@zerodev/wallet-core 0.0.1-alpha.17 → 0.0.1-alpha.19

package/src/core/createZeroDevWallet.ts

@@ -1,4 +1,3 @@
-import { getWebAuthnAttestation } from '@turnkey/http'
 import type { LocalAccount } from 'viem/accounts'
 import type {
   EmailCustomization,
@@ -17,6 +16,7 @@ import {
   KMS_SERVER_URL,
 } from '../constants.js'
 import { createIndexedDbStamper } from '../stampers/indexedDbStamper.js'
+import type { ApiKeyStamper, PasskeyStamper } from '../stampers/types.js'
 import { createWebauthnStamper } from '../stampers/webauthnStamper.js'
 import { createWebStorageAdapter } from '../storage/adapters.js'
 import {
@@ -25,19 +25,16 @@ import {
 } from '../storage/manager.js'
 import { SessionType, type ZeroDevWalletSession } from '../types/session.js'
 import { buildClientSignature } from '../utils/buildClientSignature.js'
-import {
-  base64UrlEncode,
-  generateCompressedPublicKeyFromKeyPair,
-  generateRandomBuffer,
-  humanReadableDateTime,
-  parseSession,
-} from '../utils/utils.js'
+import { encryptOtpAttempt } from '../utils/encryptOtpAttempt.js'
+import { humanReadableDateTime, parseSession } from '../utils/utils.js'
 export interface ZeroDevWalletConfig {
   organizationId?: string
   proxyBaseUrl?: string
   projectId: string
   sessionStorage?: StorageAdapter
   rpId?: string
+  apiKeyStamper?: ApiKeyStamper
+  passkeyStamper?: PasskeyStamper
 }
 
 // Re-export EmailCustomization for convenience
@@ -72,6 +69,11 @@ export type AuthParams =
       mode: 'verifyOtp'
       otpId: string
       otpCode: string
+      /**
+       * The encryption target bundle returned by the matching `sendOtp` call.
+       * Required — used to HPKE-encrypt the OTP attempt to the enclave.
+       */
+      otpEncryptionTargetBundle: string
     }
   | {
       type: 'magicLink'
@@ -85,6 +87,11 @@ export type AuthParams =
       mode: 'verify'
       otpId: string
       code: string
+      /**
+       * The encryption target bundle returned by the matching `sendMagicLink`
+       * (a.k.a. magicLink `send`) call. Required for the encrypted-OTP flow.
+       */
+      otpEncryptionTargetBundle: string
     }
 
 export interface ZeroDevWalletSDK {
@@ -123,13 +130,14 @@ export async function createZeroDevWallet(
     sessionStorage || createWebStorageAdapter(),
   )
 
-  const indexedDbStamper = await createIndexedDbStamper()
+  const apiKeyStamper = config.apiKeyStamper ?? (await createIndexedDbStamper())
 
-  const webauthnStamper = await createWebauthnStamper({ rpId })
+  const passkeyStamper =
+    config.passkeyStamper ?? (await createWebauthnStamper({ rpId }))
 
   const client = createClient({
-    indexedDbStamper,
-    webauthnStamper,
+    apiKeyStamper,
+    passkeyStamper,
     transport: zeroDevWalletTransport({
       baseUrl: config.proxyBaseUrl || `${KMS_SERVER_URL}/api/v1`,
     }),
@@ -140,8 +148,8 @@ export async function createZeroDevWallet(
   return {
     client,
     async getPublicKey() {
-      await client.indexedDbStamper.resetKeyPair()
-      const compressedPublicKey = await client.indexedDbStamper.getPublicKey()
+      await client.apiKeyStamper.resetKeyPair()
+      const compressedPublicKey = await client.apiKeyStamper.getPublicKey()
       return compressedPublicKey
     },
 
