kentucky-signer-viem 0.1.1 → 0.1.4

package/dist/index.js

@@ -20,10 +20,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  EphemeralKeyManager: () => EphemeralKeyManager,
+  IndexedDBEphemeralKeyStorage: () => IndexedDBEphemeralKeyStorage,
   KentuckySignerClient: () => KentuckySignerClient,
   KentuckySignerError: () => KentuckySignerError,
   LocalStorageTokenStorage: () => LocalStorageTokenStorage,
+  MemoryEphemeralKeyStorage: () => MemoryEphemeralKeyStorage,
   MemoryTokenStorage: () => MemoryTokenStorage,
+  SecureKentuckySignerClient: () => SecureKentuckySignerClient,
   authenticateWithPasskey: () => authenticateWithPasskey,
   authenticateWithPassword: () => authenticateWithPassword,
   authenticateWithToken: () => authenticateWithToken,
@@ -33,17 +37,22 @@ __export(index_exports, {
   createAccountWithPassword: () => createAccountWithPassword,
   createClient: () => createClient,
   createKentuckySignerAccount: () => createKentuckySignerAccount,
+  createSecureClient: () => createSecureClient,
   createServerAccount: () => createServerAccount,
   formatError: () => formatError,
+  generateEphemeralKeyPair: () => generateEphemeralKeyPair,
   getJwtExpiration: () => getJwtExpiration,
   hexToBytes: () => hexToBytes,
   isSessionValid: () => isSessionValid,
   isValidAccountId: () => isValidAccountId,
   isValidEvmAddress: () => isValidEvmAddress,
   isWebAuthnAvailable: () => isWebAuthnAvailable,
+  isWebCryptoAvailable: () => isWebCryptoAvailable,
   parseJwt: () => parseJwt,
   refreshSessionIfNeeded: () => refreshSessionIfNeeded,
   registerPasskey: () => registerPasskey,
+  signPayload: () => signPayload,
+  verifyPayload: () => verifyPayload,
   withRetry: () => withRetry
 });
 module.exports = __toCommonJS(index_exports);
@@ -64,7 +73,7 @@ var KentuckySignerError = class extends Error {
 var KentuckySignerClient = class {
   constructor(options) {
     this.baseUrl = options.baseUrl.replace(/\/$/, "");
-    this.fetchImpl = options.fetch ?? globalThis.fetch;
+    this.fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
     this.timeout = options.timeout ?? 3e4;
   }
   /**
@@ -119,19 +128,24 @@ var KentuckySignerClient = class {
    *
    * @param accountId - Account ID to authenticate
    * @param credential - WebAuthn credential from navigator.credentials.get()
+   * @param ephemeralPublicKey - Optional ephemeral public key for secure mode binding
    * @returns Authentication response with JWT token
    */
-  async authenticatePasskey(accountId, credential) {
+  async authenticatePasskey(accountId, credential, ephemeralPublicKey) {
+    const body = {
+      account_id: accountId,
+      credential_id: credential.credentialId,
+      client_data_json: credential.clientDataJSON,
+      authenticator_data: credential.authenticatorData,
+      signature: credential.signature,
+      user_handle: credential.userHandle
+    };
+    if (ephemeralPublicKey) {
+      body.ephemeral_public_key = ephemeralPublicKey;
+    }
     return this.request("/api/auth/passkey", {
       method: "POST",
-      body: JSON.stringify({
-        account_id: accountId,
-        credential_id: credential.credentialId,
-        client_data_json: credential.clientDataJSON,
-        authenticator_data: credential.authenticatorData,
-        signature: credential.signature,
-        user_handle: credential.userHandle
-      })
+      body: JSON.stringify(body)
     });
   }
   /**
@@ -222,18 +236,20 @@ var KentuckySignerClient = class {
   /**
    * Create a new account with passkey authentication
    *
-   * @param credential - WebAuthn credential from navigator.credentials.create()
+   * @param attestationObject - Base64url encoded attestation object from WebAuthn
+   * @param label - Optional label for the passkey (defaults to "Owner Passkey")
    * @returns Account creation response with account ID and addresses
    */
-  async createAccountWithPasskey(credential) {
+  async createAccountWithPasskey(attestationObject, label) {
+    const body = {
+      attestation_object: attestationObject
+    };
+    if (label) {
+      body.label = label;
+    }
     return this.request("/api/accounts/create/passkey", {
       method: "POST",
-      body: JSON.stringify({
-        credential_id: credential.credentialId,
-        public_key: credential.publicKey,
-        client_data_json: credential.clientDataJSON,
-        authenticator_data: credential.authenticatorData
-      })
+      body: JSON.stringify(body)
     });
   }
   /**
@@ -260,6 +276,68 @@ var KentuckySignerClient = class {
       body: JSON.stringify(request)
     });
   }
+  /**
+   * Add password authentication to an existing account
+   *
+   * Enables password-based authentication for an account that was created
+   * with passkey-only authentication.
