+- AWS:
+  - `AWS_REGION`
+  - `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` (or attach IAM role)
+  - `AWS_ACCOUNT_ID` (required when creating a new KMS key)
+  - `KMS_KEY_ADMIN_PRINCIPAL_ARN` (required when creating a new KMS key)
+  - `KMS_RUNTIME_SIGNER_PRINCIPAL_ARN` (required when creating a new KMS key)
+- Hedera:
+  - `HEDERA_NETWORK=testnet`
+  - `OPERATOR_ID` and `OPERATOR_KEY` (also supports `HEDERA_OPERATOR_ID`/`HEDERA_OPERATOR_KEY`)
+- Optional:
+  - `KMS_KEY_ID` (reuse existing key)
+  - `HEDERA_USER_ACCOUNT_ID` (reuse existing account)
+  - `DEMO_MODE=topic` (default) or `DEMO_MODE=transfer`
+  - `HEDERA_NEW_ACCOUNT_INITIAL_HBAR=1` (required and must be `> 0` when provisioning a new demo account)
+
+Environment file location for demo:
+- Put env vars in `examples/hedera-kms-wallet-demo/.env` (preferred for this demo package)
+- The demo also reads repo-root `../../.env` as fallback
+- Start from `examples/hedera-kms-wallet-demo/.env.example`
+
+Fail-fast behavior:
+- Demo validates `DEMO_MODE` and `DEMO_TRANSFER_TINYBAR` before running.
+- If provisioning a new account (missing `KMS_KEY_ID` or `HEDERA_USER_ACCOUNT_ID`), it fails early unless `HEDERA_NEW_ACCOUNT_INITIAL_HBAR > 0`.
+- If provisioning a new account, it also fails early unless secure key policy bindings are provided (`AWS_ACCOUNT_ID`, `KMS_KEY_ADMIN_PRINCIPAL_ARN`, `KMS_RUNTIME_SIGNER_PRINCIPAL_ARN`).
+
+Run:
+
+```bash
+pnpm demo:kms-hedera
+```
+
+or directly:
+
+```bash
+pnpm --filter @workit-poa/hedera-kms-wallet-demo demo:kms-hedera
+```
+
+Expected output includes:
+- KMS key id
+- compressed public key
+- Hedera account id
+- transaction id
+- receipt status
+- mirror/hashscan link
+
+## Testing
+
+Run package tests (Vitest):
+
+```bash
+pnpm --filter @workit-poa/hedera-kms-wallet test
+```
+
+Run coverage report:
+
+```bash
+pnpm --filter @workit-poa/hedera-kms-wallet test:coverage
+```
+
+Environment file location for tests:
+- Current unit tests are mocked and do not require env vars
+- If you add env-dependent tests, use `libs/hedera-kms-wallet/.env.test`
+- For machine-local secrets, use `libs/hedera-kms-wallet/.env.test.local` (gitignored)
+
+## Publishing
+
+Package is configured for npm publishing:
+- entrypoints: `dist/index.js` + `dist/index.d.ts`
+- export map in `package.json`
+- published files restricted to `dist`, `README.md`, `.env.example`, and `LICENSE`
+- `pnpm --filter @workit-poa/hedera-kms-wallet prepack` runs clean + lint + tests + build
+
+Pack and inspect:
+
+```bash
+pnpm --filter @workit-poa/hedera-kms-wallet prepack
+pnpm --filter @workit-poa/hedera-kms-wallet pack
+```
+
+## Integration With Workit Auth
+
+`libs/auth/src/wallet-provisioning.ts` should call `provisionHederaAccountForUser()` and persist:
+- `kmsKeyId`
+- `hederaAccountId`
+- `hederaPublicKeyFingerprint`
+
+For key rotation, call `rotateHederaAccountKmsKey()` and update persisted values:
+- new `kmsKeyId`
+- new `hederaPublicKeyFingerprint`
+- old key lifecycle status (disabled/scheduled for deletion) per your operations policy
+
+Security default:
+- Runtime flows should pass an `existingKeyId` and keep `allowKeyCreation=false`.
