@zkproofport-app/sdk 0.2.2 → 0.2.4

package/README.md

@@ -122,7 +122,36 @@ const relay = await sdk.createRelayRequest('coinbase_country_attestation', {
 });
 ```
 
-> The ZKProofport mobile app handles wallet connection and attestation data retrieval automatically. You only provide the inputs above.
+### `oidc_domain_attestation`
+
+Prove email domain affiliation via Google Sign-In. The mobile app handles authentication and proof generation entirely on-device — the user's email is never revealed.
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `domain` | `string` | Yes | Target email domain to prove (e.g., `'google.com'`, `'company.com'`) |
+| `scope` | `string` | Yes | dApp scope identifier for proof uniqueness |
+| `provider` | `string` | No | OIDC workspace provider for organization membership verification. Currently supported: `'google'`. |
+
+**Email domain verification (default):**
+
+```typescript
+const relay = await sdk.createRelayRequest('oidc_domain_attestation', {
+  domain: 'gmail.com',
+  scope: 'myapp.com',
+});
+```
+
+**Organization membership verification (Google Workspace):**
+
+```typescript
+const relay = await sdk.createRelayRequest('oidc_domain_attestation', {
+  domain: 'company.com',
+  scope: 'myapp.com',
+  provider: 'google',
+});
+```
+
+> When `provider` is set, the mobile app verifies the user's account is managed by the specified workspace provider (e.g., Google Workspace `hd` claim). Without `provider`, only the email domain is verified.
 
 ## Integration Guide
 
@@ -159,6 +188,8 @@ interface WalletSigner {
 
 Any ethers v5/v6 `Signer` is compatible.
 
+> **OIDC Domain note:** Wallet signer is not required for OIDC Domain proofs. See Step 3 for OIDC-specific usage.
+
 #### About challenge-signature
 
 The challenge-signature mechanism was developed **for relay nonce replay prevention**. Each challenge is one-time use and consumed immediately. The signer's recovered address is recorded as `clientId` in relay server logs, which helps the relay operator track requests.
@@ -192,6 +223,33 @@ const relay = await sdk.createRelayRequest('coinbase_attestation', {
 // relay.pollUrl    — Relative URL for HTTP polling
 ```
 
+**OIDC Domain Attestation:**
+
+```typescript
+// Email domain verification
+const relay = await sdk.createRelayRequest('oidc_domain_attestation', {
+  domain: 'company.com',
+  scope: 'myapp.com',
+}, {
+  dappName: 'My DApp',
+  dappIcon: 'https://myapp.com/icon.png',
+  message: 'Verify your email domain',
+});
+
+// Organization membership verification (Google Workspace)
+const relay = await sdk.createRelayRequest('oidc_domain_attestation', {
+  domain: 'company.com',
+  scope: 'myapp.com',
+  provider: 'google',
+}, {
+  dappName: 'My DApp',
+  dappIcon: 'https://myapp.com/icon.png',
+  message: 'Verify your organization membership',
+});
+```
+
+The mobile app prompts Google Sign-In and generates the proof locally. When `provider` is set, the app additionally verifies organization membership (e.g., Google Workspace `hd` claim).
+
 ### Step 4: Display QR Code
 
 Generate a QR code from the relay deep link for the user to scan with the ZKProofport mobile app:
@@ -314,9 +372,11 @@ if (result.status === 'completed') {
 
 The **nullifier** serves as a privacy-preserving user identifier:
 - Deterministic: same user + same scope = same nullifier (enables duplicate detection)
-- Privacy-preserving: the wallet address is never revealed
+- Privacy-preserving: the wallet address (Coinbase) or email (OIDC) is never revealed
 - Scope-bound: different scopes produce different nullifiers for the same user
 
