bulletin-deploy 0.7.21 → 0.7.22-rc.0

package/dist/chunk-A5IQ5MKO.js

@@ -0,0 +1,207 @@
+import {
+  buildImplicationMessage,
+  buildV5GeneralExtrinsic,
+  bytesToHex,
+  hexToBytes,
+  readExtensionOrder,
+  toHex
+} from "./chunk-ZYVGHDMU.js";
+import {
+  BANDERSNATCH_SIGNATURE_BYTES
+} from "./chunk-T7EEVWNU.js";
+
+// src/personhood/bind-personal-id.ts
+import { Enum } from "polkadot-api";
+var AS_PERSON_IDENTIFIER = "AsPerson";
+var VERIFY_MULTI_SIGNATURE_IDENTIFIER = "VerifyMultiSignature";
+var IMPLICATION_EXCLUDE = /* @__PURE__ */ new Set([
+  "VerifyMultiSignature",
+  AS_PERSON_IDENTIFIER,
+  "AuthorizeCall",
+  "StorageWeightReclaim"
+]);
+var PersonalIdBindingError = class extends Error {
+  dispatchError;
+  kind;
+  constructor(message, options = {}) {
+    super(message, options);
+    this.name = "PersonalIdBindingError";
+    this.kind = options.kind ?? "unknown";
+    this.dispatchError = options.dispatchError;
+  }
+};
+function buildAsPersonExtensionValue(signature, personalId) {
+  return Enum("AsPersonalIdentityWithProof", [bytesToHex(signature), personalId]);
+}
+var bindPersonalIdToAccount = async ({
+  typedApi,
+  client,
+  personalId,
+  account,
+  signMember,
+  callValidAt,
+  progress
+}) => {
+  const api = typedApi;
+  if (typeof api.tx?.People?.set_personal_id_account !== "function") {
+    throw new PersonalIdBindingError(
+      "typedApi does not expose People.set_personal_id_account \u2014 wrong chain or stale descriptors",
+      { kind: "client_error" }
+    );
+  }
+  const block = callValidAt ?? await api.query.System.Number.getValue();
+  const innerTx = api.tx.People.set_personal_id_account({
+    account,
+    call_valid_at: block
+  });
+  const callBytes = await innerTx.getEncodedData();
+  const passEmpty = await capturePass({
+    innerTx,
+    asPersonValue: new Uint8Array()
+  });
+  const msgHash = buildImplicationMessage(
+    callBytes,
+    passEmpty.extensions,
+    IMPLICATION_EXCLUDE
+  );
+  const signature = await Promise.resolve(signMember(msgHash));
+  if (signature.length !== BANDERSNATCH_SIGNATURE_BYTES) {
+    throw new PersonalIdBindingError(
+      `Bandersnatch signature must be ${BANDERSNATCH_SIGNATURE_BYTES} bytes, got ${signature.length}`,
+      { kind: "client_error" }
+    );
+  }
+  const asPersonProof = Enum("AsPersonalIdentityWithProof", [bytesToHex(signature), personalId]);
+  const passProof = await capturePass({
+    innerTx,
+    asPersonValue: asPersonProof
+  });
+  const extrinsicBytes = buildV5GeneralExtrinsic(callBytes, passProof.extensions);
+  const extrinsicHex = toHex(extrinsicBytes);
+  const blockHash = await submitExtrinsic(client, extrinsicHex, progress);
+  return { extrinsicHex, blockHash };
+};
+var capturePass = async ({
+  innerTx,
+  asPersonValue
+}) => {
+  let captured = null;
+  const sentinel = new Error("__personhood_capture_sentinel__");
+  const signer = {
+    publicKey: new Uint8Array(32),
+    signTx: async (callData, signedExtensions, metadata) => {
+      const order = await readExtensionOrder(metadata);
+      const byIdentifier = {};
+      for (const id of order) {