@@ -180,30 +188,22 @@ export async function createZeroDevWallet(
       if (!activeSession) {
         throw new Error('No active session')
       }
-      if (activeSession.stamperType === 'indexedDb') {
-        const newKeyPair = await crypto.subtle.generateKey(
-          {
-            name: 'ECDSA',
-            namedCurve: 'P-256',
-          },
-          false,
-          ['sign', 'verify'],
-        )
+      if (activeSession.stamperType === 'apiKey') {
         const compressedPublicKeyHex =
-          await generateCompressedPublicKeyFromKeyPair(newKeyPair)
+          await client.apiKeyStamper.prepareKeyRotation()
         const data = await client.loginWithStamp({
           targetPublicKey: compressedPublicKeyHex,
           projectId,
           organizationId: activeSession.organizationId,
-          stampWith: 'indexedDb',
+          stampWith: 'apiKey',
         })
-        await client.indexedDbStamper.resetKeyPair(newKeyPair)
+        await client.apiKeyStamper.commitKeyRotation()
         const parsedSession = parseSession(data.session)
         const session: ZeroDevWalletSession = {
           id: `session_indexedDb_${Date.now()}`,
           userId: parsedSession.userId,
           organizationId: parsedSession.organizationId,
-          stamperType: 'indexedDb',
+          stamperType: 'apiKey',
           sessionType: SessionType.READ_WRITE,
           token: data.session,
           expiry: parsedSession.expiry,
@@ -229,17 +229,15 @@ export async function createZeroDevWallet(
           if (data.session) {
             // Parse the JWT to get session data
             const parsedSession = parseSession(data.session)
-            const publicKey = await client.indexedDbStamper.getPublicKey()
             const session: ZeroDevWalletSession = {
               id: `session_oauth_${Date.now()}`,
               userId: parsedSession.userId,
               organizationId: parsedSession.organizationId,
-              stamperType: 'indexedDb',
+              stamperType: 'apiKey',
               sessionType: parsedSession.sessionType || SessionType.READ_WRITE,
               token: data.session,
               expiry: parsedSession.expiry,
               createdAt: Date.now(),
-              publicKey: publicKey || '',
             }
             await sessionStorageManager.storeSession(session, session.id)
           }
@@ -252,62 +250,35 @@ export async function createZeroDevWallet(
             'mode' in params &&
             params.mode === 'register'
           ) {
-            await client.indexedDbStamper.resetKeyPair()
-            const tempPublicKey = await client.indexedDbStamper.getPublicKey()
+            await client.apiKeyStamper.resetKeyPair()
+            const tempPublicKey = await client.apiKeyStamper.getPublicKey()
             if (!tempPublicKey) {
               throw new Error('Failed to get public key')
             }
-            const challenge = generateRandomBuffer()
-            const encodedChallenge = base64UrlEncode(challenge)
-            const authenticatorUserId = generateRandomBuffer()
             const name = `ZeroDevWallet-${humanReadableDateTime()}`
-            const attestation = await getWebAuthnAttestation({
-              publicKey: {
+            const { attestation, encodedChallenge } =
+              await passkeyStamper.register({
                 rp: { id: rpId, name: '' },
-                challenge,
-                pubKeyCredParams: [
-                  {
-                    type: 'public-key',
-                    alg: -7,
-                  },
-                  {
-                    type: 'public-key',
-                    alg: -257,
-                  },
-                ],
-                user: {
-                  id: authenticatorUserId,
-                  name,
-                  displayName: name,
-                },
-              },
-            })
+                userName: name,
+              })
             const data = await client.registerWithPasskey({
               attestation,
               challenge: encodedChallenge,
               projectId,
               encodedPublicKey: tempPublicKey,
             })
-            const newKeyPair = await crypto.subtle.generateKey(
-              {
-                name: 'ECDSA',
-                namedCurve: 'P-256',
-              },
-              false,
-              ['sign', 'verify'],
-            )
             const compressedPublicKeyHex =
-              await generateCompressedPublicKeyFromKeyPair(newKeyPair)
+              await client.apiKeyStamper.prepareKeyRotation()
             const loginData = await client.loginWithStamp({
               projectId,
               targetPublicKey: compressedPublicKeyHex,
               organizationId: data.subOrganizationId,
             })
-            await client.indexedDbStamper.resetKeyPair(newKeyPair)
+            await client.apiKeyStamper.commitKeyRotation()
             const parsedSession = parseSession(loginData.session)
             const session: ZeroDevWalletSession = {
               id: `session_indexedDb_${Date.now()}`,
-              stamperType: 'indexedDb',
+              stamperType: 'apiKey',
               createdAt: Date.now(),
               sessionType: SessionType.READ_WRITE,
               userId: parsedSession.userId,
@@ -325,9 +296,8 @@ export async function createZeroDevWallet(
             'mode' in params &&
             params.mode === 'login'
           ) {
-            await client.indexedDbStamper.resetKeyPair()
-            const generatedPublicKey =
-              await client.indexedDbStamper.getPublicKey()
+            await client.apiKeyStamper.resetKeyPair()
+            const generatedPublicKey = await client.apiKeyStamper.getPublicKey()
             if (!generatedPublicKey) {
               throw new Error('Failed to get public key')
             }
@@ -335,12 +305,12 @@ export async function createZeroDevWallet(
               targetPublicKey: generatedPublicKey,
               projectId,
               organizationId,
-              stampWith: 'webauthn',
+              stampWith: 'passkey',
             })
             const parsedSession = parseSession(loginData.session)
             const session: ZeroDevWalletSession = {
               id: `session_indexedDb_${Date.now()}`,
-              stamperType: 'indexedDb',
+              stamperType: 'apiKey',
               createdAt: Date.now(),
               sessionType: SessionType.READ_WRITE,
               userId: parsedSession.userId,
@@ -379,6 +349,7 @@ export async function createZeroDevWallet(
                 mode: 'verifyOtp',
                 otpId: params.otpId,
                 otpCode: params.code,
+                otpEncryptionTargetBundle: params.otpEncryptionTargetBundle,
               }
             }
           } else {
@@ -401,17 +372,25 @@ export async function createZeroDevWallet(
           }
 
