accounts 0.6.7 → 0.7.0

package/src/server/CliAuth.ts

@@ -1,7 +1,6 @@
-import { Address as core_Address, Base64, Hex, PublicKey } from 'ox'
+import { Address, Base64, Bytes, Hex, PublicKey } from 'ox'
 import { KeyAuthorization as TempoKeyAuthorization, SignatureEnvelope } from 'ox/tempo'
 import { createClient, http, type Chain, type Client, type Transport } from 'viem'
-import type { Address } from 'viem/accounts'
 import { verifyHash } from 'viem/actions'
 import { tempo } from 'viem/chains'
 import * as z from 'zod/mini'
@@ -10,6 +9,11 @@ import * as u from '../core/zod/utils.js'
 import type { MaybePromise } from '../internal/types.js'
 import type { Kv } from './Kv.js'
 
+const limit = z.object({ token: u.address(), limit: u.bigint() })
+const limits = z.readonly(z.array(limit))
+const defaultTtlMs = 10 * 60 * 1_000
+const alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
+
 /** Supported access-key types for CLI bootstrap. */
 export const keyType = z.union([z.literal('secp256k1'), z.literal('p256'), z.literal('webAuthn')])
 
@@ -20,18 +24,18 @@ export const keyAuthorization = z.object({
   expiry: z.union([u.number(), z.null(), z.undefined()]),
   keyId: u.address(),
   keyType,
-  limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+  limits: z.optional(limits),
   signature: z.custom<SignatureEnvelope.SignatureEnvelopeRpc>(),
 })
 
-/** Request body for `POST /auth/pkce/code`. */
+/** CLI auth device-code creation request body. */
 export const createRequest = z.object({
   account: z.optional(u.address()),
   chainId: z.optional(u.bigint()),
   codeChallenge: z.string(),
   expiry: z.optional(z.number()),
   keyType: z.optional(keyType),
-  limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+  limits: z.optional(limits),
   pubKey: u.hex(),
 })
 
@@ -68,7 +72,7 @@ export const pendingResponse = z.object({
   code: z.string(),
   expiry: z.number(),
   keyType,
-  limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+  limits: z.optional(limits),
   pubKey: u.hex(),
   status: z.literal('pending'),
 })
@@ -96,7 +100,7 @@ export const entry = u.oneOf([
     expiresAt: z.number(),
     expiry: z.number(),
     keyType,
-    limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+    limits: z.optional(limits),
     pubKey: u.hex(),
     status: z.literal('pending'),
   }),
@@ -112,7 +116,7 @@ export const entry = u.oneOf([
     expiry: z.number(),
     keyAuthorization,
     keyType,
-    limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+    limits: z.optional(limits),
     pubKey: u.hex(),
     status: z.literal('authorized'),
   }),
@@ -129,12 +133,24 @@ export const entry = u.oneOf([
     expiry: z.number(),
     keyAuthorization,
     keyType,
-    limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+    limits: z.optional(limits),
     pubKey: u.hex(),
     status: z.literal('consumed'),
   }),
 ])
 
+/** Shared CLI auth helper with pre-bound defaults and cached clients. */
+export type CliAuth = {
+  /** Creates and stores a new device code. */
+  createDeviceCode: (options: createDeviceCode.Parameters) => Promise<createDeviceCode.ReturnType>
+  /** Looks up a pending device code for browser approval UIs. */
+  pending: (options: pending.Parameters) => Promise<pending.ReturnType>
+  /** Polls a device code with PKCE verification. */
+  poll: (options: poll.Parameters) => Promise<poll.ReturnType>
+  /** Authorizes a pending device code after validating the signed key authorization. */
+  authorize: (options: authorize.Parameters) => Promise<authorize.ReturnType>
+}
+
 /** Stored device-code entry. */
 export type Entry = z.output<typeof entry>
 
@@ -152,6 +168,12 @@ export type Store = {
   delete: (code: string) => MaybePromise<void>
 }
 