+        const ext = signedExtensions[id];
+        if (!ext) {
+          throw new PersonalIdBindingError(
+            `papi did not produce signed extension '${id}'`
+          );
+        }
+        byIdentifier[id] = {
+          value: ext.value,
+          additionalSigned: ext.additionalSigned
+        };
+      }
+      captured = { callData, extensions: { order, byIdentifier } };
+      throw sentinel;
+    },
+    signBytes: async () => new Uint8Array(64)
+  };
+  try {
+    await innerTx.sign(signer, {
+      customSignedExtensions: {
+        [AS_PERSON_IDENTIFIER]: {
+          value: asPersonValue,
+          additionalSigned: new Uint8Array()
+        },
+        [VERIFY_MULTI_SIGNATURE_IDENTIFIER]: {
+          value: Enum("Disabled")
+        },
+        RestrictOrigins: {
+          value: new Uint8Array([1]),
+          additionalSigned: new Uint8Array()
+        }
+      }
+    });
+  } catch (err) {
+    if (err !== sentinel) throw err;
+  }
+  if (!captured) {
+    throw new PersonalIdBindingError(
+      "extension capture failed \u2014 papi never invoked signTx",
+      { kind: "client_error" }
+    );
+  }
+  return captured;
+};
+var submitExtrinsic = (client, extrinsicHex, progress) => {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      reject(err);
+    };
+    const succeed = (blockHash) => {
+      if (settled) return;
+      settled = true;
+      resolve(blockHash);
+    };
+    client.submitAndWatch(hexToBytes(extrinsicHex)).subscribe({
+      next: (event) => {
+        if (settled) return;
+        if (event.type === "broadcasted") {
+          progress?.onBroadcasted?.();
+          return;
+        }
+        if (event.type === "txBestBlocksState" && event.found) {
+          if (event.ok === false) {
+            fail(
+              new PersonalIdBindingError(
+                "set_personal_id_account dispatched but failed in-block",
+                {
+                  kind: "dispatch_error",
+                  dispatchError: event.dispatchError
+                }
+              )
+            );
+            return;
+          }
+          progress?.onBestBlock?.(event.block.hash);
+          return;
+        }
+        if (event.type === "finalized") {
+          if (event.ok === false) {
+            fail(
+              new PersonalIdBindingError(
+                "set_personal_id_account dispatch failed at finalization",
+                {
+                  kind: "dispatch_error",
+                  dispatchError: event.dispatchError
+                }
+              )
+            );
+            return;
+          }
+          succeed(event.block.hash);
+        }
+      },
+      error: (err) => {
+        fail(
+          err instanceof PersonalIdBindingError ? err : new PersonalIdBindingError(
+            err instanceof Error ? `RPC rejected extrinsic: ${err.message}` : "RPC error during submitAndWatch",
+            { cause: err, kind: "rpc_error" }
+          )
+        );
+      }
+    });
+  });
+};
+
+export {
+  PersonalIdBindingError,
+  buildAsPersonExtensionValue,
+  bindPersonalIdToAccount
+};