+- Admin provisioning flows can set `allowKeyCreation=true` with explicit `policyBindings`.
+
+## Rotation Notes
+
+AWS KMS automatic rotation is not currently supported for asymmetric secp256k1 signing keys.
+This package provides `rotateHederaAccountKmsKey()` to execute the supported rotation workflow:
+1. Create (or reuse) replacement KMS secp256k1 signing key.
+2. Build `AccountUpdateTransaction` with the replacement public key.
+3. Co-sign update using current key and replacement key.
+4. Submit transaction and return new key metadata/fingerprint.
+5. Persist new key mapping and retire old key per policy.
+
+Minimal example:
+
+```ts
+import { rotateHederaAccountKmsKey } from "@workit-poa/hedera-kms-wallet";
+
+const rotated = await rotateHederaAccountKmsKey({
+  userId: "user-123",
+  accountId: "0.0.12345",
+  currentKeyId: "old-kms-key-id",
+  policyBindings: {
+    accountId: process.env.AWS_ACCOUNT_ID!,
+    keyAdminPrincipalArn: process.env.KMS_KEY_ADMIN_PRINCIPAL_ARN!,
+    runtimeSignerPrincipalArn: process.env.KMS_RUNTIME_SIGNER_PRINCIPAL_ARN!
+  }
+});
+```
+
+## Future Hardening
+
+- Per-user provisioning rate limits and key quotas.
+- Automated key disable/schedule-deletion workflows.
+- Incident-response runbooks for compromised app credentials.
+- Strong tenancy boundaries using per-tenant roles and tighter resource conditions.
+- CloudTrail Lake alerts for suspicious signing patterns.

package/dist/hederaClient.d.ts

@@ -0,0 +1,50 @@
+import { Client, Transaction, type TransactionReceipt, type TransactionResponse } from "@hashgraph/sdk";
+import type { KmsHederaSigner } from "./kmsSigner";
+export type HederaNetwork = "testnet" | "mainnet";
+export interface WalletDetails {
+    accountId: string;
+    network: HederaNetwork;
+    evmAddress?: string;
+}
+export interface HederaOperatorConfig {
+    network?: HederaNetwork;
+    operatorId: string;
+    operatorKey: string;
+}
+export interface HederaSubmitResult {
+    transactionId: string;
+    receiptStatus: string;
+    receipt: TransactionReceipt;
+    mirrorLink?: string;
+}
+export declare function createHederaClient(config: HederaOperatorConfig): Client;
+export declare function getWalletDetails(accountId: string, network?: HederaNetwork): WalletDetails;
+export declare function createHederaClientFromEnv(): {
+    client: Client;
+    network: HederaNetwork;
+    operatorId: string;
+};
+export declare function addKmsSignatureToFrozenTransaction(transaction: Transaction, signer: KmsHederaSigner): Promise<void>;
+export declare function executeSignedTransaction<Tx extends Transaction>(client: Client, transaction: Tx): Promise<{
+    response: TransactionResponse;
+    receipt: TransactionReceipt;
+}>;
+export declare function submitTopicMessageWithKmsSignature(params: {
+    client: Client;
+    signer: KmsHederaSigner;
+    topicMemo?: string;
+    message: string;
+    network?: HederaNetwork;
+}): Promise<HederaSubmitResult & {
+    topicId: string;
+}>;
+export declare function submitTinybarTransferWithKmsSignature(params: {
+    client: Client;
+    signer: KmsHederaSigner;
+    fromAccountId: string;
+    toAccountId: string;
+    amountTinybar: number;
+    network?: HederaNetwork;
+}): Promise<HederaSubmitResult>;
+export declare function mirrorLinkForTransaction(network: HederaNetwork, transactionId: string): string;
+//# sourceMappingURL=hederaClient.d.ts.map