+/** Host validation and sanitization for requested CLI auth defaults. */
+export type Policy = {
+  /** Validates and optionally rewrites requested policy before the entry is stored. */
+  validate: (options: Policy.validate.Options) => MaybePromise<Policy.validate.ReturnType>
+}
+
 export declare namespace Entry {
   /** Pending device-code entry. */
   export type Pending = Extract<z.output<typeof entry>, { status: 'pending' }>
@@ -165,7 +187,7 @@ export declare namespace Store {
   export namespace authorize {
     export type Options = {
       /** Root account that approved the access key. */
-      accountAddress: Address
+      accountAddress: Address.Address
       /** Signed key authorization. */
       keyAuthorization: z.output<typeof keyAuthorization>
       /** Verification code to authorize. */
@@ -181,34 +203,17 @@ export declare namespace Store {
   }
 }
 
-/** Error thrown when pending device-code lookup cannot return a pending request. */
-export class PendingError extends Error {
-  status: 400 | 404
-
-  constructor(message: string, status: 400 | 404) {
-    super(message)
-    this.name = 'PendingError'
-    this.status = status
-  }
-}
-
-/** Host validation and sanitization for requested CLI auth defaults. */
-export type Policy = {
-  /** Validates and optionally rewrites requested policy before the entry is stored. */
-  validate: (options: Policy.validate.Options) => MaybePromise<Policy.validate.ReturnType>
-}
-
 export declare namespace Policy {
   export namespace validate {
     export type Options = {
       /** Requested root account restriction. */
-      account?: Address | undefined
+      account?: Address.Address | undefined
       /** Requested access-key expiry timestamp. Omit to let the server choose one. */
       expiry?: number | undefined
       /** Requested key type. */
       keyType: z.output<typeof keyType>
       /** Requested spending limits. */
-      limits?: readonly { token: Address; limit: bigint }[] | undefined
+      limits?: readonly { token: Address.Address; limit: bigint }[] | undefined
       /** Requested access-key public key. */
       pubKey: Hex.Hex
     }
@@ -217,11 +222,23 @@ export declare namespace Policy {
       /** Approved access-key expiry timestamp. */
       expiry: number
       /** Approved spending limits. */
-      limits?: readonly { token: Address; limit: bigint }[] | undefined
+      limits?: readonly { token: Address.Address; limit: bigint }[] | undefined
     }
   }
 }
 
+/** Error thrown when pending device-code lookup cannot return a pending request. */
+export class PendingError extends Error {
+  /** HTTP status returned by handler surfaces. */
+  status: 400 | 404
+
+  constructor(message: string, status: 400 | 404) {
+    super(message)
+    this.name = 'PendingError'
+    this.status = status
+  }
+}
+
 /** Built-in device-code store helpers. */
 export const Store = {
   /**
@@ -341,231 +358,316 @@ export const Policy = {
   },
 }
 
-/** Creates and stores a new device code. */
-export async function createDeviceCode(
-  options: createDeviceCode.Options,
-): Promise<createDeviceCode.ReturnType> {
+/**
+ * Instantiates a CLI auth helper with shared defaults and cached clients.
+ *
+ * @example
+ * ```ts
+ * import { CliAuth } from 'accounts/server'
+ *
+ * const cli = CliAuth.from({
+ *   store: CliAuth.Store.memory(),
+ * })
+ *
+ * const created = await cli.createDeviceCode({ request })
+ * ```
+ *
+ * @param options - Shared CLI auth defaults.
+ * @returns CLI auth helper.
+ */
+export function from(options: from.Options = {}): CliAuth {
+  const cache = createClientCache(options)
   const {
+    chainId,
     now = Date.now,
     policy = Policy.allow(),
     random = randomBytes,
-    request,
     store = Store.memory(),
-    ttlMs = 10 * 60 * 1_000,
+    ttlMs = defaultTtlMs,
   } = options
-  const chainId = request.chainId ?? options.chainId ?? BigInt(tempo.id)
-  const { account, codeChallenge, pubKey } = request
-  const keyType = request.keyType ?? 'secp256k1'
-  const approved = await policy.validate({
-    ...(account ? { account } : {}),
-    expiry: request.expiry,
-    keyType,
-    ...(request.limits ? { limits: request.limits } : {}),
-    pubKey,
-  })
 
