@shroud-fi/core

secp256k1 stealth-address identity layer for the ShroudFi privacy SDK.

npm i @shroud-fi/core viem

What it does

@shroud-fi/core is the identity foundation every other ShroudFi package builds on.

• Deterministic identity — derives an agent's stealth meta-address ((spendPub, scanPub)) from a single 32-byte master seed.
• EIP-5564 / 6538 primitives — canonical Base-network encoding of stealth meta-addresses (st:base:0x…), plus the secp256k1 ops used to derive one-time payment addresses.
• Constant-time + audited — built on @noble/curves (Cure53-audited) and @noble/hashes. Zero new cryptographic surface.

The same master seed yields the same meta-address whether you're using the SDK, the MCP server, or the REST API — so an agent's privacy identity is portable across runtimes.

Quick start

import { deriveAgentIdentity, encodeMetaAddress } from '@shroud-fi/core';

const identity = deriveAgentIdentity('0x' + 'a'.repeat(64) /* master seed */);

console.log(identity.metaAddressEncoded);
// → st:base:0x024fa9bb…

Exports

| Symbol | Purpose | |---|---| | deriveAgentIdentity(seed) | Domain-separated identity derivation from a master seed. | | encodeMetaAddress(id) | Encode spend + scan public keys into the canonical st:base:0x… wire format. | | decodeMetaAddress(s) | Parse st:base:0x… into spend + scan pubkeys. | | AgentIdentity | { spendPub, scanPub, metaAddressEncoded, deriveSpendingKey, deriveScanningKey } |

Full API reference: shroudfi.live/sdk#core

Privacy invariants

• The spending key never leaves agent runtime. No serialization, no logging, no transmission.
• The scanning key is separable — you can delegate it to a scanning service, but never log it alongside identity.
• No plaintext keys in error objects. All core errors are structured + key-free.

License

MIT — see LICENSE.

Part of the ShroudFi privacy SDK for AI agents on Base.