ox 0.13.2 → 0.14.0

package/tempo/SignatureEnvelope.test.ts

@@ -50,16 +50,19 @@ const signature_webauthn = SignatureEnvelope.from({
 const signature_keychain_secp256k1 = SignatureEnvelope.from({
   userAddress: '0x1234567890123456789012345678901234567890',
   inner: SignatureEnvelope.from(signature_secp256k1),
+  version: 'v2',
 })
 
 const signature_keychain_p256 = SignatureEnvelope.from({
   userAddress: '0xabcdefabcdefabcdefabcdefabcdefabcdefabcd',
   inner: signature_p256,
+  version: 'v2',
 })
 
 const signature_keychain_webauthn = SignatureEnvelope.from({
   userAddress: '0xfedcbafedcbafedcbafedcbafedcbafedcbafedc',
   inner: signature_webauthn,
+  version: 'v2',
 })
 
 describe('assert', () => {
@@ -509,7 +512,7 @@ describe('deserialize', () => {
         SignatureEnvelope.deserialize('0xdeadbeef'),
       ).toThrowErrorMatchingInlineSnapshot(
         `
-        [SignatureEnvelope.InvalidSerializedError: Unable to deserialize signature envelope: Unknown signature type identifier: 0xde. Expected 0x01 (P256) or 0x02 (WebAuthn)
+        [SignatureEnvelope.InvalidSerializedError: Unable to deserialize signature envelope: Unknown signature type identifier: 0xde. Expected 0x01 (P256), 0x02 (WebAuthn), 0x03 (Keychain V1), or 0x04 (Keychain V2)
 
         Serialized: 0xdeadbeef]
       `,
@@ -669,7 +672,7 @@ describe('deserialize', () => {
         SignatureEnvelope.deserialize(unknownType),
       ).toThrowErrorMatchingInlineSnapshot(
         `
-        [SignatureEnvelope.InvalidSerializedError: Unable to deserialize signature envelope: Unknown signature type identifier: 0xff. Expected 0x01 (P256) or 0x02 (WebAuthn)
+        [SignatureEnvelope.InvalidSerializedError: Unable to deserialize signature envelope: Unknown signature type identifier: 0xff. Expected 0x01 (P256), 0x02 (WebAuthn), 0x03 (Keychain V1), or 0x04 (Keychain V2)
 
         Serialized: 0xff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000]
       `,
@@ -712,6 +715,7 @@ describe('deserialize', () => {
           },
           "type": "keychain",
           "userAddress": "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd",
+          "version": "v2",
         }
       `)
     })
@@ -742,6 +746,7 @@ describe('deserialize', () => {
           },
           "type": "keychain",
           "userAddress": "0xfedcbafedcbafedcbafedcbafedcbafedcbafedc",
+          "version": "v2",
         }
       `)
     })
@@ -1250,8 +1255,8 @@ describe('serialize', () => {
       // Should be: 1 (type) + 20 (address) + 65 (secp256k1 signature)
       expect(Hex.size(serialized)).toBe(1 + 20 + 65)
 
-      // First byte should be Keychain type identifier (0x03)
-      expect(Hex.slice(serialized, 0, 1)).toBe('0x03')
+      // First byte should be Keychain V2 type identifier (0x04)
+      expect(Hex.slice(serialized, 0, 1)).toBe('0x04')
 
       // Next 20 bytes should be the user address (without '0x')
       expect(Hex.slice(serialized, 1, 21)).toBe(
@@ -1265,8 +1270,8 @@ describe('serialize', () => {
       // Should be: 1 (type) + 20 (address) + 130 (p256 signature with type)
       expect(Hex.size(serialized)).toBe(1 + 20 + 130)
 
-      // First byte should be Keychain type identifier (0x03)
-      expect(Hex.slice(serialized, 0, 1)).toBe('0x03')
+      // First byte should be Keychain V2 type identifier (0x04)
+      expect(Hex.slice(serialized, 0, 1)).toBe('0x04')
 
       // Next 20 bytes should be the user address (without '0x')
       expect(Hex.slice(serialized, 1, 21)).toBe(
@@ -1284,8 +1289,8 @@ describe('serialize', () => {
         signature_keychain_webauthn,
       )
 