-  let code: string | undefined
-  for (let i = 0; i < 10; i++) {
-    const candidate = createCode(random)
-    if (await store.get(candidate)) continue
-    code = candidate
-    break
+  return {
+    async authorize(options) {
+      const code = normalizeCode(options.request.code)
+      const current = await store.get(code)
+      if (!current) throw new Error('Unknown device code.')
+      if (isExpired(current, now)) {
+        await store.delete(code)
+        throw new Error('Expired device code.')
+      }
+      if (current.status !== 'pending') throw new Error('Device code already completed.')
+      if (
+        current.account &&
+        current.account.toLowerCase() !== options.request.accountAddress.toLowerCase()
+      )
+        throw new Error('Account does not match requested account.')
+
+      const expected = expectedKeyAuthorization(current)
+      const actual = normalizeKeyAuthorization(options.request.keyAuthorization)
+
+      if (actual.keyId.toLowerCase() !== expected.address.toLowerCase())
+        throw new Error('Key authorization key does not match the device-code request.')
+      if (actual.address.toLowerCase() !== expected.address.toLowerCase())
+        throw new Error('Key authorization address does not match the device-code request.')
+      if (actual.keyType !== expected.type)
+        throw new Error('Key authorization key type does not match the device-code request.')
+      if (actual.chainId !== expected.chainId)
+        throw new Error('Key authorization chain does not match the device-code request.')
+      if ((actual.expiry ?? undefined) !== (expected.expiry ?? undefined))
+        throw new Error('Key authorization expiry does not match the device-code request.')
+      if (!sameLimits(actual.limits, expected.limits))
+        throw new Error('Key authorization limits do not match the device-code request.')
+
+      const valid = await verifyHash((options.client ?? cache.get(current.chainId)) as never, {
+        address: options.request.accountAddress,
+        hash: TempoKeyAuthorization.getSignPayload(expected),
+        signature: SignatureEnvelope.serialize(SignatureEnvelope.fromRpc(actual.signature), {
+          magic: actual.signature.type === 'webAuthn',
+        }),
+      })
+      if (!valid) throw new Error('Key authorization signature is invalid.')
+
+      const authorized = await store.authorize({
+        accountAddress: options.request.accountAddress,
+        code,
+        keyAuthorization: options.request.keyAuthorization,
+      })
+      if (!authorized) throw new Error('Unable to authorize device code.')
+
+      return { status: 'authorized' }
+    },
+    async createDeviceCode(options) {
+      const nextChainId = options.request.chainId ?? chainId ?? cache.defaultChainId
+      const { account, codeChallenge, pubKey } = options.request
+      const keyType = options.request.keyType ?? 'secp256k1'
+      const approved = await policy.validate({
+        ...(account ? { account } : {}),
+        expiry: options.request.expiry,
+        keyType,
+        ...(options.request.limits ? { limits: options.request.limits } : {}),
+        pubKey,
+      })
+
+      let code: string | undefined
+      for (let i = 0; i < 10; i++) {
+        const candidate = createCode(random)
+        if (await store.get(candidate)) continue
+        code = candidate
+        break
+      }
+      if (!code) throw new Error('Unable to allocate device code.')
+
+      const createdAt = now()
+
+      await store.create({
+        ...(account ? { account } : {}),
+        chainId: typeof nextChainId === 'bigint' ? nextChainId : BigInt(nextChainId),
+        code,
+        codeChallenge,
+        createdAt,
+        expiresAt: createdAt + ttlMs,
+        expiry: approved.expiry,
+        keyType,
+        ...(approved.limits ? { limits: approved.limits } : {}),
+        pubKey,
+        status: 'pending',
+      })
+
+      return { code }
+    },
+    async pending(options) {
+      const normalized = normalizeCode(options.code)
+      const current = await store.get(normalized)
+      if (!current) throw new PendingError('Unknown device code.', 404)
+      if (isExpired(current, now)) {
+        await store.delete(normalized)
+        throw new PendingError('Expired device code.', 404)
+      }
+      if (current.status !== 'pending')
+        throw new PendingError('Device code already completed.', 400)
+
+      return {
+        accessKeyAddress: Address.fromPublicKey(PublicKey.from(current.pubKey)),
+        ...(current.account ? { account: current.account } : {}),
+        chainId: current.chainId,
+        code: current.code,
+        expiry: current.expiry,
+        keyType: current.keyType,
+        ...(current.limits ? { limits: current.limits } : {}),
+        pubKey: current.pubKey,
+        status: 'pending',
+      }
+    },
+    async poll(options) {
+      const normalized = normalizeCode(options.code)
+      const current = await store.get(normalized)
+      if (!current) return { status: 'expired' }
+      if (isExpired(current, now)) {
+        await store.delete(normalized)
+        return { status: 'expired' }
+      }
+      if (!(await verifyCodeChallenge(options.request.codeVerifier, current.codeChallenge)))
+        throw new Error('Invalid code verifier.')
+      if (current.status === 'pending') return { status: 'pending' }
+      if (current.status === 'consumed') {
+        await store.delete(normalized)
+        return { status: 'expired' }
+      }
+      const authorized = await store.consume(normalized)
+      if (!authorized) return { status: 'expired' }
+      return {
+        accountAddress: authorized.accountAddress,
+        keyAuthorization: authorized.keyAuthorization,
+        status: 'authorized',
+      }
+    },
   }
-  if (!code) throw new Error('Unable to allocate device code.')
-
-  const createdAt = now()
-
-  await store.create({
-    ...(account ? { account } : {}),
-    chainId: typeof chainId === 'bigint' ? chainId : BigInt(chainId),
-    code,
-    codeChallenge,
-    createdAt,
-    expiresAt: createdAt + ttlMs,
-    expiry: approved.expiry,
-    keyType,
-    ...(approved.limits ? { limits: approved.limits } : {}),
-    pubKey,
-    status: 'pending',
-  })
-
-  return { code }
 }
 