+> **OIDC Domain:** The nullifier is a hash of the user's email and scope. The same email + scope always produces the same nullifier, enabling Sybil resistance without revealing the email address.
+
 **Standalone utility functions** are also available for use outside the SDK class:
 
 ```typescript
@@ -389,21 +449,7 @@ async function verifyUser() {
 
 ## Configuration
 
-`ProofportSDK.create()` returns a fully configured SDK instance. No manual configuration is needed for standard usage.
-
-For advanced scenarios (e.g., custom verifier deployments), pass a `ProofportConfig`:
-
-```typescript
-const sdk = new ProofportSDK({
-  relayUrl: 'https://relay.zkproofport.app',
-  verifiers: {
-    coinbase_attestation: {
-      verifierAddress: '0x...',
-      chainId: 8453,
-    },
-  },
-});
-```
+`ProofportSDK.create()` returns a fully configured SDK instance. No manual configuration is needed — relay URLs, verifier contracts, and chain settings are all built-in.
 
 ## Types Reference
 
@@ -415,6 +461,7 @@ import type {
   ProofRequestStatus,
   CoinbaseKycInputs,
   CoinbaseCountryInputs,
+  OidcDomainInputs,
   CircuitInputs,
   ProofRequest,
   ProofResponse,
@@ -425,27 +472,36 @@ import type {
   WalletSigner,
   RelayProofRequest,
   RelayProofResult,
-  SDKEnvironment,
 } from '@zkproofport-app/sdk';
 ```
 
 | Type | Description |
 |------|-------------|
-| `CircuitType` | `'coinbase_attestation' \| 'coinbase_country_attestation'` |
+| `CircuitType` | `'coinbase_attestation' \| 'coinbase_country_attestation' \| 'oidc_domain_attestation'` |
 | `ProofRequestStatus` | `'pending' \| 'completed' \| 'error' \| 'cancelled'` |
 | `CoinbaseKycInputs` | Inputs for `coinbase_attestation` (`{ scope, userAddress?, rawTransaction? }`) |
 | `CoinbaseCountryInputs` | Inputs for `coinbase_country_attestation` (`{ scope, countryList, isIncluded, ... }`) |
-| `CircuitInputs` | Union: `CoinbaseKycInputs \| CoinbaseCountryInputs` |
+| `OidcDomainInputs` | Inputs for `oidc_domain_attestation` (`{ domain, scope, provider? }`) |
+| `CircuitInputs` | Union: `CoinbaseKycInputs \| CoinbaseCountryInputs \| OidcDomainInputs` |
 | `ProofRequest` | Proof request object with `requestId`, `circuit`, `inputs`, metadata, and expiry |
 | `ProofResponse` | Proof response with `status`, `proof`, `publicInputs`, `verifierAddress`, `chainId` |
 | `QRCodeOptions` | QR customization: `width`, `margin`, `darkColor`, `lightColor`, `errorCorrectionLevel` |
 | `VerifierContract` | Verifier contract info: `{ address, chainId, abi }` |
-| `ProofportConfig` | SDK configuration: `{ scheme?, relayUrl?, verifiers? }` |
+| `ProofportConfig` | SDK configuration (internal use — `ProofportSDK.create()` handles defaults) |
 | `ChallengeResponse` | Challenge from relay: `{ challenge, expiresAt }` |
 | `WalletSigner` | Signer interface: `{ signMessage(msg), getAddress() }` |
 | `RelayProofRequest` | Relay response: `{ requestId, deepLink, status, pollUrl }` |
 | `RelayProofResult` | Relay result: `{ requestId, status, proof?, publicInputs?, circuit?, error? }` |
-| `SDKEnvironment` | Environment preset (not needed for normal usage) |
+
+The `OidcDomainInputs` interface:
+
+```typescript
+interface OidcDomainInputs {
+  domain: string;     // Target email domain (e.g., 'google.com')
+  scope: string;      // dApp scope identifier
+  provider?: string;  // Workspace provider for org membership (currently: 'google')
+}
+```
 
 ## Error Handling
 
@@ -467,10 +523,7 @@ try {
 
 ## Networks
 
-| Network | Chain ID | Status |
-|---------|----------|--------|
-| Base Mainnet | 8453 | Production |
-| Base Sepolia | 84532 | Testnet |
+Proofs are verified on **Base** (Ethereum L2). The SDK handles network configuration automatically — no manual setup required.
 