package/dist/hederaClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hederaClient.d.ts","sourceRoot":"","sources":["../src/hederaClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,MAAM,EAKN,WAAW,EACX,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EAEzB,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,SAAS,CAAC;AAElD,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,aAAa,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,kBAAkB,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAyCD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAKvE;AAED,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,GAAE,aAAyB,GAAG,aAAa,CAErG;AAED,wBAAgB,yBAAyB,IAAI;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,aAAa,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAc1G;AAED,wBAAsB,kCAAkC,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAQzH;AAED,wBAAsB,wBAAwB,CAAC,EAAE,SAAS,WAAW,EACnE,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,EAAE,GACd,OAAO,CAAC;IAAE,QAAQ,EAAE,mBAAmB,CAAC;IAAC,OAAO,EAAE,kBAAkB,CAAA;CAAE,CAAC,CAIzE;AAED,wBAAsB,kCAAkC,CAAC,MAAM,EAAE;IAC/D,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,eAAe,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB,GAAG,OAAO,CAAC,kBAAkB,GAAG;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAgCpD;AAED,wBAAsB,qCAAqC,CAAC,MAAM,EAAE;IAClE,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,eAAe,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAuB9B;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAK9F"}

package/dist/hederaClient.js

@@ -0,0 +1,136 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createHederaClient = createHederaClient;
+exports.getWalletDetails = getWalletDetails;
+exports.createHederaClientFromEnv = createHederaClientFromEnv;
+exports.addKmsSignatureToFrozenTransaction = addKmsSignatureToFrozenTransaction;
+exports.executeSignedTransaction = executeSignedTransaction;
+exports.submitTopicMessageWithKmsSignature = submitTopicMessageWithKmsSignature;
+exports.submitTinybarTransferWithKmsSignature = submitTinybarTransferWithKmsSignature;
+exports.mirrorLinkForTransaction = mirrorLinkForTransaction;
+const sdk_1 = require("@hashgraph/sdk");
+function parseNetwork(network) {
+    if (!network || network === "testnet")
+        return "testnet";
+    if (network === "mainnet")
+        return "mainnet";
+    throw new Error(`Unsupported HEDERA_NETWORK "${network}". Expected "testnet" or "mainnet".`);
+}
+function parseOperatorPrivateKey(operatorKey) {
+    const value = operatorKey.trim();
+    const hexValue = value.startsWith("0x") ? value.slice(2) : value;
+    const isHex = /^[0-9a-fA-F]+$/.test(hexValue);
+    if (isHex && sdk_1.PrivateKey.isDerKey(hexValue)) {
+        return sdk_1.PrivateKey.fromStringDer(hexValue);
+    }
+    const explicitType = process.env.OPERATOR_KEY_TYPE?.toLowerCase();
+    if (explicitType === "ecdsa" || explicitType === "secp256k1") {
+        return sdk_1.PrivateKey.fromStringECDSA(hexValue);
+    }
+    if (explicitType === "ed25519") {
+        return sdk_1.PrivateKey.fromStringED25519(hexValue);
+    }
+    if (explicitType === "der") {
+        return sdk_1.PrivateKey.fromStringDer(hexValue);
+    }
+    if (isHex) {
+        // Prefer ECDSA first to match secp256k1 wallet flow used in this project.
+        try {
+            return sdk_1.PrivateKey.fromStringECDSA(hexValue);
+        }
+        catch {
+            return sdk_1.PrivateKey.fromStringED25519(hexValue);
+        }
+    }
+    // Non-hex formats (mnemonic/legacy encodings) still require generic parsing.