           if (otpParams.mode === 'verifyOtp') {
-            const { otpId, otpCode } = otpParams
+            const { otpId, otpCode, otpEncryptionTargetBundle } = otpParams
 
             // Step 1: Generate new key pair
-            await client.indexedDbStamper.resetKeyPair()
-            const targetPublicKey = await client.indexedDbStamper.getPublicKey()
+            await client.apiKeyStamper.resetKeyPair()
+            const targetPublicKey = await client.apiKeyStamper.getPublicKey()
 
             if (!targetPublicKey) {
               throw new Error('Failed to get public key')
             }
 
-            // Step 2: Verify OTP via Auth Proxy
+            // Step 2a: HPKE-seal the OTP attempt to the enclave's per-session
+            // target key. The auth proxy never sees the plaintext OTP code.
+            const encryptedOtpBundle = await encryptOtpAttempt({
+              otpCode,
+              publicKey: targetPublicKey,
+              encryptionTargetBundle: otpEncryptionTargetBundle,
+            })
+
+            // Step 2b: Verify OTP via Auth Proxy
             if (!cachedAuthProxyConfigId) {
               const { authProxyConfigId } = await client.getAuthProxyConfigId()
               cachedAuthProxyConfigId = authProxyConfigId
@@ -422,15 +401,14 @@ export async function createZeroDevWallet(
 
             const { verificationToken } = await authProxyClient.verifyOtp({
               otpId,
-              otpCode,
-              public_key: targetPublicKey,
+              encryptedOtpBundle,
             })
 
             // Step 3: Build client signature
             const clientSignature = await buildClientSignature({
               verificationToken,
               publicKey: targetPublicKey,
-              stamper: client.indexedDbStamper,
+              stamper: client.apiKeyStamper,
             })
 
             // Step 4: Login via backend (not Auth Proxy!)
@@ -447,13 +425,12 @@ export async function createZeroDevWallet(
                 id: `session_otp_${Date.now()}`,
                 userId: parsedSession.userId,
                 organizationId: parsedSession.organizationId,
-                stamperType: 'indexedDb',
+                stamperType: 'apiKey',
                 sessionType:
                   parsedSession.sessionType || SessionType.READ_WRITE,
                 token: data.session,
                 expiry: parsedSession.expiry,
                 createdAt: Date.now(),
-                publicKey: targetPublicKey,
               }
               await sessionStorageManager.storeSession(session, session.id)
             }
@@ -469,7 +446,7 @@ export async function createZeroDevWallet(
 
     async logout() {
       await sessionStorageManager.clearAllSessions()
-      await client.indexedDbStamper.resetKeyPair()
+      await client.apiKeyStamper.resetKeyPair()
       return true
     },
 

package/src/index.ts

@@ -80,9 +80,12 @@ export {
   createWebauthnStamper,
 } from './stampers/index.js'
 export type {
+  ApiKeyStamper,
+  Attestation,
   IframeStamper,
-  IndexedDbStamper,
-  WebauthnStamper,
+  PasskeyRegistrationOptions,
+  PasskeyRegistrationResult,
+  PasskeyStamper,
 } from './stampers/types.js'
 // Storage
 export type { StorageAdapter, StorageManager } from './storage/manager.js'