 ## Development
 

package/dist/ProofportSDK.d.ts

@@ -763,6 +763,7 @@ export declare class ProofportSDK {
      * const result = await sdk.waitForProof(relay.requestId);
      * ```
      */
+    private static readonly WALLET_SIGNATURE_CIRCUITS;
     createRelayRequest(circuit: CircuitType, inputs: CircuitInputs, options?: {
         message?: string;
         dappName?: string;

package/dist/constants.d.ts

@@ -183,3 +183,31 @@ export declare const COINBASE_COUNTRY_PUBLIC_INPUT_LAYOUT: {
     readonly NULLIFIER_START: 118;
     readonly NULLIFIER_END: 149;
 };
+/**
+ * OIDC Domain Attestation circuit public input layout (byte offsets).
+ * Defines the byte positions of each field in the flattened public inputs array.
+ *
+ * Public inputs are packed as individual field elements (one byte per element):
+ * - pubkey_modulus_limbs: 18 x u128 = 18 x 16 bytes = 288 bytes → fields 0–287
+ * - domain (BoundedVec<u8, 64>): 4-byte length (u32) + 64-byte storage = 68 fields → fields 288–355
+ * - scope: 32 bytes → fields 356–387
+ * - nullifier: 32 bytes → fields 388–419
+ *
+ * @example
+ * ```typescript
+ * const scope = publicInputs.slice(
+ *   OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT.SCOPE_START,
+ *   OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT.SCOPE_END + 1
+ * );
+ * ```
+ */
+export declare const OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT: {
+    readonly PUBKEY_MODULUS_START: 0;
+    readonly PUBKEY_MODULUS_END: 287;
+    readonly DOMAIN_START: 288;
+    readonly DOMAIN_END: 355;
+    readonly SCOPE_START: 356;
+    readonly SCOPE_END: 387;
+    readonly NULLIFIER_START: 388;
+    readonly NULLIFIER_END: 419;
+};