-      // First byte should be Keychain type identifier (0x03)
-      expect(Hex.slice(serialized, 0, 1)).toBe('0x03')
+      // First byte should be Keychain V2 type identifier (0x04)
+      expect(Hex.slice(serialized, 0, 1)).toBe('0x04')
 
       // Should contain the user address
       expect(Hex.slice(serialized, 1, 21)).toBe(
@@ -1519,6 +1524,7 @@ describe('serialize', () => {
             },
             "type": "keychain",
             "userAddress": "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd",
+            "version": "v2",
           }
         `)
       })
@@ -1549,6 +1555,7 @@ describe('serialize', () => {
             },
             "type": "keychain",
             "userAddress": "0xfedcbafedcbafedcbafedcbafedcbafedcbafedc",
+            "version": "v2",
           }
         `)
       })

package/tempo/SignatureEnvelope.ts

@@ -22,6 +22,7 @@ import * as ox_WebAuthnP256 from '../core/WebAuthnP256.js'
 const serializedP256Type = '0x01'
 const serializedWebAuthnType = '0x02'
 const serializedKeychainType = '0x03'
+const serializedKeychainV2Type = '0x04'
 
 /** Serialized magic identifier for Tempo signature envelopes. */
 export const magicBytes =
@@ -86,9 +87,10 @@ export type GetType<
  *   and clientDataJSON. Enables browser passkey authentication. The signature is also
  *   charged as calldata (16 gas/non-zero byte, 4 gas/zero byte).
  *
- * - **keychain** (type `0x03`): Access key signature that wraps an inner signature (secp256k1,
- *   p256, or webAuthn). Format: `0x03` + user_address (20 bytes) + inner signature. The
- *   protocol validates the access key authorization via the AccountKeychain precompile.
+ * - **keychain** (type `0x03` V1, `0x04` V2): Access key signature that wraps an inner signature
+ *   (secp256k1, p256, or webAuthn). Format: type byte + user_address (20 bytes) + inner signature.
+ *   V2 binds the signature to the user account via `keccak256(sigHash || userAddress)`.
+ *   The protocol validates the access key authorization via the AccountKeychain precompile.
  *
  * [Signature Types Specification](https://docs.tempo.xyz/protocol/transactions/spec-tempo-transaction#signature-types)
  */
@@ -106,18 +108,30 @@ export type SignatureEnvelopeRpc = OneOf<
   Secp256k1Rpc | P256Rpc | WebAuthnRpc | KeychainRpc
 >
 
+/**
+ * Keychain signature version.
+ *
+ * - `'v1'`: Legacy format. Inner signature signs the raw `sig_hash` directly. Deprecated at T1C.
+ * - `'v2'`: Inner signature signs `keccak256(sig_hash || user_address)`, binding the signature
+ *   to the specific user account.
+ */
+export type KeychainVersion = 'v1' | 'v2'
+
 export type Keychain<bigintType = bigint, numberType = number> = {
   /** Root account address that this transaction is being executed for */
   userAddress: Address.Address
   /** The actual signature from the access key (can be Secp256k1, P256, or WebAuthn) */
   inner: SignatureEnvelope<bigintType, numberType>
   type: 'keychain'
+  /** Keychain signature version. @default 'v1' */
+  version?: KeychainVersion | undefined
 }
 
 export type KeychainRpc = {
   type: 'keychain'
   userAddress: Address.Address
   signature: SignatureEnvelopeRpc
+  version?: KeychainVersion | undefined
 }
 
 export type P256<bigintType = bigint, numberType = number> = {
@@ -389,7 +403,8 @@ export declare namespace extractPublicKey {
  * - 65 bytes (no prefix): secp256k1 signature
  * - Type `0x01` + 129 bytes: P256 signature (r, s, pubKeyX, pubKeyY, prehash)
  * - Type `0x02` + variable: WebAuthn signature (webauthnData, r, s, pubKeyX, pubKeyY)
- * - Type `0x03` + 20 bytes + inner: Keychain signature (userAddress + inner signature)
+ * - Type `0x03` + 20 bytes + inner: Keychain V1 signature (userAddress + inner signature)
+ * - Type `0x04` + 20 bytes + inner: Keychain V2 signature (userAddress + inner signature)
  *
  * [Signature Types](https://docs.tempo.xyz/protocol/transactions/spec-tempo-transaction#signature-types)
  *
@@ -510,7 +525,10 @@ export function deserialize(value: Serialized): SignatureEnvelope {
     } satisfies WebAuthn
   }
 