+   *
+   * @param accountId - Account ID
+   * @param request - Password and confirmation
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async addPassword(accountId, request, token) {
+    return this.request(`/api/accounts/${accountId}/password`, {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Get extended account information including auth config
+   *
+   * @param accountId - Account ID
+   * @param token - JWT token
+   * @returns Extended account info with auth config and passkey count
+   */
+  async getAccountInfoExtended(accountId, token) {
+    return this.request(`/api/accounts/${accountId}`, {
+      method: "GET",
+      token
+    });
+  }
+  /**
+   * Add a recovery passkey to an existing account
+   *
+   * @param accountId - Account ID
+   * @param request - Passkey data (COSE public key, credential ID, algorithm, label)
+   * @param token - JWT token
+   * @returns Success response with label
+   */
+  async addPasskey(accountId, request, token) {
+    return this.request(`/api/accounts/${accountId}/passkeys`, {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Remove a passkey from an account
+   *
+   * Note: Cannot remove the owner passkey (index 0)
+   *
+   * @param accountId - Account ID
+   * @param passkeyIndex - Index of passkey to remove (1-3 for recovery passkeys)
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async removePasskey(accountId, passkeyIndex, token) {
+    return this.request(`/api/accounts/${accountId}/passkeys/${passkeyIndex}`, {
+      method: "DELETE",
+      token
+    });
+  }
   /**
    * Health check
    *
@@ -286,6 +364,281 @@ var KentuckySignerClient = class {
     });
     return response.version;
   }
+  // ============================================================================
+  // Guardian Management
+  // ============================================================================
+  /**
+   * Add a guardian passkey to an account
+   *
+   * Guardians can participate in account recovery but cannot access the wallet.
+   * An account can have up to 3 guardians (indices 1-3).
+   *
+   * @param request - Guardian data (attestation object and optional label)
+   * @param token - JWT token
+   * @returns Success response with guardian index and count
+   */
+  async addGuardian(request, token) {
+    return this.request("/api/guardians/add", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Remove a guardian passkey from an account
+   *
+   * Cannot remove guardians during an active recovery.
+   *
+   * @param guardianIndex - Index of guardian to remove (1-3)
+   * @param token - JWT token
+   * @returns Success response with remaining guardian count
+   */
+  async removeGuardian(guardianIndex, token) {
+    return this.request("/api/guardians/remove", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ guardian_index: guardianIndex })
+    });
+  }
+  /**
+   * Get guardians for an account
+   *
+   * @param token - JWT token
+   * @returns Guardian list with indices and labels
+   */
+  async getGuardians(token) {
+    return this.request("/api/guardians", {
+      method: "GET",
+      token
+    });
+  }
+  // ============================================================================
+  // Account Recovery
+  // ============================================================================
+  /**
+   * Initiate account recovery
+   *
+   * Call this when you've lost access to your account. You'll need to register
+   * a new passkey which will become the new owner passkey after recovery completes.
+   *
+   * @param accountId - Account ID to recover
+   * @param attestationObject - WebAuthn attestation object for new owner passkey
+   * @param label - Optional label for new owner passkey
+   * @returns Challenges for guardians to sign, threshold, and timelock info
+   */
+  async initiateRecovery(accountId, attestationObject, label) {
+    const body = {
+      account_id: accountId,
+      attestation_object: attestationObject
+    };
+    if (label) {
+      body.label = label;
+    }
+    return this.request("/api/recovery/initiate", {
+      method: "POST",
+      body: JSON.stringify(body)
+    });
+  }
+  /**
+   * Submit a guardian signature for recovery
+   *
+   * Each guardian must sign their challenge using their passkey.
+   *
+   * @param request - Guardian signature data
+   * @returns Current verification status
+   */
+  async verifyGuardian(request) {
+    return this.request("/api/recovery/verify", {
+      method: "POST",
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Get recovery status for an account
+   *
+   * @param accountId - Account ID to check
+   * @returns Recovery status including verification count and timelock
+   */
+  async getRecoveryStatus(accountId) {
+    return this.request("/api/recovery/status", {
+      method: "POST",
+      body: JSON.stringify({ account_id: accountId })
+    });
+  }
+  /**
+   * Complete account recovery
+   *
+   * Call this after enough guardians have verified and the timelock has expired.