package/dist/chunk-EJ5TNGAY.js

@@ -0,0 +1,24 @@
+import {
+  blake2b256Keyed
+} from "./chunk-UPWEOGLQ.js";
+import {
+  MEMBER_ENTROPY_KEY
+} from "./chunk-T7EEVWNU.js";
+
+// src/personhood/member-key.ts
+import { mnemonicToEntropy } from "@polkadot-labs/hdkd-helpers";
+import * as verifiable from "verifiablejs/nodejs";
+function deriveMemberEntropy(mnemonic) {
+  const normalized = mnemonic.trim().split(/\s+/).join(" ");
+  const bip39Entropy = mnemonicToEntropy(normalized);
+  return blake2b256Keyed(bip39Entropy, MEMBER_ENTROPY_KEY);
+}
+function deriveMemberKey(mnemonic) {
+  const entropy = deriveMemberEntropy(mnemonic);
+  return verifiable.member_from_entropy(entropy);
+}
+
+export {
+  deriveMemberEntropy,
+  deriveMemberKey
+};

package/dist/{chunk-BFXHVC23.js → chunk-HEUS42MX.js}

@@ -2,7 +2,7 @@ import {
   computeStats,
   renderSummary,
   telemetryAttributes
-} from "./chunk-MJTQOXBC.js";
+} from "./chunk-LEYQOOWC.js";
 import {
   finaliseEmbeddedManifest,
   writeEmbeddedManifestPlaceholder
@@ -20,10 +20,10 @@ import {
 } from "./chunk-S7EM5VMW.js";
 import {
   setDeployContext
-} from "./chunk-SA37SLYF.js";
+} from "./chunk-TA3NCL6U.js";
 import {
   probeChunks
-} from "./chunk-ZY6QLNKQ.js";
+} from "./chunk-KTOZL74I.js";
 import {
   packSection
 } from "./chunk-C2TS5MER.js";
@@ -34,7 +34,7 @@ import {
   parseDomainName,
   popStatusName,
   verifyNonceAdvanced
-} from "./chunk-VTTN4BX7.js";
+} from "./chunk-4YO5SOAY.js";
 import {
   derivePoolAccounts,
   detectTestnet,
@@ -42,7 +42,7 @@ import {
   fetchPoolAuthorizations,
   selectAccount,
   topUpBy
-} from "./chunk-4TS6R26J.js";
+} from "./chunk-WVCIU6WM.js";
 import {
   VERSION,
   captureWarning,
@@ -56,7 +56,7 @@ import {
   truncateAddress,
   withDeploySpan,
   withSpan
-} from "./chunk-2VNGK2MU.js";
+} from "./chunk-3LGLMHQI.js";
 import {
   DEFAULT_ENV_ID,
   loadEnvironments,
@@ -395,7 +395,7 @@ function assignDenseNonces(stored, startNonce) {
   return nonces;
 }
 var __assignDenseNoncesForTest = assignDenseNonces;
-async function storeChunkedContent(chunks, { client: existingClient, unsafeApi: existingApi, signer: existingSigner, ss58: existingSS58, reconnect, fetchNonce: fetchNonceOverride, skipCids, probeFailedCids, gateway: providerGateway } = {}) {
+async function storeChunkedContent(chunks, { client: existingClient, unsafeApi: existingApi, signer: existingSigner, ss58: existingSS58, reconnect, fetchNonce: fetchNonceOverride, skipCids, probeFailedCids, gateway: providerGateway, bulletinAuthorizeV2 } = {}) {
   const _fetchNonce = fetchNonceOverride ?? fetchNonce;
   console.log(`
    Chunks: ${chunks.length}`);
@@ -461,11 +461,13 @@ async function storeChunkedContent(chunks, { client: existingClient, unsafeApi:
   const bytesRemaining = uploadAuth ? BigInt(uploadAuth.extent.bytes_allowance) - BigInt(uploadAuth.extent.bytes) : 0n;
   const isAuthorized = uploadAuth !== void 0 && Number(uploadAuth.expiration ?? 0) > currentBlockNum;
   if (!isAuthorized || txsRemaining < requiredTxs || bytesRemaining < requiredBytes) {
+    const txsRemainingDisplay = txsRemaining < 0n ? 0n : txsRemaining;
+    const bytesRemainingDisplay = bytesRemaining < 0n ? 0n : bytesRemaining;
     console.log(`
-   Account needs re-authorization (authorized=${isAuthorized}, need ${requiredTxs} txs / ${(totalBytes / 1e6).toFixed(1)}MB, have ${txsRemaining} txs / ${Number(bytesRemaining) / 1e6}MB)`);
+   Account needs re-authorization (authorized=${isAuthorized}, need ${requiredTxs} txs / ${(totalBytes / 1e6).toFixed(1)}MB, have ${txsRemainingDisplay} txs / ${(Number(bytesRemainingDisplay) / 1e6).toFixed(2)}MB)`);
     console.log(`   Attempting to re-authorize with Alice...`);
     try {
-      await ensureAuthorized(unsafeApi, ss58);
+      await ensureAuthorized(unsafeApi, ss58, void 0, bulletinAuthorizeV2, { txs: requiredTxs, bytes: requiredBytes });
       console.log(`   Re-authorization successful`);
     } catch (e) {
       throw new NonRetryableError(`Account ${ss58} has insufficient Bulletin authorization and auto-authorization via Alice failed (${e.message}). Authorize the account on-chain.`);
@@ -1024,11 +1026,11 @@ async function storeDirectoryV2(directoryPath, opts = {}) {