+    return sdk_1.PrivateKey.fromString(value);
+}
+function createHederaClient(config) {
+    const network = parseNetwork(config.network);
+    const client = network === "mainnet" ? sdk_1.Client.forMainnet() : sdk_1.Client.forTestnet();
+    client.setOperator(sdk_1.AccountId.fromString(config.operatorId), parseOperatorPrivateKey(config.operatorKey));
+    return client;
+}
+function getWalletDetails(accountId, network = "testnet") {
+    return { accountId, network };
+}
+function createHederaClientFromEnv() {
+    const network = parseNetwork(process.env.HEDERA_NETWORK);
+    const operatorId = process.env.OPERATOR_ID || process.env.HEDERA_OPERATOR_ID;
+    const operatorKey = process.env.OPERATOR_KEY || process.env.HEDERA_OPERATOR_KEY;
+    if (!operatorId || !operatorKey) {
+        throw new Error("Missing OPERATOR_ID/OPERATOR_KEY (or HEDERA_OPERATOR_ID/HEDERA_OPERATOR_KEY)");
+    }
+    return {
+        client: createHederaClient({ network, operatorId, operatorKey }),
+        network,
+        operatorId
+    };
+}
+async function addKmsSignatureToFrozenTransaction(transaction, signer) {
+    await transaction.signWith(signer.hederaPublicKey, async (bodyBytes) => {
+        const signature = await signer.sign(bodyBytes);
+        if (signature.length !== 64) {
+            throw new Error("Signer must return a 64-byte (r||s) secp256k1 signature");
+        }
+        return signature;
+    });
+}
+async function executeSignedTransaction(client, transaction) {
+    const response = await transaction.execute(client);
+    const receipt = await response.getReceipt(client);
+    return { response, receipt };
+}
+async function submitTopicMessageWithKmsSignature(params) {
+    const { client, signer, message, topicMemo, network = "testnet" } = params;
+    const createTopicTx = await new sdk_1.TopicCreateTransaction()
+        .setTopicMemo(topicMemo ?? "workit-kms-demo-topic")
+        .setSubmitKey(signer.hederaPublicKey)
+        .freezeWith(client);
+    await addKmsSignatureToFrozenTransaction(createTopicTx, signer);
+    const { response: topicCreateResponse, receipt: topicCreateReceipt } = await executeSignedTransaction(client, createTopicTx);
+    const topicId = topicCreateReceipt.topicId?.toString();
+    if (!topicId) {
+        throw new Error("Topic creation did not return a topic id");
+    }
+    const submitMessageTx = await new sdk_1.TopicMessageSubmitTransaction()
+        .setTopicId(topicId)
+        .setMessage(message)
+        .freezeWith(client);
+    await addKmsSignatureToFrozenTransaction(submitMessageTx, signer);
+    const { response, receipt } = await executeSignedTransaction(client, submitMessageTx);
+    const transactionId = response.transactionId.toString();
+    return {
+        topicId,
+        transactionId,
+        receipt,
+        receiptStatus: receipt.status.toString(),
+        mirrorLink: mirrorLinkForTransaction(network, transactionId)
+    };
+}
+async function submitTinybarTransferWithKmsSignature(params) {
+    const { client, signer, fromAccountId, toAccountId, amountTinybar, network = "testnet" } = params;
+    if (!Number.isSafeInteger(amountTinybar) || amountTinybar <= 0) {
+        throw new Error("amountTinybar must be a positive safe integer");
+    }
+    const tx = await new sdk_1.TransferTransaction()
+        .addHbarTransfer(sdk_1.AccountId.fromString(fromAccountId), sdk_1.Hbar.fromTinybars(-amountTinybar))
+        .addHbarTransfer(sdk_1.AccountId.fromString(toAccountId), sdk_1.Hbar.fromTinybars(amountTinybar))