package/dist/index.d.ts

@@ -7,8 +7,8 @@
  * ```typescript
  * import { ProofportSDK } from '@zkproofport-app/sdk';
  *
- * // Initialize with environment preset
- * const sdk = ProofportSDK.create('production');
+ * // Initialize SDK
+ * const sdk = ProofportSDK.create();
  *
  * // Set wallet signer
  * sdk.setSigner(signer);
@@ -27,5 +27,5 @@
  */
 export { ProofportSDK, default } from './ProofportSDK';
 export { extractScopeFromPublicInputs, extractNullifierFromPublicInputs, } from './verifier';
-export { COINBASE_ATTESTATION_PUBLIC_INPUT_LAYOUT, COINBASE_COUNTRY_PUBLIC_INPUT_LAYOUT, } from './constants';
-export type { CircuitType, ProofRequestStatus, CoinbaseKycInputs, CoinbaseCountryInputs, CircuitInputs, ProofRequest, ProofResponse, QRCodeOptions, VerifierContract, ProofportConfig, ChallengeResponse, WalletSigner, RelayProofRequest, RelayProofResult, SDKEnvironment, } from './types';
+export { COINBASE_ATTESTATION_PUBLIC_INPUT_LAYOUT, COINBASE_COUNTRY_PUBLIC_INPUT_LAYOUT, OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT, } from './constants';
+export type { CircuitType, ProofRequestStatus, CoinbaseKycInputs, CoinbaseCountryInputs, OidcDomainInputs, CircuitInputs, ProofRequest, ProofResponse, QRCodeOptions, VerifierContract, ProofportConfig, ChallengeResponse, WalletSigner, RelayProofRequest, RelayProofResult, SDKEnvironment, } from './types';

package/dist/index.esm.js

@@ -67,6 +67,12 @@ const CIRCUIT_METADATA = {
         publicInputsCount: 14,
         publicInputNames: ['signal_hash', 'signer_list_merkle_root', 'country_list', 'country_list_length', 'is_included'],
     },
+    oidc_domain_attestation: {
+        name: 'OIDC Domain',
+        description: 'Prove email domain affiliation via OIDC JWT',
+        publicInputsCount: 420,
+        publicInputNames: ['pubkey_modulus_limbs', 'domain', 'scope', 'nullifier'],
+    },
 };
 /**
  * Standard verifier contract ABI shared across all Barretenberg-generated verifiers.
@@ -198,6 +204,34 @@ const COINBASE_COUNTRY_PUBLIC_INPUT_LAYOUT = {
     NULLIFIER_START: 118,
     NULLIFIER_END: 149,
 };
+/**
+ * OIDC Domain Attestation circuit public input layout (byte offsets).
+ * Defines the byte positions of each field in the flattened public inputs array.
+ *
+ * Public inputs are packed as individual field elements (one byte per element):
+ * - pubkey_modulus_limbs: 18 x u128 = 18 x 16 bytes = 288 bytes → fields 0–287
+ * - domain (BoundedVec<u8, 64>): 4-byte length (u32) + 64-byte storage = 68 fields → fields 288–355
+ * - scope: 32 bytes → fields 356–387
+ * - nullifier: 32 bytes → fields 388–419
+ *
+ * @example
+ * ```typescript
+ * const scope = publicInputs.slice(
+ *   OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT.SCOPE_START,
+ *   OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT.SCOPE_END + 1
+ * );
+ * ```
+ */
+const OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT = {
+    PUBKEY_MODULUS_START: 0,
+    PUBKEY_MODULUS_END: 287,
+    DOMAIN_START: 288,
+    DOMAIN_END: 355,
+    SCOPE_START: 356,
+    SCOPE_END: 387,
+    NULLIFIER_START: 388,
+    NULLIFIER_END: 419,
+};
 
 /**
  * Deep Link utilities for ZKProofport SDK
@@ -450,7 +484,7 @@ function validateProofRequest(request) {
     if (!request.circuit) {
         return { valid: false, error: 'Missing circuit type' };
     }
-    if (!['coinbase_attestation', 'coinbase_country_attestation'].includes(request.circuit)) {
+    if (!['coinbase_attestation', 'coinbase_country_attestation', 'oidc_domain_attestation'].includes(request.circuit)) {
         return { valid: false, error: `Invalid circuit type: ${request.circuit}` };
     }
     if (!request.callbackUrl) {
@@ -480,6 +514,18 @@ function validateProofRequest(request) {
             return { valid: false, error: 'isIncluded is required and must be a boolean' };
         }
     }
+    else if (request.circuit === 'oidc_domain_attestation') {
+        const inputs = request.inputs;
+        if (!inputs.domain || typeof inputs.domain !== 'string' || inputs.domain.trim() === '') {
+            return { valid: false, error: 'domain is required and must be a non-empty string' };
+        }
+        if (!inputs.scope || typeof inputs.scope !== 'string' || inputs.scope.trim() === '') {
+            return { valid: false, error: 'scope is required and must be a non-empty string' };
+        }
+        if (inputs.provider !== undefined && (typeof inputs.provider !== 'string' || inputs.provider.trim() === '')) {
+            return { valid: false, error: 'provider must be a non-empty string when specified' };
+        }
+    }
     // Check expiry
     if (request.expiresAt && Date.now() > request.expiresAt) {
         return { valid: false, error: 'Request has expired' };
@@ -3781,6 +3827,10 @@ function extractScopeFromPublicInputs(publicInputsHex, circuit) {
         start = 86;
         end = 117;
     }
+    else if (circuit === 'oidc_domain_attestation') {
+        start = 356;
+        end = 387;