   const probe = carChunkCidsA.length > 0 ? await withSpan("deploy.chain-probe", "2. chain probe", { "deploy.probe.total": carChunkCidsA.length }, () => probeChunks(carChunkCidsA, { client: provider.client })) : [];
   const skipCids = /* @__PURE__ */ new Set();
   const probeFailedCidsA = /* @__PURE__ */ new Set();
-  let bytesSkipped = 0;
+  let bytesProbePresent = 0;
   for (let i = 0; i < probe.length; i++) {
     if (probe[i].present === true) {
       skipCids.add(carChunkCidsA[i]);
-      bytesSkipped += carChunksA[i].length;
+      bytesProbePresent += carChunksA[i].length;
     } else if (probe[i].present === null) {
       probeFailedCidsA.add(carChunkCidsA[i]);
     }
@@ -1165,6 +1167,7 @@ async function storeDirectoryV2(directoryPath, opts = {}) {
     probeResults: probe,
     prevChunks: prevManifest?.chunks ?? {},
     retentionPeriodBlocks,
+    bytesProbePresent,
     bytesSkipped: bytesSkippedB,
     bytesUploaded: bytesUploadedB,
     chunksTotal: phaseB.chunks.length,
@@ -1182,15 +1185,16 @@ async function storeDirectoryV2(directoryPath, opts = {}) {
   console.log("\n" + renderSummary(stats));
   return { storageCid, ipfsCid: phaseB.cid, carBytes: phaseB.carBytes };
 }
-function resolveDotnsConnectOptions(options, assetHubEndpoints, autoAccountMapping, contracts, nativeToEthRatio) {
+function resolveDotnsConnectOptions(options, assetHubEndpoints, autoAccountMapping, contracts, nativeToEthRatio, environmentId) {
   const tail = assetHubEndpoints && assetHubEndpoints.length > 0 ? { assetHubEndpoints } : {};
   const mappingTail = autoAccountMapping ? { autoAccountMapping } : {};
   const contractsTail = contracts && Object.keys(contracts).length > 0 ? { contracts } : {};
   const ratioTail = nativeToEthRatio ? { nativeToEthRatio } : {};
+  const envTail = environmentId ? { environmentId } : {};
   if (options.signer && options.signerAddress) {
-    return { signer: options.signer, signerAddress: options.signerAddress, ...tail, ...mappingTail, ...contractsTail, ...ratioTail };
+    return { signer: options.signer, signerAddress: options.signerAddress, ...tail, ...mappingTail, ...contractsTail, ...ratioTail, ...envTail };
   }
-  return { mnemonic: options.mnemonic, derivationPath: options.derivationPath, ...tail, ...mappingTail, ...contractsTail, ...ratioTail };
+  return { mnemonic: options.mnemonic, derivationPath: options.derivationPath, ...tail, ...mappingTail, ...contractsTail, ...ratioTail, ...envTail };
 }
 async function estimateUploadBytes(content) {
   try {
@@ -1328,7 +1332,7 @@ async function deploy(content, domainName = null, options = {}) {
         }
       }
       provider = await reconnect();
-      const providerWithReconnect = { ...provider, reconnect };
+      const providerWithReconnect = { ...provider, reconnect, bulletinAuthorizeV2: envBulletinAuthorizeV2 };
       const [isTestnet, estimated] = await Promise.all([
         detectTestnet(provider.unsafeApi),
         estimateUploadBytes(content)
@@ -1337,7 +1341,7 @@ async function deploy(content, domainName = null, options = {}) {
         const uploadBytes = Math.ceil(estimated * 1.2);
         const chunksNeeded = Math.max(1, Math.ceil(uploadBytes / CHUNK_SIZE));
         const needs = { txs: BigInt(chunksNeeded + 2), bytes: BigInt(uploadBytes) };
-        await topUpBy(provider.unsafeApi, provider.ss58, needs, "uploader");
+        await topUpBy(provider.unsafeApi, provider.ss58, needs, "uploader", envBulletinAuthorizeV2);
       }
       console.log("\n" + "=".repeat(60));
       console.log("Storage");
@@ -1502,7 +1506,7 @@ async function deploy(content, domainName = null, options = {}) {
       console.log("=".repeat(60));
       await withSpan("deploy.dotns", "2. dotns", { "deploy.domain": name, "deploy.subdomain": String(parsed?.isSubdomain ?? false) }, async () => {
         const dotns = new DotNS();
-        await dotns.connect(resolveDotnsConnectOptions(options, envAssetHub, envAutoAccountMapping, envContracts, envNativeToEthRatio));
+        await dotns.connect(resolveDotnsConnectOptions(options, envAssetHub, envAutoAccountMapping, envContracts, envNativeToEthRatio, envId));
         if (parsed?.isSubdomain) {
           const { owned, owner } = await dotns.checkSubdomainOwnership(parsed.sublabel, parsed.parentLabel);
           if (owned) {