+        .freezeWith(client);
+    await addKmsSignatureToFrozenTransaction(tx, signer);
+    const { response, receipt } = await executeSignedTransaction(client, tx);
+    const transactionId = response.transactionId.toString();
+    return {
+        transactionId,
+        receipt,
+        receiptStatus: receipt.status.toString(),
+        mirrorLink: mirrorLinkForTransaction(network, transactionId)
+    };
+}
+function mirrorLinkForTransaction(network, transactionId) {
+    if (!transactionId.trim()) {
+        throw new Error("transactionId is required");
+    }
+    return `https://hashscan.io/${network}/transaction/${encodeURIComponent(transactionId)}`;
+}
+//# sourceMappingURL=hederaClient.js.map

package/dist/hederaClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hederaClient.js","sourceRoot":"","sources":["../src/hederaClient.ts"],"names":[],"mappings":";;AAyEA,gDAKC;AAED,4CAEC;AAED,8DAcC;AAED,gFAQC;AAED,4DAOC;AAED,gFAsCC;AAED,sFA8BC;AAED,4DAKC;AApMD,wCAWwB;AAuBxB,SAAS,YAAY,CAAC,OAAgB;IACpC,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxD,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC5C,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,qCAAqC,CAAC,CAAC;AAC/F,CAAC;AAED,SAAS,uBAAuB,CAAC,WAAmB;IAClD,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IACjE,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAE9C,IAAI,KAAK,IAAI,gBAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3C,OAAO,gBAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,WAAW,EAAE,CAAC;IAClE,IAAI,YAAY,KAAK,OAAO,IAAI,YAAY,KAAK,WAAW,EAAE,CAAC;QAC7D,OAAO,gBAAU,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,gBAAU,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QAC3B,OAAO,gBAAU,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACV,0EAA0E;QAC1E,IAAI,CAAC;YACH,OAAO,gBAAU,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,gBAAU,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,OAAO,gBAAU,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;AACtC,CAAC;AAED,SAAgB,kBAAkB,CAAC,MAA4B;IAC7D,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,YAAM,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,YAAM,CAAC,UAAU,EAAE,CAAC;IACjF,MAAM,CAAC,WAAW,CAAC,eAAS,CAAC,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,uBAAuB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC;IACzG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,gBAAgB,CAAC,SAAiB,EAAE,UAAyB,SAAS;IACpF,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;AAChC,CAAC;AAED,SAAgB,yBAAyB;IACvC,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAC7E,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAEhF,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,8EAA8E,CAAC,CAAC;IAClG,CAAC;IAED,OAAO;QACL,MAAM,EAAE,kBAAkB,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;QAChE,OAAO;QACP,UAAU;KACX,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,kCAAkC,CAAC,WAAwB,EAAE,MAAuB;IACxG,MAAM,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,KAAK,EAAC,SAAS,EAAC,EAAE;QACnE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC7E,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC;AAEM,KAAK,UAAU,wBAAwB,CAC5C,MAAc,EACd,WAAe;IAEf,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAClD,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAEM,KAAK,UAAU,kCAAkC,CAAC,MAMxD;IACC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,MAAM,CAAC;IAE3E,MAAM,aAAa,GAAG,MAAM,IAAI,4BAAsB,EAAE;SACrD,YAAY,CAAC,SAAS,IAAI,uBAAuB,CAAC;SAClD,YAAY,CAAC,MAAM,CAAC,eAAe,CAAC;SACpC,UAAU,CAAC,MAAM,CAAC,CAAC;IAEtB,MAAM,kCAAkC,