-  if (typeId === serializedKeychainType) {
+  if (
+    typeId === serializedKeychainType ||
+    typeId === serializedKeychainV2Type
+  ) {
     const userAddress = Hex.slice(data, 0, 20)
     const inner = deserialize(Hex.slice(data, 20))
 
@@ -518,11 +536,12 @@ export function deserialize(value: Serialized): SignatureEnvelope {
       userAddress,
       inner,
       type: 'keychain',
+      version: typeId === serializedKeychainV2Type ? 'v2' : 'v1',
     } satisfies Keychain
   }
 
   throw new InvalidSerializedError({
-    reason: `Unknown signature type identifier: ${typeId}. Expected ${serializedP256Type} (P256) or ${serializedWebAuthnType} (WebAuthn)`,
+    reason: `Unknown signature type identifier: ${typeId}. Expected ${serializedP256Type} (P256), ${serializedWebAuthnType} (WebAuthn), ${serializedKeychainType} (Keychain V1), or ${serializedKeychainV2Type} (Keychain V2)`,
     serialized,
   })
 }
@@ -660,6 +679,15 @@ export function from<const value extends from.Value>(
   return {
     ...value,
     ...(type === 'p256' ? { prehash: value.prehash } : {}),
+    ...(type === 'keychain' &&
+    !(
+      typeof value === 'object' &&
+      value !== null &&
+      'version' in value &&
+      value.version
+    )
+      ? { version: 'v1' }
+      : {}),
     type,
   } as never
 }
@@ -778,6 +806,7 @@ export function fromRpc(envelope: SignatureEnvelopeRpc): SignatureEnvelope {
       type: 'keychain',
       userAddress: envelope.userAddress,
       inner: fromRpc(envelope.signature),
+      ...(envelope.version ? { version: envelope.version } : {}),
     }
 
   throw new CoercionError({ envelope })
@@ -868,7 +897,8 @@ export function getType<
  * - secp256k1: 65 bytes (no type prefix, for backward compatibility)
  * - P256: `0x01` + r (32) + s (32) + pubKeyX (32) + pubKeyY (32) + prehash (1) = 130 bytes
  * - WebAuthn: `0x02` + webauthnData (variable) + r (32) + s (32) + pubKeyX (32) + pubKeyY (32)
- * - Keychain: `0x03` + userAddress (20) + inner signature (recursive)
+ * - Keychain V1: `0x03` + userAddress (20) + inner signature (recursive)
+ * - Keychain V2: `0x04` + userAddress (20) + inner signature (recursive)
  *
  * [Signature Types](https://docs.tempo.xyz/protocol/transactions/spec-tempo-transaction#signature-types)
  *
@@ -936,8 +966,12 @@ export function serialize(
 
   if (type === 'keychain') {
     const keychain = envelope as Keychain
+    const keychainTypeId =
+      keychain.version === 'v1'
+        ? serializedKeychainType
+        : serializedKeychainV2Type
     return Hex.concat(
-      serializedKeychainType,
+      keychainTypeId,
       keychain.userAddress,
       serialize(keychain.inner),
       options.magic ? magicBytes : '0x',
@@ -1019,6 +1053,7 @@ export function toRpc(envelope: SignatureEnvelope): SignatureEnvelopeRpc {
       type: 'keychain',
       userAddress: keychain.userAddress,
       signature: toRpc(keychain.inner),
+      ...(keychain.version ? { version: keychain.version } : {}),
     }
   }
 

package/tempo/TempoAddress.test.ts

@@ -1,4 +1,4 @@
-import { Address } from 'ox'
+import { Address, Bech32m } from 'ox'
 import { TempoAddress } from 'ox/tempo'
 import { describe, expect, test } from 'vitest'
 