package/dist/{chunk-ZY6QLNKQ.js → chunk-KTOZL74I.js}

@@ -1,6 +1,6 @@
 import {
   captureWarning
-} from "./chunk-2VNGK2MU.js";
+} from "./chunk-3LGLMHQI.js";
 
 // src/chunk-probe.ts
 import { Twox128, Blake2128Concat, decAnyMetadata, unifyMetadata } from "@polkadot-api/substrate-bindings";

package/dist/{chunk-MJTQOXBC.js → chunk-LEYQOOWC.js}

@@ -6,7 +6,6 @@ function countByReason(probe, reason) {
 function computeStats(input) {
   const present = input.probeResults.filter((r) => r.present === true);
   const failed = input.probeResults.filter((r) => r.present === null);
-  const presentInPrev = present.filter((r) => input.prevChunks[r.cid] != null);
   const recycled = present.filter((r) => input.prevChunks[r.cid] == null);
   return {
     manifestSource: input.manifestSource,
@@ -25,6 +24,7 @@ function computeStats(input) {
     probeFailedMetadata: countByReason(input.probeResults, "metadata_error"),
     recycledCids: recycled.length,
     retentionPeriodBlocks: input.retentionPeriodBlocks,
+    bytesProbePresent: input.bytesProbePresent,
     bytesSkipped: input.bytesSkipped,
     bytesUploaded: input.bytesUploaded,
     chunksTotal: input.chunksTotal,
@@ -34,7 +34,7 @@ function computeStats(input) {
     section0Bytes: input.sectionSizes.section0,
     section1Bytes: input.sectionSizes.section1,
     section2Bytes: input.sectionSizes.section2,
-    estimatedSecondsSaved: Math.round(SECONDS_PER_PROBE_SKIP * presentInPrev.length),
+    estimatedSecondsSaved: Math.round(SECONDS_PER_PROBE_SKIP * present.length),
     tier2VerifiedCount: input.tier2VerifiedCount,
     tier2InconclusiveCount: input.tier2InconclusiveCount,
     tier2FallbackCount: input.tier2FallbackCount
@@ -63,6 +63,7 @@ function telemetryAttributes(s) {
     "deploy.cache.chunks_total": String(s.chunksTotal),
     "deploy.cache.chunks_uploaded": String(s.chunksUploaded),
     "deploy.cache.chunks_skipped": String(s.chunksSkipped),
+    "deploy.cache.bytes_probe_present": String(s.bytesProbePresent),
     "deploy.cache.bytes_skipped": String(s.bytesSkipped),
     "deploy.cache.bytes_uploaded": String(s.bytesUploaded),
     "deploy.cache.car_bytes": String(s.carBytes),