+   * The new owner passkey will replace the old one.
+   *
+   * @param accountId - Account ID to complete recovery for
+   * @returns Success message
+   */
+  async completeRecovery(accountId) {
+    return this.request("/api/recovery/complete", {
+      method: "POST",
+      body: JSON.stringify({ account_id: accountId })
+    });
+  }
+  /**
+   * Cancel a pending recovery
+   *
+   * Only the current owner (with valid auth) can cancel a recovery.
+   * Use this if you regain access and want to stop an unauthorized recovery.
+   *
+   * @param token - JWT token (must be authenticated as owner)
+   * @returns Success message
+   */
+  async cancelRecovery(token) {
+    return this.request("/api/recovery/cancel", {
+      method: "POST",
+      token
+    });
+  }
+  // ============================================================================
+  // Two-Factor Authentication (2FA)
+  // ============================================================================
+  /**
+   * Get 2FA status for the authenticated account
+   *
+   * @param token - JWT token
+   * @returns 2FA status including TOTP and PIN enablement
+   */
+  async get2FAStatus(token) {
+    return this.request("/api/2fa/status", {
+      method: "GET",
+      token
+    });
+  }
+  /**
+   * Setup TOTP for the account
+   *
+   * Returns an otpauth:// URI for QR code generation and a base32 secret
+   * for manual entry. After setup, call enableTOTP with a valid code to
+   * complete the setup.
+   *
+   * @param token - JWT token
+   * @returns TOTP setup response with URI and secret
+   */
+  async setupTOTP(token) {
+    return this.request("/api/2fa/totp/setup", {
+      method: "POST",
+      token
+    });
+  }
+  /**
+   * Verify and enable TOTP for the account
+   *
+   * Call this after setupTOTP with a valid code from the authenticator app.
+   *
+   * @param code - 6-digit TOTP code from authenticator app
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async enableTOTP(code, token) {
+    return this.request("/api/2fa/totp/enable", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ code })
+    });
+  }
+  /**
+   * Disable TOTP for the account
+   *
+   * Requires a valid TOTP code for confirmation.
+   *
+   * @param code - Current 6-digit TOTP code
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async disableTOTP(code, token) {
+    return this.request("/api/2fa/totp/disable", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ code })
+    });
+  }
+  /**
+   * Verify a TOTP code
+   *
+   * Use this to verify a TOTP code without performing any other operation.
+   *
+   * @param code - 6-digit TOTP code
+   * @param token - JWT token
+   * @returns Verification result
+   */
+  async verifyTOTP(code, token) {
+    return this.request("/api/2fa/totp/verify", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ code })
+    });
+  }
+  /**
+   * Setup PIN for the account
+   *
+   * Sets a 4-digit or 6-digit PIN. If a PIN is already set, this replaces it.
+   *
+   * @param pin - 4 or 6 digit PIN
+   * @param token - JWT token
+   * @returns Success response with PIN length
+   */
+  async setupPIN(pin, token) {
+    return this.request("/api/2fa/pin/setup", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ pin })
+    });
+  }
+  /**
+   * Disable PIN for the account
+   *
+   * Requires the current PIN for confirmation.
+   *
+   * @param pin - Current PIN
+   * @param token - JWT token
+   * @returns Success response
+   */
+  async disablePIN(pin, token) {
+    return this.request("/api/2fa/pin/disable", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ pin })
+    });
+  }
+  /**
+   * Verify a PIN
+   *
+   * Use this to verify a PIN without performing any other operation.
+   *
+   * @param pin - PIN to verify
+   * @param token - JWT token
+   * @returns Verification result
+   */
+  async verifyPIN(pin, token) {
+    return this.request("/api/2fa/pin/verify", {
+      method: "POST",
+      token,
+      body: JSON.stringify({ pin })
+    });
+  }
+  /**
+   * Sign an EVM transaction with 2FA
+   *
+   * Use this method when 2FA is enabled. If 2FA is not enabled,
+   * you can use the regular signEvmTransaction method instead.