-export declare namespace createDeviceCode {
+export declare namespace from {
+  /** Shared CLI auth helper configuration. */
   export type Options = {
-    /** Chain ID embedded into the expected key authorization. @default tempo.id */
+    /** Default chain ID embedded into created device codes. @default tempo.id */
     chainId?: bigint | number | undefined
+    /**
+     * Preconfigured chains used to build and cache viem clients.
+     *
+     * Unknown chain IDs are cached lazily using a tempo-shaped chain object so
+     * standalone helpers can still verify signatures without a full chain list.
+     *
+     * @default [tempo]
+     */
+    chains?: readonly [Chain, ...Chain[]] | undefined
     /** Time source used for TTL evaluation. */
     now?: (() => number) | undefined
     /** Policy used to validate requested expiry and limits. */
     policy?: Policy | undefined
     /** Random byte generator used for verification code allocation. */
     random?: ((size: number) => Uint8Array) | undefined
-    /** Incoming device-code creation request. */
-    request: z.output<typeof createRequest>
     /** Device-code store. */
     store?: Store | undefined
     /** Pending entry TTL in milliseconds. @default 600000 */
     ttlMs?: number | undefined
+    /** Transports keyed by chain ID. Defaults to `http()` for each chain. */
+    transports?: Record<number, Transport> | undefined
   }
+}
 