@@ -9,27 +9,31 @@ const rawAddress = Address.checksum(
 describe('format', () => {
   test('mainnet address', () => {
     expect(TempoAddress.format(rawAddress)).toMatchInlineSnapshot(
-      `"tempo1wskntnrxxnq9x2f95wuyf0y7wk2l90fg8zd8djs"`,
+      `"tempo1qp6z6dwvvc6vq5efyk3ms39une6etu4a9qtj2kk0"`,
     )
   })
 
   test('zone address (zone ID = 1)', () => {
     expect(
       TempoAddress.format(rawAddress, { zoneId: 1 }),
-    ).toMatchInlineSnapshot(`"tempoz1q96z6dwvvc6vq5efyk3ms39une6etu4a9zeqtx3q"`)
+    ).toMatchInlineSnapshot(
+      `"tempoz1qqqhgtf4e3nrfszn9yj68wzyhj08t90jh55q74d9uj"`,
+    )
   })
 
   test('zone address (zone ID = 252)', () => {
     expect(
       TempoAddress.format(rawAddress, { zoneId: 252 }),
-    ).toMatchInlineSnapshot(`"tempoz1l36z6dwvvc6vq5efyk3ms39une6etu4a9z8vgw44"`)
+    ).toMatchInlineSnapshot(
+      `"tempoz1qr78gtf4e3nrfszn9yj68wzyhj08t90jh55q9k62jd"`,
+    )
   })
 
   test('zone address (zone ID = 253)', () => {
     expect(
       TempoAddress.format(rawAddress, { zoneId: 253 }),
     ).toMatchInlineSnapshot(
-      `"tempoz1lh7sqapdxhxxvdxq2v5jtgacgj7fuav4727jsx0032us"`,
+      `"tempoz1qr7l6qr5956uce35cpfjjfdrhpzte8n4jhet62q0j8hus"`,
     )
   })
 
@@ -37,7 +41,7 @@ describe('format', () => {
     expect(
       TempoAddress.format(rawAddress, { zoneId: 65535 }),
     ).toMatchInlineSnapshot(
-      `"tempoz1lhll7apdxhxxvdxq2v5jtgacgj7fuav4727j37cldu7q"`,
+      `"tempoz1qr7lllm5956uce35cpfjjfdrhpzte8n4jhet62q8pdj6j"`,
     )
   })
 
@@ -45,7 +49,7 @@ describe('format', () => {
     expect(
       TempoAddress.format(rawAddress, { zoneId: 65536 }),
     ).toMatchInlineSnapshot(
-      `"tempoz1lcqqqqgqwskntnrxxnq9x2f95wuyf0y7wk2l90fga965qjc"`,
+      `"tempoz1qrlqqqqpqp6z6dwvvc6vq5efyk3ms39une6etu4a9qdupk5c"`,
     )
   })
 
@@ -53,7 +57,7 @@ describe('format', () => {
     expect(
       TempoAddress.format(rawAddress, { zoneId: 4294967295 }),
     ).toMatchInlineSnapshot(
-      `"tempoz1lmllllllwskntnrxxnq9x2f95wuyf0y7wk2l90fgxg58ulq"`,
+      `"tempoz1qrl0llllla6z6dwvvc6vq5efyk3ms39une6etu4a9qnk36qy"`,
     )
   })
 
@@ -61,7 +65,7 @@ describe('format', () => {
     expect(
       TempoAddress.format(rawAddress, { zoneId: BigInt('4294967296') }),
     ).toMatchInlineSnapshot(
-      `"tempoz1luqqqqqqqyqqqqr5956uce35cpfjjfdrhpzte8n4jhet62pnyj7cc"`,
+      `"tempoz1qrlsqqqqqqqsqqqqwskntnrxxnq9x2f95wuyf0y7wk2l90fg4306kk"`,
     )
   })
 
@@ -69,6 +73,28 @@ describe('format', () => {
     const result = TempoAddress.format(rawAddress)
     expect(result).toBe(result.toLowerCase())
   })
+
+  test('spec test vectors', () => {
+    expect(TempoAddress.format(rawAddress)).toBe(
+      'tempo1qp6z6dwvvc6vq5efyk3ms39une6etu4a9qtj2kk0',
+    )
+    expect(TempoAddress.format(rawAddress, { zoneId: 1 })).toBe(
+      'tempoz1qqqhgtf4e3nrfszn9yj68wzyhj08t90jh55q74d9uj',
+    )
+    expect(TempoAddress.format(rawAddress, { zoneId: 1000 })).toBe(
+      'tempoz1qr77sqm5956uce35cpfjjfdrhpzte8n4jhet62qxx4zvx',
+    )
+    expect(TempoAddress.format(rawAddress, { zoneId: 100000 })).toBe(
+      'tempoz1qrl2ppspqp6z6dwvvc6vq5efyk3ms39une6etu4a9qg5477g',
+    )
+  })
+
+  test('address lengths match spec', () => {
+    expect(TempoAddress.format(rawAddress).length).toBe(46)
+    expect(TempoAddress.format(rawAddress, { zoneId: 1 }).length).toBe(49)
+    expect(TempoAddress.format(rawAddress, { zoneId: 1000 }).length).toBe(52)
+    expect(TempoAddress.format(rawAddress, { zoneId: 100000 }).length).toBe(55)
+  })
 })
 
 describe('parse', () => {
@@ -144,17 +170,26 @@ describe('parse', () => {
     `)
   })
 