+   *
+   * @param request - Sign request including tx_hash, chain_id, and optional 2FA codes
+   * @param token - JWT token
+   * @returns Signature response with r, s, v components
+   */
+  async signEvmTransactionWith2FA(request, token) {
+    return this.request("/api/sign/evm", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
 };
 function createClient(options) {
   return new KentuckySignerClient(options);
@@ -293,9 +646,9 @@ function createClient(options) {
 
 // src/account.ts
 function createKentuckySignerAccount(options) {
-  const { config, defaultChainId = 1, onSessionExpired } = options;
+  const { config, defaultChainId = 1, onSessionExpired, secureClient, on2FARequired } = options;
   let session = options.session;
-  const client = new KentuckySignerClient({ baseUrl: config.baseUrl });
+  const client = secureClient ?? new KentuckySignerClient({ baseUrl: config.baseUrl });
   async function getToken() {
     if (Date.now() + 6e4 >= session.expiresAt) {
       if (onSessionExpired) {
@@ -312,17 +665,63 @@ function createKentuckySignerAccount(options) {
   }
   async function signHash(hash, chainId) {
     const token = await getToken();
-    const response = await client.signEvmTransaction(
-      { tx_hash: hash, chain_id: chainId },
-      token
-    );
-    return response.signature.full;
+    try {
+      const response = await client.signEvmTransaction(
+        { tx_hash: hash, chain_id: chainId },
+        token
+      );
+      return response.signature.full;
+    } catch (err) {
+      if (err instanceof KentuckySignerError && err.code === "2FA_REQUIRED" && on2FARequired) {
+        const totpRequired = err.message.includes("TOTP") || (err.details?.includes("totp_code") ?? false);
+        const pinRequired = err.message.includes("PIN") || (err.details?.includes("pin") ?? false);
+        const pinLength = err.details?.match(/(\d)-digit/)?.[1] ? parseInt(err.details.match(/(\d)-digit/)[1]) : 6;
+        const codes = await on2FARequired({ totpRequired, pinRequired, pinLength });
+        if (!codes) {
+          throw new KentuckySignerError("2FA verification cancelled", "2FA_CANCELLED", "User cancelled 2FA input");
+        }
+        const response = await client.signEvmTransactionWith2FA(
+          { tx_hash: hash, chain_id: chainId, totp_code: codes.totpCode, pin: codes.pin },
+          token
+        );
+        return response.signature.full;
+      }
+      throw err;
+    }
   }
-  function parseSignature(signature) {
-    const r = `0x${signature.slice(2, 66)}`;
-    const s = `0x${signature.slice(66, 130)}`;
-    const v = BigInt(`0x${signature.slice(130, 132)}`);
-    return { r, s, v };
+  async function signHashWithComponents(hash, chainId) {
+    const token = await getToken();
+    try {
+      const response = await client.signEvmTransaction(
+        { tx_hash: hash, chain_id: chainId },
+        token
+      );
+      return {
+        r: response.signature.r,
+        s: response.signature.s,
+        v: response.signature.v
+      };
+    } catch (err) {
+      if (err instanceof KentuckySignerError && err.code === "2FA_REQUIRED" && on2FARequired) {
+        const totpRequired = err.message.includes("TOTP") || (err.details?.includes("totp_code") ?? false);
+        const pinRequired = err.message.includes("PIN") || (err.details?.includes("pin") ?? false);
+        const pinLength = err.details?.match(/(\d)-digit/)?.[1] ? parseInt(err.details.match(/(\d)-digit/)[1]) : 6;
+        const codes = await on2FARequired({ totpRequired, pinRequired, pinLength });
+        if (!codes) {
+          throw new KentuckySignerError("2FA verification cancelled", "2FA_CANCELLED", "User cancelled 2FA input");
+        }
+        const response = await client.signEvmTransactionWith2FA(
+          { tx_hash: hash, chain_id: chainId, totp_code: codes.totpCode, pin: codes.pin },
+          token
+        );
+        return {
+          r: response.signature.r,
+          s: response.signature.s,
+          v: response.signature.v
+        };
+      }
+      throw err;
+    }
   }
   const account = (0, import_accounts.toAccount)({
     address: session.evmAddress,
@@ -345,13 +744,12 @@ function createKentuckySignerAccount(options) {
       const chainId = transaction.chainId ?? defaultChainId;
       const serializedUnsigned = (0, import_viem.serializeTransaction)(transaction);
       const txHash = (0, import_viem.keccak256)(serializedUnsigned);
-      const signature = await signHash(txHash, chainId);
-      const { r, s, v } = parseSignature(signature);
+      const { r, s, v } = await signHashWithComponents(txHash, chainId);
       let yParity;