-  export type ReturnType = z.output<typeof createResponse>
+/**
+ * Creates and stores a new device code.
+ *
+ * @param options - Shared defaults plus the incoming request.
+ * @returns Created device code.
+ */
+export async function createDeviceCode(
+  options: createDeviceCode.Options,
+): Promise<createDeviceCode.ReturnType> {
+  const { request, ...rest } = options
+  return from(rest).createDeviceCode({ request })
 }
 
-/** Looks up a pending device code for browser approval UIs. */
-export async function pending(options: pending.Options): Promise<pending.ReturnType> {
-  const { code, now = Date.now, store = Store.memory() } = options
-  const normalized = normalizeCode(code)
-  const current = await store.get(normalized)
-  if (!current) throw new PendingError('Unknown device code.', 404)
-  if (isExpired(current, now)) {
-    await store.delete(normalized)
-    throw new PendingError('Expired device code.', 404)
+export declare namespace createDeviceCode {
+  /** Parameters for creating a new device code. */
+  export type Parameters = {
+    /** Incoming device-code creation request. */
+    request: z.output<typeof createRequest>
   }
-  if (current.status !== 'pending') throw new PendingError('Device code already completed.', 400)
 
-  return {
-    accessKeyAddress: core_Address.fromPublicKey(PublicKey.from(current.pubKey)),
-    ...(current.account ? { account: current.account } : {}),
-    chainId: current.chainId,
-    code: current.code,
-    expiry: current.expiry,
-    keyType: current.keyType,
-    ...(current.limits ? { limits: current.limits } : {}),
-    pubKey: current.pubKey,
-    status: 'pending',
-  }
+  /** Shared CLI auth defaults plus create-device-code parameters. */
+  export type Options = from.Options & Parameters
+
+  /** Created device-code response body. */
+  export type ReturnType = z.output<typeof createResponse>
+}
+
+/**
+ * Looks up a pending device code for browser approval UIs.
+ *
+ * @param options - Shared defaults plus the pending lookup parameters.
+ * @returns Pending device-code payload.
+ */
+export async function pending(options: pending.Options): Promise<pending.ReturnType> {
+  const { code, ...rest } = options
+  return from(rest).pending({ code })
 }
 
 export declare namespace pending {
-  export type Options = {
+  /** Parameters for looking up a pending device code. */
+  export type Parameters = {
     /** Verification code from the route path. */
     code: string
-    /** Time source used for TTL evaluation. */
-    now?: (() => number) | undefined
-    /** Device-code store. */
-    store?: Store | undefined
   }
 
+  /** Shared CLI auth defaults plus pending lookup parameters. */
+  export type Options = from.Options & Parameters
+
+  /** Pending device-code response body. */
   export type ReturnType = z.output<typeof pendingResponse>
 }
 
-/** Polls a device code with PKCE verification. */
+/**
+ * Polls a device code with PKCE verification.
+ *
+ * @param options - Shared defaults plus the poll parameters.
+ * @returns Pending, authorized, or expired poll response.
+ */
 export async function poll(options: poll.Options): Promise<poll.ReturnType> {
-  const { code, now = Date.now, request, store = Store.memory() } = options
-  const normalized = normalizeCode(code)
-  const current = await store.get(normalized)
-  if (!current) return { status: 'expired' }
-  if (isExpired(current, now)) {
-    await store.delete(normalized)
-    return { status: 'expired' }
-  }
-  if (!(await verifyCodeChallenge(request.codeVerifier, current.codeChallenge)))
-    throw new Error('Invalid code verifier.')
-  if (current.status === 'pending') return { status: 'pending' }
-  if (current.status === 'consumed') {
-    await store.delete(normalized)
-    return { status: 'expired' }
-  }
-  const authorized = await store.consume(normalized)
-  if (!authorized) return { status: 'expired' }
-  return {
-    accountAddress: authorized.accountAddress,
-    keyAuthorization: authorized.keyAuthorization,
-    status: 'authorized',
-  }
+  const { code, request, ...rest } = options
+  return from(rest).poll({ code, request })
 }
 
 export declare namespace poll {
-  export type Options = {
+  /** Parameters for polling a device code. */
+  export type Parameters = {
     /** Verification code from the route path. */
     code: string
-    /** Time source used for TTL evaluation. */
-    now?: (() => number) | undefined
     /** Poll request body. */
     request: z.output<typeof pollRequest>
-    /** Device-code store. */
-    store?: Store | undefined
   }
 