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAChE,MAAM,EAAE,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,wBAAwB,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAE7H,MAAM,OAAO,GAAG,kBAAkB,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC;IACvD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,IAAI,mCAA6B,EAAE;SAC9D,UAAU,CAAC,OAAO,CAAC;SACnB,UAAU,CAAC,OAAO,CAAC;SACnB,UAAU,CAAC,MAAM,CAAC,CAAC;IAEtB,MAAM,kCAAkC,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,wBAAwB,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;IAEtF,MAAM,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;IACxD,OAAO;QACL,OAAO;QACP,aAAa;QACb,OAAO;QACP,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE;QACxC,UAAU,EAAE,wBAAwB,CAAC,OAAO,EAAE,aAAa,CAAC;KAC7D,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,qCAAqC,CAAC,MAO3D;IACC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,MAAM,CAAC;IAElG,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,aAAa,CAAC,IAAI,aAAa,IAAI,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,IAAI,yBAAmB,EAAE;SACvC,eAAe,CAAC,eAAS,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,UAAI,CAAC,YAAY,CAAC,CAAC,aAAa,CAAC,CAAC;SACvF,eAAe,CAAC,eAAS,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,UAAI,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;SACpF,UAAU,CAAC,MAAM,CAAC,CAAC;IAEtB,MAAM,kCAAkC,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,wBAAwB,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAEzE,MAAM,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;IAExD,OAAO;QACL,aAAa;QACb,OAAO;QACP,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE;QACxC,UAAU,EAAE,wBAAwB,CAAC,OAAO,EAAE,aAAa,CAAC;KAC7D,CAAC;AACJ,CAAC;AAED,SAAgB,wBAAwB,CAAC,OAAsB,EAAE,aAAqB;IACpF,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,uBAAuB,OAAO,gBAAgB,kBAAkB,CAAC,aAAa,CAAC,EAAE,CAAC;AAC3F,CAAC"}

package/dist/hederaKeyCodec.d.ts

@@ -0,0 +1,10 @@
+export declare function spkiToUncompressedPublicKey(spkiDerBytes: Uint8Array): Buffer;
+export declare function compressPublicKey(uncompressed: Uint8Array): Buffer;
+export declare function derSigToRS(der: Buffer): {
+    r: Buffer;
+    s: Buffer;
+};
+export declare function normalizeS(s: Buffer): Buffer;
+export declare function rsToRaw64(r: Buffer, s: Buffer): Buffer;
+export declare function kmsDerSignatureToHederaRaw64(derSignature: Uint8Array): Buffer;
+//# sourceMappingURL=hederaKeyCodec.d.ts.map

package/dist/hederaKeyCodec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hederaKeyCodec.d.ts","sourceRoot":"","sources":["../src/hederaKeyCodec.ts"],"names":[],"mappings":"AA8BA,wBAAgB,2BAA2B,CAAC,YAAY,EAAE,UAAU,GAAG,MAAM,CAoB5E;AAED,wBAAgB,iBAAiB,CAAC,YAAY,EAAE,UAAU,GAAG,MAAM,CAYlE;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,CAAC,EAAE,MAAM,CAAC;IAAC,CAAC,EAAE,MAAM,CAAA;CAAE,CAgFhE;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAI5C;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAItD;AAED,wBAAgB,4BAA4B,CAAC,YAAY,EAAE,UAAU,GAAG,MAAM,CAG7E"}

package/dist/hederaKeyCodec.js

@@ -0,0 +1,140 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.spkiToUncompressedPublicKey = spkiToUncompressedPublicKey;
+exports.compressPublicKey = compressPublicKey;
+exports.derSigToRS = derSigToRS;
+exports.normalizeS = normalizeS;
+exports.rsToRaw64 = rsToRaw64;
+exports.kmsDerSignatureToHederaRaw64 = kmsDerSignatureToHederaRaw64;
+const node_crypto_1 = require("node:crypto");
+const SECP256K1_N = BigInt("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141");