       if (transaction.type === "eip1559" || transaction.type === "eip2930" || transaction.type === "eip4844" || transaction.type === "eip7702") {
-        yParity = Number(v) - 27;
+        yParity = v >= 27 ? v - 27 : v;
       } else {
-        yParity = Number(v);
+        yParity = v;
       }
       const serializedSigned = (0, import_viem.serializeTransaction)(transaction, {
         r,
@@ -488,6 +886,520 @@ function formatError(error) {
   return "An unknown error occurred";
 }
 
+// src/ephemeral.ts
+function isWebCryptoAvailable() {
+  return typeof crypto !== "undefined" && typeof crypto.subtle !== "undefined" && typeof crypto.getRandomValues !== "undefined";
+}
+async function generateEphemeralKeyPair() {
+  if (!isWebCryptoAvailable()) {
+    throw new Error("WebCrypto is not available in this environment");
+  }
+  const keyPair = await crypto.subtle.generateKey(
+    {
+      name: "ECDSA",
+      namedCurve: "P-256"
+    },
+    true,
+    // extractable (only for public key export)
+    ["sign", "verify"]
+  );
+  const publicKeyBuffer = await crypto.subtle.exportKey("spki", keyPair.publicKey);
+  const publicKeyBase64 = base64UrlEncode(new Uint8Array(publicKeyBuffer));
+  return {
+    publicKey: publicKeyBase64,
+    privateKey: keyPair.privateKey,
+    algorithm: "ES256",
+    createdAt: Date.now()
+  };
+}
+async function signPayload(payload, keyPair) {
+  const payloadString = typeof payload === "string" ? payload : JSON.stringify(payload);
+  const timestamp = Date.now();
+  const message = `${timestamp}.${payloadString}`;
+  const messageBytes = new TextEncoder().encode(message);
+  const signatureBuffer = await crypto.subtle.sign(
+    {
+      name: "ECDSA",
+      hash: "SHA-256"
+    },
+    keyPair.privateKey,
+    messageBytes
+  );
+  const signatureBase64 = base64UrlEncode(new Uint8Array(signatureBuffer));
+  return {
+    payload: payloadString,
+    signature: signatureBase64,
+    timestamp
+  };
+}
+async function verifyPayload(signedPayload, publicKeyBase64) {
+  try {
+    const publicKeyBytes = base64UrlDecode(publicKeyBase64);
+    const publicKey = await crypto.subtle.importKey(
+      "spki",
+      publicKeyBytes.buffer,
+      {
+        name: "ECDSA",
+        namedCurve: "P-256"
+      },
+      false,
+      ["verify"]
+    );
+    const message = `${signedPayload.timestamp}.${signedPayload.payload}`;
+    const messageBytes = new TextEncoder().encode(message);
+    const signatureBytes = base64UrlDecode(signedPayload.signature);
+    return await crypto.subtle.verify(
+      {
+        name: "ECDSA",
+        hash: "SHA-256"
+      },
+      publicKey,
+      signatureBytes.buffer,
+      messageBytes
+    );
+  } catch {
+    return false;
+  }
+}
+var EPHEMERAL_KEY_STORAGE_KEY = "kentucky_signer_ephemeral";
+var MemoryEphemeralKeyStorage = class {
+  constructor() {
+    this.keyPair = null;
+  }
+  async save(keyPair) {
+    this.keyPair = keyPair;
+  }
+  async load() {
+    return this.keyPair;
+  }
+  async clear() {
+    this.keyPair = null;
+  }
+};
+var IndexedDBEphemeralKeyStorage = class {
+  constructor() {
+    this.dbName = "kentucky_signer_ephemeral_keys";
+    this.storeName = "keys";
+  }
+  async getDB() {
+    return new Promise((resolve, reject) => {
+      const request = indexedDB.open(this.dbName, 1);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => resolve(request.result);
+      request.onupgradeneeded = () => {
+        const db = request.result;
+        if (!db.objectStoreNames.contains(this.storeName)) {
+          db.createObjectStore(this.storeName);
+        }
+      };
+    });
+  }
+  async save(keyPair) {
+    const db = await this.getDB();
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.storeName, "readwrite");
+      const store = tx.objectStore(this.storeName);
+      const data = {
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+        algorithm: keyPair.algorithm,
+        createdAt: keyPair.createdAt
+      };
+      const request = store.put(data, EPHEMERAL_KEY_STORAGE_KEY);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => resolve();
+    });
+  }
+  async load() {
+    const db = await this.getDB();
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.storeName, "readonly");
+      const store = tx.objectStore(this.storeName);
+      const request = store.get(EPHEMERAL_KEY_STORAGE_KEY);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => {
+        if (request.result) {
+          resolve({
+            publicKey: request.result.publicKey,
+            privateKey: request.result.privateKey,
+            algorithm: request.result.algorithm,
+            createdAt: request.result.createdAt
+          });
+        } else {
+          resolve(null);
+        }
+      };
+    });
+  }