+  /** Shared CLI auth defaults plus poll parameters. */
+  export type Options = from.Options & Parameters
+
+  /** Poll response body. */
   export type ReturnType = z.output<typeof pollResponse>
 }
 
-/** Authorizes a pending device code after validating the signed key authorization. */
+/**
+ * Authorizes a pending device code after validating the signed key authorization.
+ *
+ * @param options - Shared defaults plus the authorization request.
+ * @returns Authorized response body.
+ */
 export async function authorize(options: authorize.Options): Promise<authorize.ReturnType> {
-  const {
-    chainId,
-    client = getClient({ chainId }),
-    now = Date.now,
+  const { client, request, ...rest } = options
+  return from(rest).authorize({
+    ...(client ? { client } : {}),
     request,
-    store = Store.memory(),
-  } = options
-  const code = normalizeCode(request.code)
-  const current = await store.get(code)
-  if (!current) throw new Error('Unknown device code.')
-  if (isExpired(current, now)) {
-    await store.delete(code)
-    throw new Error('Expired device code.')
-  }
-  if (current.status !== 'pending') throw new Error('Device code already completed.')
-  if (current.account && current.account.toLowerCase() !== request.accountAddress.toLowerCase())
-    throw new Error('Account does not match requested account.')
-
-  const expected = expectedKeyAuthorization(current)
-  const actual = normalizeKeyAuthorization(request.keyAuthorization)
-
-  if (actual.keyId.toLowerCase() !== expected.address.toLowerCase())
-    throw new Error('Key authorization key does not match the device-code request.')
-  if (actual.address.toLowerCase() !== expected.address.toLowerCase())
-    throw new Error('Key authorization address does not match the device-code request.')
-  if (actual.keyType !== expected.type)
-    throw new Error('Key authorization key type does not match the device-code request.')
-  if (actual.chainId !== expected.chainId)
-    throw new Error('Key authorization chain does not match the device-code request.')
-  if ((actual.expiry ?? undefined) !== (expected.expiry ?? undefined))
-    throw new Error('Key authorization expiry does not match the device-code request.')
-  if (!sameLimits(actual.limits, expected.limits))
-    throw new Error('Key authorization limits do not match the device-code request.')
-
-  const valid = await verifyHash(client as never, {
-    address: request.accountAddress,
-    hash: TempoKeyAuthorization.getSignPayload(expected),
-    signature: SignatureEnvelope.serialize(SignatureEnvelope.fromRpc(actual.signature), {
-      magic: actual.signature.type === 'webAuthn',
-    }),
   })
-  if (!valid) throw new Error('Key authorization signature is invalid.')
-
-  const authorized = await store.authorize({
-    accountAddress: request.accountAddress,
-    code,
-    keyAuthorization: request.keyAuthorization,
-  })
-  if (!authorized) throw new Error('Unable to authorize device code.')
-
-  return { status: 'authorized' }
 }
 
 export declare namespace authorize {
-  export type Options = {
-    /** Chain ID embedded into the expected key authorization. Defaults to the client chain or tempo.id. */
-    chainId?: bigint | number | undefined
+  /** Parameters for authorizing a pending device code. */
+  export type Parameters = {
     /** Client used to verify the signed key authorization. */
     client?: Client<Transport, Chain | undefined> | undefined
-    /** Time source used for TTL evaluation. */
-    now?: (() => number) | undefined
     /** Authorize request body. */
     request: z.output<typeof authorizeRequest>
-    /** Device-code store. */
-    store?: Store | undefined
   }
 