-  test('case insensitive', () => {
+  test('all uppercase', () => {
     const encoded = TempoAddress.format(rawAddress)
-    const upper = encoded.slice(0, 6) + encoded.slice(6).toUpperCase()
+    const upper = encoded.toUpperCase()
     expect(TempoAddress.parse(upper).address).toBe(rawAddress)
   })
 
   test('error: invalid prefix', () => {
+    const encoded = Bech32m.encode('bitcoin', new Uint8Array(20))
     expect(() =>
-      TempoAddress.parse('bitcoin1abc'),
+      TempoAddress.parse(encoded),
     ).toThrowErrorMatchingInlineSnapshot(
-      `[TempoAddress.InvalidPrefixError: Tempo address "bitcoin1abc" has an invalid prefix. Expected "tempo1" or "tempoz1".]`,
+      `[TempoAddress.InvalidPrefixError: Tempo address "${encoded}" has an invalid prefix. Expected "tempo1" or "tempoz1".]`,
+    )
+  })
+
+  test('error: unsupported version', () => {
+    const data = new Uint8Array([0x01, ...new Uint8Array(20)])
+    const encoded = Bech32m.encode('tempo', data)
+    expect(() => TempoAddress.parse(encoded)).toThrow(
+      TempoAddress.InvalidVersionError,
     )
   })
 
@@ -174,7 +209,7 @@ describe('parse', () => {
     expect(() =>
       TempoAddress.parse(swapped),
     ).toThrowErrorMatchingInlineSnapshot(
-      `[TempoAddress.InvalidLengthError: Tempo address "${swapped}" has an invalid payload length. Expected 24 bytes, got 23.]`,
+      `[TempoAddress.InvalidChecksumError: Tempo address "tempoz1qp6z6dwvvc6vq5efyk3ms39une6etu4a9qtj2kk0" has an invalid checksum.]`,
     )
   })
 })

package/tempo/TempoAddress.ts

@@ -1,9 +1,8 @@
 import * as Address from '../core/Address.js'
-import * as Base32 from '../core/Base32.js'
+import * as Bech32m from '../core/Bech32m.js'
 import * as Bytes from '../core/Bytes.js'
 import * as CompactSize from '../core/CompactSize.js'
 import * as Errors from '../core/Errors.js'
-import * as Hash from '../core/Hash.js'
 import * as Hex from '../core/Hex.js'
 
 /** Root type for a Tempo Address. */
@@ -17,7 +16,7 @@ export type TempoAddress = `tempo1${string}` | `tempoz1${string}`
  * import { TempoAddress } from 'ox/tempo'
  *
  * const address = TempoAddress.format('0x742d35Cc6634C0532925a3b844Bc9e7595f2bD28')
- * // @log: 'tempo1wskntnrxxnq9x2f95wuyf0y7wk2l90fg8zd8djs'
+ * // @log: 'tempo1qp6z6dwvvc6vq5efyk3ms39une6etu4a9qtj2kk0'
  * ```
  *
  * @example
@@ -29,7 +28,7 @@ export type TempoAddress = `tempo1${string}` | `tempoz1${string}`
  *   '0x742d35Cc6634C0532925a3b844Bc9e7595f2bD28',
  *   { zoneId: 1 },
  * )
- * // @log: 'tempoz1q96z6dwvvc6vq5efyk3ms39une6etu4a9zeqtx3q'
+ * // @log: 'tempoz1qqqhgtf4e3nrfszn9yj68wzyhj08t90jh55q74d9uj'
  * ```
  *
  * @param address - The raw 20-byte Ethereum address.
@@ -42,23 +41,18 @@ export function format(
 ): TempoAddress {
   const { zoneId } = options
 