+  async clear() {
+    const db = await this.getDB();
+    return new Promise((resolve, reject) => {
+      const tx = db.transaction(this.storeName, "readwrite");
+      const store = tx.objectStore(this.storeName);
+      const request = store.delete(EPHEMERAL_KEY_STORAGE_KEY);
+      request.onerror = () => reject(request.error);
+      request.onsuccess = () => resolve();
+    });
+  }
+};
+var EphemeralKeyManager = class {
+  constructor(storage) {
+    this.keyPair = null;
+    this.storage = storage ?? new MemoryEphemeralKeyStorage();
+  }
+  /**
+   * Get or generate ephemeral key pair
+   */
+  async getKeyPair() {
+    if (!this.keyPair) {
+      this.keyPair = await this.storage.load();
+    }
+    if (!this.keyPair) {
+      this.keyPair = await generateEphemeralKeyPair();
+      await this.storage.save(this.keyPair);
+    }
+    return this.keyPair;
+  }
+  /**
+   * Get the public key for authentication
+   */
+  async getPublicKey() {
+    const keyPair = await this.getKeyPair();
+    return keyPair.publicKey;
+  }
+  /**
+   * Sign a request payload
+   */
+  async signPayload(payload) {
+    const keyPair = await this.getKeyPair();
+    return signPayload(payload, keyPair);
+  }
+  /**
+   * Rotate the key pair (generate new keys)
+   */
+  async rotate() {
+    await this.storage.clear();
+    this.keyPair = await generateEphemeralKeyPair();
+    await this.storage.save(this.keyPair);
+    return this.keyPair;
+  }
+  /**
+   * Clear the key pair (logout)
+   */
+  async clear() {
+    await this.storage.clear();
+    this.keyPair = null;
+  }
+  /**
+   * Check if a key pair exists
+   */
+  async hasKeyPair() {
+    if (this.keyPair) return true;
+    const loaded = await this.storage.load();
+    return loaded !== null;
+  }
+  /**
+   * Migrate key pair to a new storage backend
+   *
+   * This preserves the existing key pair while switching storage.
+   * The key is saved to the new storage and removed from the old storage.
+   *
+   * @param newStorage - The new storage backend to migrate to
+   */
+  async migrateStorage(newStorage) {
+    const currentKeyPair = this.keyPair ?? await this.storage.load();
+    await this.storage.clear();
+    this.storage = newStorage;
+    if (currentKeyPair) {
+      await this.storage.save(currentKeyPair);
+      this.keyPair = currentKeyPair;
+    }
+  }
+  /**
+   * Get the current storage backend
+   */
+  getStorage() {
+    return this.storage;
+  }
+};
+
+// src/secure-client.ts
+var SecureKentuckySignerClient = class {
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.fetchImpl = options.fetch ?? globalThis.fetch.bind(globalThis);
+    this.timeout = options.timeout ?? 3e4;
+    this.keyManager = options.ephemeralKeyManager ?? new EphemeralKeyManager(
+      options.ephemeralKeyStorage ?? new MemoryEphemeralKeyStorage()
+    );
+    this.requireSigning = options.requireEphemeralSigning ?? true;
+  }
+  /**
+   * Get the ephemeral key manager for advanced usage
+   */
+  getKeyManager() {
+    return this.keyManager;
+  }
+  /**
+   * Make a signed request to the API
+   */
+  async request(path, options = {}) {
+    const { token, skipSigning, ...fetchOptions } = options;
+    const headers = {
+      "Content-Type": "application/json",
+      ...options.headers
+    };
+    if (token) {
+      ;
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+    let body = options.body;
+    if (token && !skipSigning && this.requireSigning && body) {
+      const signedPayload = await this.keyManager.signPayload(body);
+      headers["X-Ephemeral-Signature"] = signedPayload.signature;
+      headers["X-Ephemeral-Timestamp"] = signedPayload.timestamp.toString();
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    try {
+      const response = await this.fetchImpl(`${this.baseUrl}${path}`, {
+        ...fetchOptions,
+        headers,
+        body,
+        signal: controller.signal
+      });
+      const data = await response.json();
+      if (!response.ok || data.success === false) {
+        const error = data;
+        throw new KentuckySignerError(
+          error.error?.message ?? "Unknown error",
+          error.error?.code ?? "UNKNOWN_ERROR",
+          error.error?.details
+        );
+      }
+      return data;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  }
+  /**
+   * Get a challenge for passkey authentication
+   */
+  async getChallenge(accountId) {
+    return this.request("/api/auth/challenge", {
+      method: "POST",
+      body: JSON.stringify({ account_id: accountId }),
+      skipSigning: true
+      // No token yet
+    });
+  }
+  /**
+   * Authenticate with a passkey credential
+   *
+   * Automatically sends the ephemeral public key for binding.