package/dist/{chunk-G2P5UIPX.js → chunk-LZO2QX4T.js}

@@ -6,7 +6,7 @@ import * as path from "path";
 // package.json
 var package_default = {
   name: "bulletin-deploy",
-  version: "0.7.21",
+  version: "0.7.22-rc.0",
   private: false,
   repository: {
     type: "git",
@@ -36,11 +36,11 @@ var package_default = {
     "assets"
   ],
   scripts: {
-    build: "tsup src/index.ts src/deploy.ts src/dotns.ts src/pool.ts src/telemetry.ts src/memory-report.ts src/merkle.ts src/gh-pages-mirror.ts src/version-check.ts src/bug-report.ts src/run-state.ts src/environments.ts src/errors.ts src/manifest.ts src/chunk-probe.ts src/manifest-embed.ts src/manifest-fetch.ts src/manifest-roundtrip.ts src/incremental-stats.ts src/chunker.ts src/mirror.ts --format esm --dts --clean --target node22",
+    build: "tsup src/index.ts src/deploy.ts src/dotns.ts src/pool.ts src/telemetry.ts src/memory-report.ts src/merkle.ts src/gh-pages-mirror.ts src/version-check.ts src/bug-report.ts src/run-state.ts src/environments.ts src/errors.ts src/manifest.ts src/chunk-probe.ts src/manifest-embed.ts src/manifest-fetch.ts src/manifest-roundtrip.ts src/incremental-stats.ts src/chunker.ts src/mirror.ts src/personhood/encoding.ts src/personhood/hashing.ts src/personhood/constants.ts src/personhood/member-key.ts src/personhood/people-client.ts src/personhood/reprove.ts src/personhood/bind-personal-id.ts src/personhood/claim-pgas.ts src/personhood/bind-paid-alias.ts src/personhood/bootstrap.ts --format esm --dts --clean --target node22",
     "refresh-environments": "node scripts/refresh-environments.mjs",
     "check:watched-dependencies": "node tools/check-watched-dependencies.mjs",
     prepare: "npm run build",
-    test: "npm run build && node --test test/test.js test/cli-help.test.js test/helpers/e2e-helpers.test.js test/environments.test.js test/refresh-environments.test.js test/watched-dependencies.test.js",
+    test: "npm run build && node --test test/test.js test/cli-help.test.js test/helpers/e2e-helpers.test.js test/environments.test.js test/refresh-environments.test.js test/watched-dependencies.test.js test/chunk-sharing-report.test.js",
     "test:e2e": "npm run build && node --test test/e2e.test.js",
     "test:e2e:smoke": "bash scripts/e2e-pass.sh smoke",
     "test:e2e:pr": "bash scripts/e2e-pass.sh pr",
@@ -62,6 +62,7 @@ var package_default = {
     "ipfs-unixfs-importer": "^16.1.4",
     multiformats: "^13.4.1",
     "polkadot-api": "^2.1.3",
+    verifiablejs: "^1.2.0",
     viem: "^2.30.5"
   },
   devDependencies: {