package/src/stampers/index.ts

@@ -1,8 +1,8 @@
 export { createIframeStamper } from './iframeStamper.js'
 export { createIndexedDbStamper } from './indexedDbStamper.js'
 export type {
+  ApiKeyStamper,
   IframeStamper,
-  IndexedDbStamper,
-  WebauthnStamper,
+  PasskeyStamper,
 } from './types.js'
 export { createWebauthnStamper } from './webauthnStamper.js'

package/src/stampers/indexedDbStamper.ts

@@ -1,10 +1,13 @@
 import { IndexedDbStamper as TurnkeyIndexedDbStamper } from '@turnkey/indexed-db-stamper'
-import type { IndexedDbStamper } from './types.js'
+import { generateCompressedPublicKeyFromKeyPair } from '../utils/utils.js'
+import type { ApiKeyStamper } from './types.js'
 
-export async function createIndexedDbStamper(): Promise<IndexedDbStamper> {
+export async function createIndexedDbStamper(): Promise<ApiKeyStamper> {
   const inner = new TurnkeyIndexedDbStamper()
   await inner.init()
 
+  let pendingKeyPair: CryptoKeyPair | null = null
+
   return {
     async getPublicKey() {
       return await inner.getPublicKey()
@@ -15,8 +18,25 @@ export async function createIndexedDbStamper(): Promise<IndexedDbStamper> {
     async clear() {
       await inner.clear()
     },
-    async resetKeyPair(externalKeyPair?: CryptoKeyPair) {
-      await inner.resetKeyPair(externalKeyPair)
+    async resetKeyPair() {
+      pendingKeyPair = null
+      await inner.resetKeyPair()
+    },
+    async prepareKeyRotation() {
+      const keyPair = await crypto.subtle.generateKey(
+        { name: 'ECDSA', namedCurve: 'P-256' },
+        false,
+        ['sign', 'verify'],
+      )
+      pendingKeyPair = keyPair
+      return await generateCompressedPublicKeyFromKeyPair(keyPair)
+    },
+    async commitKeyRotation() {
+      if (!pendingKeyPair) {
+        throw new Error('No pending key rotation to commit')
+      }
+      await inner.resetKeyPair(pendingKeyPair)
+      pendingKeyPair = null
     },
   }
 }

package/src/stampers/types.ts

@@ -5,8 +5,6 @@ export type Stamp = {
 }
 
 export type Stamper = {
-  /** retrieve public key compressed or otherwise as per the stamper */
-  getPublicKey: () => Promise<string | null>
   /** produce Turnkey header value for a given request body */
   stamp: (payload: string) => Promise<Stamp>
   /** clear local state (embedded key, IDB keypair, etc.) */
@@ -16,6 +14,8 @@ export type Stamper = {
 export type KeyFormat = 'Hexadecimal' | 'Solana'
 
 export type IframeStamper = Stamper & {
+  /** retrieve public key compressed or otherwise as per the stamper */
+  getPublicKey: () => Promise<string | null>
   init(): Promise<string>
   injectCredentialBundle(bundle: string): Promise<boolean>
   injectWalletExportBundle(
@@ -30,7 +30,35 @@ export type IframeStamper = Stamper & {
   applySettings(settings: { styles?: Record<string, string> }): Promise<boolean>
 }
 
-export type IndexedDbStamper = Stamper & {
-  resetKeyPair: (externalKeyPair?: CryptoKeyPair) => Promise<void>
+export type ApiKeyStamper = Stamper & {
+  /** retrieve public key compressed or otherwise as per the stamper */
+  getPublicKey: () => Promise<string | null>
+  /** Generate + activate a new key pair immediately (simple cases: login init, logout). */
+  resetKeyPair: () => Promise<void>
+  /** Generate a new key pair internally, return its compressed public key, but keep the OLD key active for stamp(). */
+  prepareKeyRotation: () => Promise<string>
+  /** Promote the pending key to active. Call after the server accepts the new key. */
+  commitKeyRotation: () => Promise<void>
+}
+export type Attestation = {
+  attestationObject: string
+  clientDataJson: string
+  credentialId: string
+}
+
+export type PasskeyRegistrationOptions = {
+  rp: { id: string; name: string }
+  userName: string
+}
+
+export type PasskeyRegistrationResult = {
+  attestation: Attestation
+  encodedChallenge: string
+}
+
+export type PasskeyStamper = Stamper & {
+  /** Create a new passkey credential. Owns challenge and user ID generation internally. */
+  register: (
+    options: PasskeyRegistrationOptions,
+  ) => Promise<PasskeyRegistrationResult>
 }
-export type WebauthnStamper = Stamper