+   */
+  async authenticatePasskey(accountId, credential) {
+    const ephemeralPublicKey = await this.keyManager.getPublicKey();
+    return this.request("/api/auth/passkey", {
+      method: "POST",
+      body: JSON.stringify({
+        account_id: accountId,
+        credential_id: credential.credentialId,
+        client_data_json: credential.clientDataJSON,
+        authenticator_data: credential.authenticatorData,
+        signature: credential.signature,
+        user_handle: credential.userHandle,
+        ephemeral_public_key: ephemeralPublicKey
+      }),
+      skipSigning: true
+      // No token yet
+    });
+  }
+  /**
+   * Authenticate with password
+   *
+   * Automatically sends the ephemeral public key for binding.
+   */
+  async authenticatePassword(request) {
+    const ephemeralPublicKey = await this.keyManager.getPublicKey();
+    return this.request("/api/auth/password", {
+      method: "POST",
+      body: JSON.stringify({
+        ...request,
+        ephemeral_public_key: ephemeralPublicKey
+      }),
+      skipSigning: true
+      // No token yet
+    });
+  }
+  /**
+   * Refresh an authentication token
+   *
+   * Generates a new ephemeral key pair and binds it to the new token.
+   */
+  async refreshToken(token) {
+    await this.keyManager.rotate();
+    const ephemeralPublicKey = await this.keyManager.getPublicKey();
+    return this.request("/api/auth/refresh", {
+      method: "POST",
+      token,
+      body: JSON.stringify({
+        ephemeral_public_key: ephemeralPublicKey
+      }),
+      skipSigning: true
+      // Use old token, but send new key
+    });
+  }
+  /**
+   * Logout and invalidate token
+   *
+   * Clears the ephemeral key pair.
+   */
+  async logout(token) {
+    await this.request("/api/auth/logout", {
+      method: "POST",
+      token,
+      skipSigning: true
+    });
+    await this.keyManager.clear();
+  }
+  /**
+   * Get account information (signed request)
+   */
+  async getAccountInfo(accountId, token) {
+    return this.request(`/api/accounts/${accountId}`, {
+      method: "GET",
+      token,
+      skipSigning: true
+    });
+  }
+  /**
+   * Get extended account information (signed request)
+   */
+  async getAccountInfoExtended(accountId, token) {
+    return this.request(
+      `/api/accounts/${accountId}`,
+      {
+        method: "GET",
+        token,
+        skipSigning: true
+      }
+    );
+  }
+  /**
+   * Sign an EVM transaction hash (signed request)
+   */
+  async signEvmTransaction(request, token) {
+    return this.request("/api/sign/evm", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Sign an EVM transaction hash with 2FA (signed request)
+   */
+  async signEvmTransactionWith2FA(request, token) {
+    return this.request("/api/sign/evm", {
+      method: "POST",
+      token,
+      body: JSON.stringify(request)
+    });
+  }
+  /**
+   * Sign a raw hash for EVM (signed request)
+   */
+  async signHash(hash, chainId, token) {
+    const response = await this.signEvmTransaction(
+      { tx_hash: hash, chain_id: chainId },
+      token
+    );
+    return response.signature.full;
+  }
+  /**
+   * Add password to account (signed request)
+   */
+  async addPassword(accountId, request, token) {
+    return this.request(
+      `/api/accounts/${accountId}/password`,
+      {
+        method: "POST",
+        token,
+        body: JSON.stringify(request)
+      }
+    );
+  }
+  /**
+   * Add passkey to account (signed request)
+   */
+  async addPasskey(accountId, request, token) {
+    return this.request(
+      `/api/accounts/${accountId}/passkeys`,
+      {
+        method: "POST",
+        token,
+        body: JSON.stringify(request)
+      }
+    );
+  }
+  /**
+   * Remove passkey from account (signed request)
+   */
+  async removePasskey(accountId, passkeyIndex, token) {
+    return this.request(
+      `/api/accounts/${accountId}/passkeys/${passkeyIndex}`,