package/dist/chunk-QHOZEY5X.js

@@ -0,0 +1,231 @@
+import {
+  blake2_256,
+  bytesToHex,
+  concatBytes,
+  encodeMembers,
+  hexToBytes
+} from "./chunk-ZYVGHDMU.js";
+import {
+  PAID_PROOF_TAG,
+  PEOPLE_MEMBER_IDENTIFIER_HEX,
+  PGAS_ASSET_ID,
+  PGAS_ASSET_LOCATION,
+  PROOF_BYTES
+} from "./chunk-T7EEVWNU.js";
+
+// src/personhood/bind-paid-alias.ts
+import { getSs58AddressInfo } from "polkadot-api";
+var PaidAliasBindingError = class extends Error {
+  kind;
+  dispatchError;
+  constructor(message, options = {}) {
+    super(message, options);
+    this.name = "PaidAliasBindingError";
+    this.kind = options.kind ?? "Unknown";
+    this.dispatchError = options.dispatchError;
+  }
+};
+var bindPaidAliasToAccount = async ({
+  peopleUnsafeApi,
+  ahUnsafeApi,
+  account,
+  memberKey,
+  contextBytes,
+  signCall,
+  buildRingProof,
+  progress
+}) => {
+  const people = peopleUnsafeApi;
+  const ah = ahUnsafeApi;
+  if (memberKey.length !== 32) {
+    throw new PaidAliasBindingError("memberKey must be 32 bytes", {
+      kind: "ClientError"
+    });
+  }
+  if (contextBytes.length !== 32) {
+    throw new PaidAliasBindingError("contextBytes must be 32 bytes", {
+      kind: "ClientError"
+    });
+  }
+  const fee = await ah.query.AliasAccounts.PaidAliasFee.getValue({ at: "best" });
+  if (fee === void 0) {
+    throw new PaidAliasBindingError(
+      "AliasAccounts.PaidAliasFee is unset \u2014 needs sudo `set_paid_alias_fee`",
+      { kind: "PaidAliasFeeUnset" }
+    );
+  }
+  const pgas = await ah.query.Assets.Account.getValue(
+    PGAS_ASSET_ID,
+    account,
+    { at: "best" }
+  );
+  const pgasBalance = pgas?.balance ?? 0n;
+  if (pgasBalance < fee) {
+    throw new PaidAliasBindingError(
+      `signer has ${pgasBalance.toString()} PGAS but PaidAliasFee is ${fee.toString()} \u2014 claim PGAS first`,
+      { kind: "InsufficientPgas" }
+    );
+  }
+  const position = await people.query.Members.Members.getValue(
+    PEOPLE_MEMBER_IDENTIFIER_HEX,
+    bytesToHex(memberKey),
+    { at: "best" }
+  );
+  if (!position || position.type !== "Included") {
+    throw new PaidAliasBindingError(
+      `member position is '${position?.type ?? "absent"}', expected 'Included'`,
+      { kind: "NotARecognizedPerson" }
+    );
+  }
+  const ringIndex = position.value.ring_index;
+  const allEntries = await people.query.Members.RingKeys.getEntries({
+    at: "best"
+  });
+  const pages = [];
+  const identHex = PEOPLE_MEMBER_IDENTIFIER_HEX.toLowerCase();
+  for (const entry of allEntries) {
+    if (entry.keyArgs[0].toLowerCase() !== identHex) continue;
+    if (Number(entry.keyArgs[1]) !== ringIndex) continue;
+    pages.push([Number(entry.keyArgs[2]), [...entry.value]]);
+  }
+  pages.sort((a, b) => a[0] - b[0]);
+  const ringKeys = pages.flatMap(([, ks]) => ks);
+  if (ringKeys.length === 0) {
+    throw new PaidAliasBindingError("ring has no members on People", {
+      kind: "ClientError"
+    });
+  }
+  const membersBytes = encodeMembers(ringKeys.map((k) => hexToBytes(k)));
+  const collectionId = await ah.constants.AliasAccounts.PeopleCollectionIdentifier();
+  const ringExp = await ah.constants.AliasAccounts.PeopleRingExponent();
+  const ringExponent = ringExp.type === "R2e9" ? 9 : ringExp.type === "R2e10" ? 10 : 14;
+  const ringRoots = await ah.query.MembersSubscriber.RingRoots.getValue(
+    collectionId,
+    ringIndex,
+    { at: "best" }
+  );
+  if (!ringRoots || ringRoots.length === 0) {
+    throw new PaidAliasBindingError(
+      "AH has no RingRoots for this (collection, ring_index)",
+      { kind: "RingRootNotFound" }
+    );
+  }
+  const latest = ringRoots[ringRoots.length - 1];
+  const revision = latest.revision;
+  const ss58Info = getSs58AddressInfo(account);