-  const prefix = zoneId != null ? 'tempoz1' : 'tempo1'
+  const hrp = zoneId != null ? 'tempoz' : 'tempo'
+  const version = new Uint8Array([0x00])
   const zone = zoneId != null ? CompactSize.toBytes(zoneId) : new Uint8Array()
-  const address_bytes = Bytes.fromHex(address)
+  const data = Bytes.concat(version, zone, Bytes.fromHex(address))
 
-  const input = Bytes.concat(Bytes.fromString(prefix), zone, address_bytes)
-  const checksum = Hash.sha256(Hash.sha256(input, { as: 'Bytes' }), {
-    as: 'Bytes',
-  }).slice(0, 4)
-
-  const payload = Bytes.concat(zone, address_bytes, checksum)
-  return `${prefix}${Base32.fromBytes(payload)}` as TempoAddress
+  return Bech32m.encode(hrp, data) as TempoAddress
 }
 
 export declare namespace format {
   type Options = {
     /** Zone ID for zone addresses. */
-    zoneId?: bigint | number | undefined
+    zoneId?: number | bigint | undefined
   }
 
   type ErrorType = Errors.GlobalErrorType
@@ -73,9 +67,9 @@ export declare namespace format {
  * import { TempoAddress } from 'ox/tempo'
  *
  * const result = TempoAddress.parse(
- *   'tempo1wst8d6qejxtdg4y5r3zarvary0c5xw7kvmgh8pm',
+ *   'tempo1qp6z6dwvvc6vq5efyk3ms39une6etu4a9qtj2kk0',
  * )
- * // { address: '0x742d35Cc6634C0532925a3b844Bc9e7595f2bD28' }
+ * // @log: { address: '0x742d35CC6634c0532925a3B844bc9e7595F2Bd28', zoneId: undefined }
  * ```
  *
  * @example
@@ -84,66 +78,54 @@ export declare namespace format {
  * import { TempoAddress } from 'ox/tempo'
  *
  * const result = TempoAddress.parse(
- *   'tempoz1qwst8d6qejxtdg4y5r3zarvary0c5xw7kvmgh8pm',
+ *   'tempoz1qqqhgtf4e3nrfszn9yj68wzyhj08t90jh55q74d9uj',
  * )
- * // { address: '0x742d35Cc6634C0532925a3b844Bc9e7595f2bD28', zoneId: 1 }
+ * // @log: { address: '0x742d35CC6634c0532925a3B844bc9e7595F2Bd28', zoneId: 1 }
  * ```
  *
  * @param tempoAddress - The Tempo address string to parse.
  * @returns The parsed raw address and optional zone ID.
  */
 export function parse(tempoAddress: string): parse.ReturnType {
-  const lower = tempoAddress.toLowerCase()
-
-  let prefix: string
-  let hasZone: boolean
-  if (lower.startsWith('tempoz1')) {
-    prefix = 'tempoz1'
-    hasZone = true
-  } else if (lower.startsWith('tempo1')) {
-    prefix = 'tempo1'
-    hasZone = false
-  } else {
-    throw new InvalidPrefixError({ address: tempoAddress })
+  let hrp: string
+  let data: Uint8Array
+  try {
+    const decoded = Bech32m.decode(tempoAddress)
+    hrp = decoded.hrp
+    data = decoded.data
+  } catch {
+    throw new InvalidChecksumError({ address: tempoAddress })
   }
 
-  const payload = Base32.toBytes(lower.slice(prefix.length))
+  if (hrp !== 'tempo' && hrp !== 'tempoz')
+    throw new InvalidPrefixError({ address: tempoAddress })
+
+  if (data.length < 1 || data[0] !== 0x00)
+    throw new InvalidVersionError({
+      address: tempoAddress,
+      version: data.length > 0 ? data[0]! : undefined,
+    })
+
+  const payload = data.slice(1)
 
-  let zoneId: bigint | undefined
-  let remaining: Uint8Array
-  if (hasZone) {
+  let zoneId: number | bigint | undefined
+  let rawAddress: Uint8Array
+  if (hrp === 'tempoz') {
     const { value, size } = CompactSize.fromBytes(payload)
     zoneId = value
-    remaining = payload.slice(size)
+    rawAddress = payload.slice(size)
   } else {
     zoneId = undefined
-    remaining = payload
+    rawAddress = payload
   }
 
-  if (remaining.length !== 24)
+  if (rawAddress.length !== 20)
     throw new InvalidLengthError({
       address: tempoAddress,
-      expected: 24,
-      actual: remaining.length,
+      expected: 20,
+      actual: rawAddress.length,
     })
 