+    }
     else {
         start = 64;
         end = 95;
@@ -3814,6 +3864,10 @@ function extractNullifierFromPublicInputs(publicInputsHex, circuit) {
         start = 118;
         end = 149;
     }
+    else if (circuit === 'oidc_domain_attestation') {
+        start = 388;
+        end = 419;
+    }
     else {
         start = 96;
         end = 127;
@@ -4705,53 +4759,26 @@ class ProofportSDK {
         }
         return await response.json();
     }
-    /**
-     * Creates a proof request through the relay server.
-     *
-     * This is the recommended way to create proof requests. The relay server:
-     * - Issues a server-side requestId (validated by the mobile app)
-     * - Tracks request status in Redis
-     * - Builds the deep link with relay callback URL
-     * - Stores inputs hash for deep link integrity verification
-     *
-     * @param circuit - Circuit type identifier
-     * @param inputs - Circuit-specific inputs
-     * @param options - Request options (message, dappName, dappIcon, nonce)
-     * @returns Promise resolving to RelayProofRequest with requestId, deepLink, pollUrl
-     * @throws Error if signer not set or relay request fails
-     *
-     * @example
-     * ```typescript
-     * const sdk = ProofportSDK.create();
-     * sdk.setSigner(signer);
-     *
-     * const relay = await sdk.createRelayRequest('coinbase_attestation', {
-     *   scope: 'myapp.com'
-     * }, { dappName: 'My DApp' });
-     *
-     * // Generate QR code from relay deep link
-     * const qr = await sdk.generateQRCode(relay.deepLink);
-     *
-     * // Wait for proof (WebSocket primary, polling fallback)
-     * const result = await sdk.waitForProof(relay.requestId);
-     * ```
-     */
     async createRelayRequest(circuit, inputs, options = {}) {
-        if (!this.signer) {
-            throw new Error('Signer not set. Call setSigner() first.');
-        }
         if (!this.relayUrl) {
             throw new Error('relayUrl is required. Set it in ProofportSDK config.');
         }
-        // Get challenge from relay and sign it
-        const { challenge } = await this.getChallenge();
-        const signature = await this.signer.signMessage(challenge);
+        const needsSignature = ProofportSDK.WALLET_SIGNATURE_CIRCUITS.includes(circuit);
+        if (needsSignature && !this.signer) {
+            throw new Error('Signer not set. Call setSigner() first. Wallet signature is required for this circuit.');
+        }
+        // Get challenge + requestId from relay
+        const { requestId, challenge } = await this.getChallenge();
         const body = {
+            requestId,
             circuitId: circuit,
             inputs,
             challenge,
-            signature,
         };
+        // Sign challenge for circuits that require wallet signature
+        if (needsSignature && this.signer) {
+            body.signature = await this.signer.signMessage(challenge);
+        }
         if (options.message)
             body.message = options.message;
         if (options.dappName)
@@ -5028,6 +5055,42 @@ class ProofportSDK {
         return extractNullifierFromPublicInputs(publicInputs, circuit);
     }
 }
+/**
+ * Creates a proof request through the relay server.
+ *
+ * This is the recommended way to create proof requests. The relay server:
+ * - Issues a server-side requestId (validated by the mobile app)
+ * - Tracks request status in Redis
+ * - Builds the deep link with relay callback URL
+ * - Stores inputs hash for deep link integrity verification
+ *
+ * @param circuit - Circuit type identifier
+ * @param inputs - Circuit-specific inputs
+ * @param options - Request options (message, dappName, dappIcon, nonce)
+ * @returns Promise resolving to RelayProofRequest with requestId, deepLink, pollUrl
+ * @throws Error if signer not set or relay request fails
+ *
+ * @example
+ * ```typescript
+ * const sdk = ProofportSDK.create();
+ * sdk.setSigner(signer);
+ *
+ * const relay = await sdk.createRelayRequest('coinbase_attestation', {
+ *   scope: 'myapp.com'
+ * }, { dappName: 'My DApp' });
+ *
+ * // Generate QR code from relay deep link
+ * const qr = await sdk.generateQRCode(relay.deepLink);
+ *
+ * // Wait for proof (WebSocket primary, polling fallback)
+ * const result = await sdk.waitForProof(relay.requestId);
+ * ```
+ */
+// Circuits that require wallet signature (used as circuit input)
+ProofportSDK.WALLET_SIGNATURE_CIRCUITS = [
+    'coinbase_attestation',
+    'coinbase_country_attestation',
+];
 
-export { COINBASE_ATTESTATION_PUBLIC_INPUT_LAYOUT, COINBASE_COUNTRY_PUBLIC_INPUT_LAYOUT, ProofportSDK, ProofportSDK as default, extractNullifierFromPublicInputs, extractScopeFromPublicInputs };
+export { COINBASE_ATTESTATION_PUBLIC_INPUT_LAYOUT, COINBASE_COUNTRY_PUBLIC_INPUT_LAYOUT, OIDC_DOMAIN_ATTESTATION_PUBLIC_INPUT_LAYOUT, ProofportSDK, ProofportSDK as default, extractNullifierFromPublicInputs, extractScopeFromPublicInputs };
 //# sourceMappingURL=index.esm.js.map