+  if (!ss58Info.isValid) {
+    throw new PaidAliasBindingError(`invalid SS58: ${account}`, {
+      kind: "ClientError"
+    });
+  }
+  const paidMsg = blake2_256(concatBytes(PAID_PROOF_TAG, ss58Info.publicKey));
+  const { proof, alias } = await buildRingProof({
+    ringExponent,
+    members: membersBytes,
+    context: contextBytes,
+    msg: paidMsg
+  });
+  if (proof.length !== PROOF_BYTES) {
+    throw new PaidAliasBindingError(
+      `ring proof must be ${PROOF_BYTES} bytes, got ${proof.length}`,
+      { kind: "ClientError" }
+    );
+  }
+  const tx = ah.tx.AliasAccounts.set_paid_alias_account({
+    proof: bytesToHex(proof),
+    collection: collectionId,
+    ring_index: ringIndex,
+    ring_revision: revision,
+    context: bytesToHex(contextBytes)
+  });
+  const submitOptions = {
+    customSignedExtensions: {
+      ChargeAssetTxPayment: {
+        value: { tip: 0n, asset_id: PGAS_ASSET_LOCATION }
+      }
+    }
+  };
+  const blockHash = await new Promise((resolve, reject) => {
+    let settled = false;
+    const fail = (err) => {
+      if (settled) return;
+      settled = true;
+      reject(err);
+    };
+    const succeed = (h) => {
+      if (settled) return;
+      settled = true;
+      resolve(h);
+    };
+    tx.signSubmitAndWatch(signCall, submitOptions).subscribe({
+      next: (event) => {
+        if (settled) return;
+        const ev = event;
+        if (ev.type === "broadcasted") {
+          progress?.onBroadcasted?.();
+          return;
+        }
+        if (ev.type === "txBestBlocksState" && ev.found) {
+          if (ev.ok === false) {
+            fail(
+              new PaidAliasBindingError(
+                "set_paid_alias_account dispatched but failed in-block",
+                {
+                  kind: narrowDispatchError(ev.dispatchError),
+                  dispatchError: ev.dispatchError
+                }
+              )
+            );
+            return;
+          }
+          if (ev.block) progress?.onBestBlock?.(ev.block.hash);
+          return;
+        }
+        if (ev.type === "finalized") {
+          if (ev.ok === false) {
+            fail(
+              new PaidAliasBindingError(
+                "set_paid_alias_account failed at finalization",
+                {
+                  kind: narrowDispatchError(ev.dispatchError),
+                  dispatchError: ev.dispatchError
+                }
+              )
+            );
+            return;
+          }
+          if (ev.block) succeed(ev.block.hash);
+        }
+      },
+      error: (err) => {
+        fail(
+          err instanceof PaidAliasBindingError ? err : new PaidAliasBindingError(
+            err instanceof Error ? `RPC rejected extrinsic: ${err.message}` : "RPC error during submitAndWatch",
+            { cause: err, kind: "RpcError" }
+          )
+        );
+      }
+    });
+  });
+  return { blockHash, alias };
+};
+var narrowDispatchError = (dispatchError) => {
+  if (typeof dispatchError === "object" && dispatchError !== null && "type" in dispatchError) {
+    const d = dispatchError;
+    if (d.type === "Module" && typeof d.value === "object" && d.value !== null) {
+      const v = d.value;
+      if (v.type === "AliasAccounts" && v.value?.type === "BadProof") {
+        return "BadProof";
+      }
+      if (v.type === "AliasAccounts" && v.value?.type === "PaidAliasFeeUnset") {
+        return "PaidAliasFeeUnset";
+      }
+    }
+  }
+  return "DispatchError";
+};
+
+export {
+  PaidAliasBindingError,
+  bindPaidAliasToAccount
+};

package/dist/{chunk-RJAFD4LO.js → chunk-SL7LV4DS.js}

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-2VNGK2MU.js";
+} from "./chunk-3LGLMHQI.js";
 
 // src/version-check.ts
 import { execSync, execFileSync } from "child_process";