+const SECP256K1_HALF_N = SECP256K1_N / 2n;
+function leftPad32(bytes) {
+    if (bytes.length === 32) {
+        return bytes;
+    }
+    return Buffer.concat([Buffer.alloc(32 - bytes.length, 0), bytes]);
+}
+function bigIntToBuffer(value) {
+    const hex = value.toString(16);
+    return Buffer.from(hex.length % 2 === 0 ? hex : `0${hex}`, "hex");
+}
+function parseScalar(bytes, fieldName) {
+    if (bytes.length === 0 || bytes.length > 32) {
+        throw new Error(`Invalid ${fieldName} scalar length: ${bytes.length}`);
+    }
+    const value = BigInt(`0x${bytes.toString("hex")}`);
+    if (value <= 0n || value >= SECP256K1_N) {
+        throw new Error(`Invalid ${fieldName} scalar range`);
+    }
+    return value;
+}
+function spkiToUncompressedPublicKey(spkiDerBytes) {
+    const keyObject = (0, node_crypto_1.createPublicKey)({
+        key: Buffer.from(spkiDerBytes),
+        format: "der",
+        type: "spki"
+    });
+    const jwk = keyObject.export({ format: "jwk" });
+    if (jwk.kty !== "EC" || jwk.crv !== "secp256k1" || !jwk.x || !jwk.y) {
+        throw new Error("Unexpected KMS key type. Expected secp256k1 EC key.");
+    }
+    const x = Buffer.from(jwk.x, "base64url");
+    const y = Buffer.from(jwk.y, "base64url");
+    if (x.length !== 32 || y.length !== 32) {
+        throw new Error("Invalid secp256k1 public key coordinates");
+    }
+    return Buffer.concat([Buffer.from([0x04]), x, y]);
+}
+function compressPublicKey(uncompressed) {
+    const key = Buffer.from(uncompressed);
+    if (key.length !== 65 || key[0] !== 0x04) {
+        throw new Error("Expected 65-byte uncompressed secp256k1 public key");
+    }
+    const x = key.subarray(1, 33);
+    const y = key.subarray(33, 65);
+    const prefix = (y[y.length - 1] & 1) === 0 ? 0x02 : 0x03;
+    return Buffer.concat([Buffer.from([prefix]), x]);
+}
+function derSigToRS(der) {
+    let offset = 0;
+    const readByte = () => {
+        const byte = der[offset];
+        if (byte === undefined) {
+            throw new Error("Invalid DER signature: unexpected end of buffer");
+        }
+        offset += 1;
+        return byte;
+    };
+    const readLength = () => {
+        const lengthByte = readByte();
+        if ((lengthByte & 0x80) === 0) {
+            return lengthByte;
+        }
+        const lengthOfLength = lengthByte & 0x7f;
+        if (lengthOfLength === 0 || lengthOfLength > 2) {
+            throw new Error("Invalid DER signature: unsupported length encoding");
+        }
+        let length = 0;
+        for (let i = 0; i < lengthOfLength; i += 1) {
+            length = (length << 8) | readByte();
+        }
+        return length;
+    };
+    const readInteger = () => {
+        const type = readByte();
+        if (type !== 0x02) {
+            throw new Error("Invalid DER signature: expected INTEGER");
+        }
+        const len = readLength();
+        if (len === 0) {
+            throw new Error("Invalid DER signature: empty INTEGER");
+        }
+        const value = der.subarray(offset, offset + len);
+        if (value.length !== len) {
+            throw new Error("Invalid DER signature: truncated INTEGER");
+        }
+        offset += len;
+        if ((value[0] & 0x80) !== 0) {
+            throw new Error("Invalid DER signature: negative INTEGER");
+        }
+        if (value.length > 1 && value[0] === 0x00 && (value[1] & 0x80) === 0) {
+            throw new Error("Invalid DER signature: non-canonical INTEGER encoding");
+        }
+        // Trim optional sign byte if present.