package/src/stampers/webauthnStamper.ts

@@ -1,21 +1,42 @@
+import { getWebAuthnAttestation } from '@turnkey/http'
 import { WebauthnStamper as TurnkeyWebauthnStamper } from '@turnkey/webauthn-stamper'
-import type { WebauthnStamper } from './types.js'
+import { base64UrlEncode, generateRandomBuffer } from '../utils/utils.js'
+import type { PasskeyRegistrationOptions, PasskeyStamper } from './types.js'
 
 export async function createWebauthnStamper({
   rpId,
 }: {
   rpId: string
-}): Promise<WebauthnStamper> {
+}): Promise<PasskeyStamper> {
   const inner = new TurnkeyWebauthnStamper({ rpId })
 
   return {
-    async getPublicKey() {
-      //   return await inner.();
-      return null
-    },
     async stamp(payload: string) {
       return await inner.stamp(payload)
     },
     async clear() {},
+    async register(options: PasskeyRegistrationOptions) {
+      const challenge = generateRandomBuffer()
+      const encodedChallenge = base64UrlEncode(challenge)
+      const authenticatorUserId = generateRandomBuffer()
+
+      const attestation = await getWebAuthnAttestation({
+        publicKey: {
+          rp: options.rp,
+          challenge,
+          pubKeyCredParams: [
+            { type: 'public-key', alg: -7 },
+            { type: 'public-key', alg: -257 },
+          ],
+          user: {
+            id: authenticatorUserId,
+            name: options.userName,
+            displayName: options.userName,
+          },
+        },
+      })
+
+      return { attestation, encodedChallenge }
+    },
   }
 }

package/src/types/session.ts

@@ -3,7 +3,7 @@ export enum SessionType {
   READ_WRITE = 'SESSION_TYPE_READ_WRITE',
 }
 
-export type StamperType = 'iframe' | 'indexedDb' | 'passkey'
+export type StamperType = 'apiKey' | 'passkey'
 
 export type ZeroDevWalletSession = {
   id: string
@@ -11,8 +11,7 @@ export type ZeroDevWalletSession = {
   organizationId: string
   stamperType: StamperType
   sessionType?: SessionType
-  token?: string
-  publicKey?: string
+  token: string
   expiry: number
   createdAt: number
 }

package/src/utils/buildClientSignature.ts

@@ -1,4 +1,4 @@
-import type { IndexedDbStamper } from '../stampers/types.js'
+import type { ApiKeyStamper } from '../stampers/types.js'
 import { derToRawSignature } from './derToRawSignature.js'
 
 export type BuildClientSignatureParams = {
@@ -6,8 +6,8 @@ export type BuildClientSignatureParams = {
   verificationToken: string
   /** The compressed public key hex */
   publicKey: string
-  /** The IndexedDB stamper for signing */
-  stamper: IndexedDbStamper
+  /** The API key stamper for signing */
+  stamper: ApiKeyStamper
 }
 