-  const rawAddress = remaining.slice(0, 20)
-  const checksum = remaining.slice(20, 24)
-
-  const zoneBytes =
-    zoneId != null ? CompactSize.toBytes(zoneId) : new Uint8Array()
-  const checksumInput = Bytes.concat(
-    Bytes.fromString(prefix),
-    zoneBytes,
-    rawAddress,
-  )
-  const expected = Hash.sha256(Hash.sha256(checksumInput, { as: 'Bytes' }), {
-    as: 'Bytes',
-  }).slice(0, 4)
-
-  if (!Bytes.isEqual(checksum, expected))
-    throw new InvalidChecksumError({ address: tempoAddress })
-
   const address = Address.checksum(Hex.fromBytes(rawAddress) as Address.Address)
 
   return { address, zoneId }
@@ -154,11 +136,12 @@ export declare namespace parse {
     /** The raw 20-byte Ethereum address. */
     address: Address.Address
     /** The zone ID, or `undefined` for mainnet addresses. */
-    zoneId: bigint | undefined
+    zoneId: number | bigint | undefined
   }
 
   type ErrorType =
     | InvalidPrefixError
+    | InvalidVersionError
     | InvalidLengthError
     | InvalidChecksumError
     | Errors.GlobalErrorType
@@ -172,9 +155,9 @@ export declare namespace parse {
  * import { TempoAddress } from 'ox/tempo'
  *
  * const valid = TempoAddress.validate(
- *   'tempo1wst8d6qejxtdg4y5r3zarvary0c5xw7kvmgh8pm',
+ *   'tempo1qp6z6dwvvc6vq5efyk3ms39une6etu4a9qtj2kk0',
  * )
- * // true
+ * // @log: true
  * ```
  *
  * @param tempoAddress - The Tempo address string to validate.
@@ -200,6 +183,20 @@ export class InvalidPrefixError extends Errors.BaseError {
   }
 }
 
+/** Thrown when a Tempo address has an unsupported version byte. */
+export class InvalidVersionError extends Errors.BaseError {
+  override readonly name = 'TempoAddress.InvalidVersionError'
+
+  constructor({
+    address,
+    version,
+  }: { address: string; version: number | undefined }) {
+    super(
+      `Tempo address "${address}" has unsupported version ${version === undefined ? '(missing)' : `0x${version.toString(16).padStart(2, '0')}`}. Only version 0x00 is supported.`,
+    )
+  }
+}
+
 /** Thrown when a Tempo address has an invalid payload length. */
 export class InvalidLengthError extends Errors.BaseError {
   override readonly name = 'TempoAddress.InvalidLengthError'

package/tempo/Transaction.test.ts

@@ -164,6 +164,7 @@ describe('fromRpc', () => {
         },
       ],
       keyAuthorization: {
+        chainId: '0x1',
         expiry: '0xffffffffffff',
         keyId: '0xbe95c3f554e9fc85ec51be69a3d807a0d55bcf2c',
         keyType: 'secp256k1',
@@ -224,7 +225,7 @@ describe('fromRpc', () => {
         "hash": "0x353fdfc38a2f26115daadee9f5b8392ce62b84f410957967e2ed56b35338cdd0",
         "keyAuthorization": {
           "address": "0xbe95c3f554e9fc85ec51be69a3d807a0d55bcf2c",
-          "chainId": 0n,
+          "chainId": 1n,
           "expiry": 281474976710655,
           "limits": [
             {
@@ -431,6 +432,7 @@ describe('toRpc', () => {
       data: undefined,
       keyAuthorization: {
         address: '0xbe95c3f554e9fc85ec51be69a3d807a0d55bcf2c',
+        chainId: 1n,
         expiry: 281474976710655,
         type: 'secp256k1',
         limits: [
@@ -487,7 +489,7 @@ describe('toRpc', () => {
         "hash": "0x353fdfc38a2f26115daadee9f5b8392ce62b84f410957967e2ed56b35338cdd0",
         "input": undefined,
         "keyAuthorization": {
-          "chainId": "0x",
+          "chainId": "0x1",
           "expiry": "0xffffffffffff",
           "keyId": "0xbe95c3f554e9fc85ec51be69a3d807a0d55bcf2c",
           "keyType": "secp256k1",