+        return value[0] === 0x00 ? value.subarray(1) : value;
+    };
+    const sequenceTag = readByte();
+    if (sequenceTag !== 0x30) {
+        throw new Error("Invalid DER signature: expected SEQUENCE");
+    }
+    const seqLen = readLength();
+    const seqEnd = offset + seqLen;
+    if (seqEnd > der.length) {
+        throw new Error("Invalid DER signature: truncated SEQUENCE");
+    }
+    const r = readInteger();
+    const s = readInteger();
+    if (offset !== seqEnd) {
+        throw new Error("Invalid DER signature: trailing bytes in sequence");
+    }
+    if (seqEnd !== der.length) {
+        throw new Error("Invalid DER signature: trailing bytes after sequence");
+    }
+    return { r, s };
+}
+function normalizeS(s) {
+    const sBigInt = parseScalar(s, "s");
+    const normalized = sBigInt > SECP256K1_HALF_N ? SECP256K1_N - sBigInt : sBigInt;
+    return leftPad32(bigIntToBuffer(normalized));
+}
+function rsToRaw64(r, s) {
+    const normalizedR = leftPad32(bigIntToBuffer(parseScalar(r, "r")));
+    const normalizedS = normalizeS(s);
+    return Buffer.concat([normalizedR, normalizedS]);
+}
+function kmsDerSignatureToHederaRaw64(derSignature) {
+    const { r, s } = derSigToRS(Buffer.from(derSignature));
+    return rsToRaw64(r, s);
+}
+//# sourceMappingURL=hederaKeyCodec.js.map

package/dist/hederaKeyCodec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hederaKeyCodec.js","sourceRoot":"","sources":["../src/hederaKeyCodec.ts"],"names":[],"mappings":";;AA8BA,kEAoBC;AAED,8CAYC;AAED,gCAgFC;AAED,gCAIC;AAED,8BAIC;AAED,oEAGC;AAnKD,6CAA8C;AAE9C,MAAM,WAAW,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AACjG,MAAM,gBAAgB,GAAG,WAAW,GAAG,EAAE,CAAC;AAE1C,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC/B,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,KAAK,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,SAAoB;IACtD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,mBAAmB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACnD,IAAI,KAAK,IAAI,EAAE,IAAI,KAAK,IAAI,WAAW,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,WAAW,SAAS,eAAe,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,2BAA2B,CAAC,YAAwB;IAClE,MAAM,SAAS,GAAG,IAAA,6BAAe,EAAC;QAChC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;QAC9B,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAA2D,CAAC;IAE1G,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,WAAW,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAC1C,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAE1C,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,SAAgB,iBAAiB,CAAC,YAAwB;IACxD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAEtC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC9B,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,SAAgB,UAAU,CAAC,GAAW;IACpC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,MAAM,QAAQ,GAAG,GAAW,EAAE;QAC5B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,IAAI,CAAC,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,GAAW,EAAE;QAC9B,MAAM,UAAU,GAAG,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,MAAM,cAAc,GAAG,UAAU,GAAG,IAAI,CAAC;QACzC,IAAI,cAAc,KAAK,CAAC,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,cAAc,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3C,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,QAAQ,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,GAAW,EAAE;QAC/B,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;QACxB,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;QACzB,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC,CAAC;QACjD,IAAI,KAAK,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,IAAI,GAAG,CAAC;QAEd,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,sCAAsC;QACtC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IACvD,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,QAAQ,EAAE,CAAC;IAC/B,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAC/B,IAAI,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;IACxB,MAAM,CAAC,GAAG,WAAW,EAAE,CAAC;IAExB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IAED,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;AAClB,CAAC;AAED,SAAgB,UAAU,CAAC,CAAS;IAClC,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpC,MAAM,UAAU,GAAG,OAAO,GAAG,gBAAgB,CAAC,CAAC,CAAC,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;IAChF,OAAO,SAAS,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,SAAgB,SAAS,CAAC,CAAS,EAAE,CAAS;IAC5C,MAAM,WAAW,GAAG,SAAS,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,CAAC;AACnD,CAAC;AAED,SAAgB,4BAA4B,CAAC,YAAwB;IACnE,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IACvD,OAAO,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACzB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export * from "./hederaClient";
+export * from "./hederaKeyCodec";
+export * from "./kmsKeyManager";
+export * from "./kmsSigner";
+export * from "./walletProvisioning";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC"}