 /**

package/src/utils/encryptOtpAttempt.ts

@@ -0,0 +1,142 @@
+/**
+ * Wraps the OTP code + client public key in a Turnkey-compatible HPKE bundle
+ * for the `/v1/otp_verify_v2` auth-proxy endpoint.
+ *
+ * Bundle flow (RFC 9180 mode_base over Turnkey's TLS Fetcher enclave):
+ *   1. The backend's /init/otp returns a signed envelope that contains an
+ *      ephemeral HPKE public key (`targetPublic`) generated fresh by the
+ *      enclave for this OTP attempt.
+ *   2. We verify the envelope's ECDSA signature against a pinned production
+ *      key (`TURNKEY_TLS_FETCHER_SIGN_PUBLIC_KEY`) so a compromised proxy
+ *      cannot substitute its own ephemeral key.
+ *   3. We HPKE-seal `{otp_code, public_key}` to `targetPublic`. The auth proxy
+ *      forwards the ciphertext to the enclave; only the enclave can decrypt
+ *      it. The enclave then issues a `verificationToken` bound to the public
+ *      key embedded in the plaintext.
+ *
+ * See: tkhq/go-sdk `examples/email_otp` and `pkg/enclave_encrypt`.
+ */
+
+import { p256 } from '@noble/curves/nist.js'
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js'
+import { TURNKEY_TLS_FETCHER_SIGN_PUBLIC_KEY } from '../constants.js'
+import { hpkeSealP256 } from './hpke.js'
+
+const BUNDLE_DATA_VERSION = 'v1.0.0'
+
+type EncryptionTargetEnvelope = {
+  version: string
+  /** Hex-encoded JSON: `{ targetPublic, organizationId, userId? }` */
+  data: string
+  /** Hex-encoded ECDSA-P256 signature over the raw `data` bytes (DER). */
+  dataSignature: string
+  /** Hex-encoded uncompressed P-256 pubkey of the signing enclave. */
+  enclaveQuorumPublic: string
+}
+
+type SignedTargetData = {
+  targetPublic: string
+  organizationId?: string
+  userId?: string
+}
+
+export type EncryptOtpAttemptParams = {
+  /** The OTP code the user entered. */
+  otpCode: string
+  /**
+   * The client's session public key (compressed P-256 hex). The enclave binds
+   * this key into the `verificationToken` it issues.
+   */
+  publicKey: string
+  /** The signed envelope returned by `/auth/init/otp`. */
+  encryptionTargetBundle: string
+  /**
+   * Test-only override for the pinned signing key. Production callers should
+   * leave this undefined; it exists so tests don't have to use the real key.
+   */
+  dangerouslyOverrideSignerPublicKey?: string
+}
+
+/**
+ * Returns a JSON string ready to be sent as `encryptedOtpBundle` on
+ * `POST /v1/otp_verify_v2`.
+ */
+export async function encryptOtpAttempt({
+  otpCode,
+  publicKey,
+  encryptionTargetBundle,
+  dangerouslyOverrideSignerPublicKey,
+}: EncryptOtpAttemptParams): Promise<string> {
+  const expectedSignerHex =
+    dangerouslyOverrideSignerPublicKey ?? TURNKEY_TLS_FETCHER_SIGN_PUBLIC_KEY
+
+  let envelope: EncryptionTargetEnvelope
+  try {
+    envelope = JSON.parse(encryptionTargetBundle)
+  } catch (err) {
+    throw new Error(
+      `encryptOtpAttempt: failed to parse encryption target bundle: ${(err as Error).message}`,
+    )
+  }
+
+  if (envelope.version !== BUNDLE_DATA_VERSION) {
+    throw new Error(
+      `encryptOtpAttempt: unsupported bundle version ${envelope.version}`,
+    )
+  }
+
+  if (
+    envelope.enclaveQuorumPublic.toLowerCase() !==
+    expectedSignerHex.toLowerCase()
+  ) {
+    throw new Error(
+      'encryptOtpAttempt: enclave quorum public key does not match pinned signing key',
+    )
+  }
+
+  const dataBytes = hexToBytes(envelope.data)
+  const signatureBytes = hexToBytes(envelope.dataSignature)
+  const signerPublicKeyBytes = hexToBytes(envelope.enclaveQuorumPublic)
+
+  // The Go side does sha256(data) then ASN.1 DER ECDSA verify, without
+  // enforcing low-S. Match that here.
+  const valid = p256.verify(signatureBytes, dataBytes, signerPublicKeyBytes, {
+    prehash: true,
+    format: 'der',
+    lowS: false,
+  })
+  if (!valid) {
+    throw new Error('encryptOtpAttempt: invalid enclave signature on bundle')
+  }
+
+  let signedData: SignedTargetData
+  try {
+    signedData = JSON.parse(new TextDecoder().decode(dataBytes))
+  } catch (err) {
+    throw new Error(
+      `encryptOtpAttempt: failed to parse signed bundle data: ${(err as Error).message}`,
+    )
+  }
+  if (!signedData.targetPublic) {
+    throw new Error('encryptOtpAttempt: missing targetPublic in signed data')
+  }
+
+  const targetPublicKey = hexToBytes(signedData.targetPublic)
+
+  // Plaintext shape matches what the Go example marshals:
+  //   { otp_code: string, public_key: string }
+  const plaintext = new TextEncoder().encode(
+    JSON.stringify({ otp_code: otpCode, public_key: publicKey }),
+  )
+
+  const { encappedPublic, ciphertext } = await hpkeSealP256({
+    receiverPublicKey: targetPublicKey,
+    plaintext,
+  })
+
+  // Wire format = the Go SDK's `ClientSendMsg`: Bytes fields hex-encoded.
+  return JSON.stringify({
+    encappedPublic: bytesToHex(encappedPublic),
+    ciphertext: bytesToHex(ciphertext),
+  })
+}