+  /** Shared CLI auth defaults plus authorization parameters. */
+  export type Options = from.Options & Parameters
+
+  /** Authorization response body. */
   export type ReturnType = z.output<typeof authorizeResponse>
 }
 
-const alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
+/** @internal */
+function randomBytes(size: number) {
+  return Bytes.random(size)
+}
 
+/** @internal */
 function createCode(random: (size: number) => Uint8Array) {
   const bytes = random(8)
   let code = ''
@@ -573,13 +675,47 @@ function createCode(random: (size: number) => Uint8Array) {
   return code
 }
 
+/** @internal */
+function createClientCache(options: from.Options = {}) {
+  const chains = options.chains ?? [tempo]
+  const transports = options.transports ?? {}
+  const clients = new Map<number, Client<Transport, Chain | undefined>>()
+
+  for (const chain of chains) {
+    const transport = transports[chain.id] ?? http()
+    clients.set(chain.id, createClient({ chain, transport }))
+  }
+
+  const defaultChainId = options.chainId ?? chains[0]!.id
+
+  return {
+    defaultChainId,
+    get(chainId: bigint | number = defaultChainId) {
+      const id = typeof chainId === 'bigint' ? Number(chainId) : chainId
+      const current = clients.get(id)
+      if (current) return current
+      const client = createClient({
+        chain: {
+          ...tempo,
+          id,
+        },
+        transport: transports[id] ?? http(),
+      })
+      clients.set(id, client)
+      return client
+    },
+  }
+}
+
+/** @internal */
 function normalizeCode(code: string) {
   return code.replaceAll('-', '').toUpperCase()
 }
 
+/** @internal */
 function expectedKeyAuthorization(entry: Entry.Pending) {
   return TempoKeyAuthorization.from({
-    address: core_Address.fromPublicKey(PublicKey.from(entry.pubKey)),
+    address: Address.fromPublicKey(PublicKey.from(entry.pubKey)),
     chainId: entry.chainId,
     expiry: entry.expiry,
     ...(entry.limits ? { limits: entry.limits } : {}),
@@ -587,23 +723,12 @@ function expectedKeyAuthorization(entry: Entry.Pending) {
   })
 }
 
-function getClient(options: { chainId?: bigint | number | undefined } = {}) {
-  const chainId = options.chainId
-  return createClient({
-    chain: chainId
-      ? {
-          ...tempo,
-          id: typeof chainId === 'bigint' ? Number(chainId) : chainId,
-        }
-      : tempo,
-    transport: http(),
-  })
-}
-
+/** @internal */
 function isExpired(entry: Entry, now: () => number) {
   return now() > entry.expiresAt
 }
 
+/** @internal */
 function normalizeKeyAuthorization(value: z.output<typeof keyAuthorization>) {
   return {
     ...value,
@@ -612,13 +737,10 @@ function normalizeKeyAuthorization(value: z.output<typeof keyAuthorization>) {
   }
 }
 
-function randomBytes(size: number) {
-  return crypto.getRandomValues(new Uint8Array(size))
-}
-
+/** @internal */
 function sameLimits(
-  a: readonly { token: Address; limit: bigint }[] | undefined,
-  b: readonly { token: Address; limit: bigint }[] | undefined,
+  a: Policy.validate.ReturnType['limits'],
+  b: Policy.validate.ReturnType['limits'],
 ) {
   if (!a && !b) return true
   if (!a || !b || a.length !== b.length) return false
@@ -629,6 +751,7 @@ function sameLimits(
   })
 }
 
+/** @internal */
 async function verifyCodeChallenge(codeVerifier: string, codeChallenge: string) {
   const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(codeVerifier))
   return Base64.fromBytes(new Uint8Array(hash), { pad: false, url: true }) === codeChallenge