+      {
+        method: "DELETE",
+        token,
+        body: JSON.stringify({ passkey_index: passkeyIndex })
+      }
+    );
+  }
+  /**
+   * Create account with passkey (public endpoint, no signing)
+   */
+  async createAccountWithPasskey(attestationObject, label) {
+    const body = {
+      attestation_object: attestationObject
+    };
+    if (label) {
+      body.label = label;
+    }
+    return this.request("/api/accounts/create/passkey", {
+      method: "POST",
+      body: JSON.stringify(body),
+      skipSigning: true
+    });
+  }
+  /**
+   * Create account with password (public endpoint, no signing)
+   */
+  async createAccountWithPassword(request) {
+    return this.request("/api/accounts/create/password", {
+      method: "POST",
+      body: JSON.stringify(request),
+      skipSigning: true
+    });
+  }
+  /**
+   * Health check (public endpoint)
+   */
+  async healthCheck() {
+    try {
+      const response = await this.request("/api/health", {
+        method: "GET",
+        skipSigning: true
+      });
+      return response.status === "ok";
+    } catch {
+      return false;
+    }
+  }
+};
+function createSecureClient(options) {
+  return new SecureKentuckySignerClient(options);
+}
+
 // src/auth.ts
 function isWebAuthnAvailable() {
   return typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator.credentials !== "undefined";
@@ -582,7 +1494,8 @@ async function authenticateWithPasskey(options) {
   const passkeyCredential = credentialToPasskey(credential);
   const authResponse = await client.authenticatePasskey(
     options.accountId,
-    passkeyCredential
+    passkeyCredential,
+    options.ephemeralPublicKey
   );
   const accountInfo = await client.getAccountInfo(
     options.accountId,
@@ -670,6 +1583,7 @@ async function registerPasskey(options) {
     credentialId: base64UrlEncode(new Uint8Array(credential.rawId)),
     clientDataJSON: base64UrlEncode(new Uint8Array(response.clientDataJSON)),
     authenticatorData: base64UrlEncode(new Uint8Array(response.getAuthenticatorData())),
+    attestationObject: base64UrlEncode(new Uint8Array(response.attestationObject)),
     signature: "",
     // Not applicable for registration
     publicKey: base64UrlEncode(new Uint8Array(publicKeyBytes))
@@ -692,10 +1606,14 @@ async function refreshSessionIfNeeded(session, baseUrl, bufferMs = 6e4) {
 }
 async function authenticateWithPassword(options) {
   const client = new KentuckySignerClient({ baseUrl: options.baseUrl });
-  const authResponse = await client.authenticatePassword({
+  const authRequest = {
     account_id: options.accountId,
     password: options.password
-  });
+  };
+  if (options.ephemeralPublicKey) {
+    authRequest.ephemeral_public_key = options.ephemeralPublicKey;
+  }
+  const authResponse = await client.authenticatePassword(authRequest);
   const accountInfo = await client.getAccountInfo(
     options.accountId,
     authResponse.token
@@ -731,10 +1649,14 @@ async function createAccountWithPassword(options) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  EphemeralKeyManager,
+  IndexedDBEphemeralKeyStorage,
   KentuckySignerClient,
   KentuckySignerError,
   LocalStorageTokenStorage,
+  MemoryEphemeralKeyStorage,
   MemoryTokenStorage,
+  SecureKentuckySignerClient,
   authenticateWithPasskey,
   authenticateWithPassword,
   authenticateWithToken,
@@ -744,17 +1666,22 @@ async function createAccountWithPassword(options) {
   createAccountWithPassword,
   createClient,
   createKentuckySignerAccount,
+  createSecureClient,
   createServerAccount,
   formatError,
+  generateEphemeralKeyPair,
   getJwtExpiration,
   hexToBytes,
   isSessionValid,
   isValidAccountId,
   isValidEvmAddress,
   isWebAuthnAvailable,
+  isWebCryptoAvailable,
   parseJwt,
   refreshSessionIfNeeded,
   registerPasskey,
+  signPayload,
+  verifyPayload,
   withRetry
 });
 //# sourceMappingURL=index.js.map