4 changes: 2 additions & 2 deletions .size-limit.json
Expand Up @@ -2,12 +2,12 @@
{
"name": "@zama-fhe/sdk (ESM)",
"path": "packages/sdk/dist/esm/**/*.js",
"limit": "49 KB"
"limit": "6 MB"
},
{
"name": "@zama-fhe/sdk (CJS)",
"path": "packages/sdk/dist/cjs/**/*.cjs",
"limit": "40 KB"
"limit": "2 MB"
},
{
"name": "@zama-fhe/react-sdk (all JS)",
Expand Down
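Review bot: The new ESM and CJS limits (`"limit": "6 MB"` and `"limit": "2 MB"`) are roughly 125 times and 50 times the old 49 KB and 40 KB budgets, so this check will no longer catch an ordinary size regression in the SDK's own JavaScript. If the growth comes from a dependency or WASM payload that is now bundled, give that payload its own size-limit entry and keep a tight budget on the SDK code, with each limit set close to the measured size rather than a round ceiling. The PR description should state the measured before and after sizes so the jump can be reviewed.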
1 change: 0 additions & 1 deletion SECURITY.md
Expand Up @@ -34,7 +34,6 @@ The following areas are in scope for security reports:

### Web Worker / WASM

- **CDN integrity** — WASM loaded from CDN for FHE operations
- **Worker isolation** — message passing between main thread and Web Worker

## Out of Scope
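Review bot: Removing the CDN integrity bullet leaves the "Web Worker / WASM" scope section with worker isolation only, so nothing about how the WASM itself is obtained and trusted is in scope any more. If the WASM is no longer fetched from a CDN, replace the bullet with one that names the new delivery path instead of dropping the item, so reporters can tell that tampering with the WASM is still a valid report.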
24 changes: 1 addition & 23 deletions docs/gitbook/src/concepts/security-model.md
Expand Up @@ -87,27 +87,6 @@ Wallet addresses are hashed before use as storage keys. The storage backend (Ind

</details>

## WASM bundle integrity

`RelayerWeb` loads the TFHE WASM bundle from Zama's CDN (`cdn.zama.org`). Before execution, the SDK computes a SHA-384 digest of the fetched payload and compares it to a hash pinned in the library's source code. If the hashes do not match, initialization fails with a clear error.

![WASM Bundle Integrity Check](../images/security-wasm-integrity.svg)

This protects against CDN compromise or man-in-the-middle injection of modified WASM.

Integrity checking is enabled by default. Disable it only in test environments:

```ts
const relayer = new RelayerWeb({
// ...
security: { integrityCheck: false },
});
```

{% hint style="warning" %}
Disabling integrity checks in production removes a critical defense layer. A compromised WASM bundle could exfiltrate FHE private keys or manipulate encrypted values.
{% endhint %}

## Browser security headers

### COOP/COEP headers
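Review bot: The whole "WASM bundle integrity" section is deleted with nothing in its place, so the security model no longer says where the TFHE WASM comes from or what verifies it before execution. The risk named in the removed hint (a compromised WASM bundle could exfiltrate FHE private keys or manipulate encrypted values) does not depend on the delivery mechanism. Add a short replacement section describing the new loading path and the control that now covers it, or state explicitly that the SHA-384 check was removed and why.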
Expand Down Expand Up @@ -190,8 +169,7 @@ The token is refreshed before each encrypt/decrypt call. Only POST, PUT, DELETE,
| Credential encryption | AES-256-GCM | 256-bit | Web Crypto API |
| Key derivation | PBKDF2-SHA-256 | 600,000 iterations | Web Crypto API |
| Storage key hashing | SHA-256 (truncated) | 128-bit output | Web Crypto API |
| CDN integrity | SHA-384 | -- | Web Crypto API |
| FHE encryption | TFHE | Network key | WASM (`@zama-fhe/sdk (WASM)`) |
| FHE encryption | TFHE | Network key | WASM (`@fhevm/sdk`) |
| ZK proofs | WASM prover | -- | WASM (`@zama-fhe/sdk (WASM)`) |
| Wallet signing | ECDSA secp256k1 | 256-bit | User wallet |
| Request tracking | UUID v4 | 128-bit | `crypto.randomUUID()` |
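Review bot: The FHE encryption row now names `@fhevm/sdk` as the provider, but the ZK proofs row directly below it still says `@zama-fhe/sdk (WASM)`. Confirm whether the prover moved as well and update that row in the same change, so the table does not attribute the two WASM components to different packages by accident. With the CDN integrity row gone, the table also has no entry for whatever now verifies the WASM; add one if a replacement check exists.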
105 changes: 0 additions & 105 deletions docs/gitbook/src/images/security-wasm-integrity.svg

This file was deleted.

12 changes: 5 additions & 7 deletions docs/gitbook/src/reference/sdk/RelayerWeb.md
Expand Up @@ -141,9 +141,9 @@ Without these headers, the browser blocks `SharedArrayBuffer` and the relayer fa

### security

`{ integrityCheck?: boolean; getCsrfToken?: () => string } | undefined`
`{ getCsrfToken?: () => string } | undefined`

Security options for the WASM bundle and relayer requests.
Security options for relayer requests.

```ts
const relayer = new RelayerWeb({
Expand All @@ -152,16 +152,14 @@ const relayer = new RelayerWeb({
/* ... */
},
security: {
integrityCheck: true, // SHA-384 verification of WASM bundle (default: true)
getCsrfToken: () => document.cookie.match(/csrf=(\w+)/)?.[1] ?? "",
},
});
```

| Field | Type | Description |
| ---------------- | -------------- | --------------------------------------------------- |
| `integrityCheck` | `boolean` | Verify SHA-384 of the WASM bundle. Default: `true`. |
| `getCsrfToken` | `() => string` | Returns a CSRF token to attach to relayer requests. |
| Field | Type | Description |
| -------------- | -------------- | --------------------------------------------------- |
| `getCsrfToken` | `() => string` | Returns a CSRF token to attach to relayer requests. |

## Related
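Review bot: `integrityCheck` disappears from the example and the field table without a migration note, which is a breaking change for callers that pass `security: { integrityCheck: false }`, the pattern the security-model page recommended for test environments. With the option type narrowed to `{ getCsrfToken?: () => string } | undefined`, an object literal that still carries the key will fail type checking. Add a changelog entry or a short note under this heading saying the option is gone and what, if anything, replaces it.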

12 changes: 6 additions & 6 deletions docs/llm/corpus-manifest.json
Expand Up @@ -1220,7 +1220,7 @@
"source_type": "api-report",
"category": "api-reports",
"logical_path": "packages/sdk/etc/sdk.api",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { Bytes32Hex } from '@zama-fhe/relayer-sdk/bundle'; import { ClearValueType } from '@zama-fhe/relayer-sdk/bundle'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { FheTypeName } from '@zama-fhe/relayer-sdk/bundle'; import { FhevmInstanceConfig } from '@zama-fhe/relayer-sdk/bundle'; import { Hex } from 'viem'; import { InputProofBytesType } from '@zama-fhe/relayer-sdk/bundle'; import { KeypairType } from '@zama-fhe/relayer-sdk/bundle'; import { KmsDelegatedUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { KmsUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { PublicDecryptResults } from '@zama-fhe/relayer-sdk/bundle'; import * as SDK from '@zama-fhe/relayer-sdk/bundle'; import { UserDecryptResults } from '@zama-fhe/relayer-sdk/bundle'; import { ZKProofLike } from '@zama-fhe/relayer-sdk/bundle';",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { Hex } from 'viem';",
"include_in_llms_txt": false,
"include_in_llms_full": false
},
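Review bot: Every `@zama-fhe/relayer-sdk/bundle` import drops out of the `sdk.api` description in this hunk, including `KeypairType`, `ZKProofLike` and `FhevmInstanceConfig`, which points to a change in the public type surface and not only a documentation edit. Confirm that consumers who imported these types through the SDK still have an equivalent export, and record the dependency swap in the changelog alongside the regenerated manifest.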
Expand All @@ -1232,7 +1232,7 @@
"source_type": "api-report",
"category": "api-reports",
"logical_path": "packages/sdk/etc/sdk-ethers.api",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { Bytes32Hex } from '@zama-fhe/relayer-sdk/bundle'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { EIP1193EventMap } from 'viem'; import { EIP1193Events } from 'viem'; import { EIP1193Provider } from 'viem'; import { ethers } from 'ethers'; import { Hex } from 'viem'; import { KmsDelegatedUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { KmsUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { ProviderConnectInfo } from 'viem'; import { ProviderMessage } from 'viem'; import { ProviderRpcError } from 'viem'; import { Signer } from 'ethers';",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { EIP1193EventMap } from 'viem'; import { EIP1193Events } from 'viem'; import { EIP1193Provider } from 'viem'; import { ethers } from 'ethers'; import { Hex } from 'viem'; import { ProviderConnectInfo } from 'viem'; import { ProviderMessage } from 'viem'; import { ProviderRpcError } from 'viem'; import { Signer } from 'ethers';",
"include_in_llms_txt": false,
"include_in_llms_full": false
},
Expand All @@ -1244,7 +1244,7 @@
"source_type": "api-report",
"category": "api-reports",
"logical_path": "packages/sdk/etc/sdk-node.api",
"description": "import { Address } from 'viem'; import { Bytes32Hex } from '@zama-fhe/relayer-sdk/bundle'; import { ClearValueType } from '@zama-fhe/relayer-sdk/bundle'; import { FhevmInstanceConfig } from '@zama-fhe/relayer-sdk/bundle'; import { FhevmInstanceConfig as FhevmInstanceConfig_2 } from '@zama-fhe/relayer-sdk/node'; import { Hex } from 'viem'; import { InputProofBytesType } from '@zama-fhe/relayer-sdk/bundle'; import { InputProofBytesType as InputProofBytesType_2 } from '@zama-fhe/relayer-sdk/node'; import { KeypairType } from '@zama-fhe/relayer-sdk/bundle'; import { KeypairType as KeypairType_2 } from '@zama-fhe/relayer-sdk/node'; import { KmsDelegatedUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { KmsDelegatedUserDecryptEIP712Type as KmsDelegatedUserDecryptEIP712Type_2 } from '@zama-fhe/relayer-sdk/node'; import { KmsUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { PublicDecryptResults } from '@zama-fhe/relayer-sdk/bundle'; import * as SDK from '@zama-fhe/relayer-sdk/bundle'; import { Worker as Worker_2 } from 'node:worker_threads'; import { ZKProofLike } from '@zama-fhe/relayer-sdk/bundle'; import { ZKProofLike as ZKProofLike_2 } from '@zama-fhe/relayer-sdk/node';",
"description": "import { Address } from 'viem'; import { Hex } from 'viem'; import { Worker as Worker_2 } from 'node:worker_threads';",
"include_in_llms_txt": false,
"include_in_llms_full": false
},
Expand All @@ -1256,7 +1256,7 @@
"source_type": "api-report",
"category": "api-reports",
"logical_path": "packages/sdk/etc/sdk-query.api",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { Bytes32Hex } from '@zama-fhe/relayer-sdk/bundle'; import { ClearValueType } from '@zama-fhe/relayer-sdk/bundle'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { Hex } from 'viem'; import { InputProofBytesType } from '@zama-fhe/relayer-sdk/bundle'; import { KeypairType } from '@zama-fhe/relayer-sdk/bundle'; import { KmsDelegatedUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { KmsUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { KmsUserDecryptEIP712UserArgsType } from '@zama-fhe/relayer-sdk/bundle'; import { MutationFunctionContext } from '@tanstack/query-core'; import { PublicDecryptResults } from '@zama-fhe/relayer-sdk/bundle'; import { QueryKey } from '@tanstack/query-core'; import { QueryObserverOptions } from '@tanstack/query-core'; import * as SDK from '@zama-fhe/relayer-sdk/bundle'; import { skipToken } from '@tanstack/query-core'; import { UserDecryptResults } from '@zama-fhe/relayer-sdk/bundle'; import { ZKProofLike } from '@zama-fhe/relayer-sdk/bundle';",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { Hex } from 'viem'; import { MutationFunctionContext } from '@tanstack/query-core'; import { QueryKey } from '@tanstack/query-core'; import { QueryObserverOptions } from '@tanstack/query-core'; import { skipToken } from '@tanstack/query-core';",
"include_in_llms_txt": false,
"include_in_llms_full": false
},
Expand All @@ -1268,7 +1268,7 @@
"source_type": "api-report",
"category": "api-reports",
"logical_path": "packages/sdk/etc/sdk-viem.api",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { Bytes32Hex } from '@zama-fhe/relayer-sdk/bundle'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { EIP1193Provider } from 'viem'; import { Hex } from 'viem'; import { KmsDelegatedUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { KmsUserDecryptEIP712Type } from '@zama-fhe/relayer-sdk/bundle'; import { PublicClient } from 'viem'; import { WalletClient } from 'viem';",
"description": "import { Abi } from 'viem'; import { Address } from 'viem'; import { ContractFunctionArgs } from 'viem'; import { ContractFunctionName } from 'viem'; import { ContractFunctionReturnType } from 'viem'; import { EIP1193Provider } from 'viem'; import { Hex } from 'viem'; import { PublicClient } from 'viem'; import { WalletClient } from 'viem';",
"include_in_llms_txt": false,
"include_in_llms_full": false
},
Expand All @@ -1280,7 +1280,7 @@
"source_type": "api-report",
"category": "api-reports",
"logical_path": "packages/react-sdk/etc/react-sdk.api",
"description": "import * as _$_tanstack_react_query0 from '@tanstack/react-query'; import * as _$_zama_fhe_relayer_sdk_web0 from '@zama-fhe/relayer-sdk/web'; import * as _$_zama_fhe_sdk0 from '@zama-fhe/sdk'; import * as _$react_jsx_runtime0 from 'react/jsx-runtime'; import { Address } from '@zama-fhe/sdk'; import { ApproveUnderlyingParams } from '@zama-fhe/sdk/query'; import { BatchBalancesResult } from '@zama-fhe/sdk'; import { BatchDecryptBalancesAsParams } from '@zama-fhe/sdk/query'; import { ClearValueType } from '@zama-fhe/sdk'; import { ConfidentialApproveParams } from '@zama-fhe/sdk/query'; import { ConfidentialTransferFromParams } from '@zama-fhe/sdk/query'; import { ConfidentialTransferParams } from '@zama-fhe/sdk/query'; import { CreateDelegatedUserDecryptEIP712Params } from '@zama-fhe/sdk/query'; import { CreateEIP712Params } from '@zama-fhe/sdk/query'; import { DecryptBalanceAsParams } from '@zama-fhe/sdk/query'; import { DecryptResult } from '@zama-fhe/sdk/query'; import { DelegateDecryptionParams } from '@zama-fhe/sdk/query'; import { DelegatedUserDecryptParams } from '@zama-fhe/sdk'; import { DelegationStatusData } from '@zama-fhe/sdk/query'; import { EIP712TypedData } from '@zama-fhe/sdk'; import { EncryptParams } from '@zama-fhe/sdk'; import { FinalizeUnwrapParams } from '@zama-fhe/sdk/query'; import { GenericProvider } from '@zama-fhe/sdk'; import { GenericSigner } from '@zama-fhe/sdk'; import { GenericStorage } from '@zama-fhe/sdk'; import { PaginatedResult } from '@zama-fhe/sdk'; import { PropsWithChildren } from 'react'; import { PublicKeyData } from '@zama-fhe/sdk'; import { ReadonlyToken } from '@zama-fhe/sdk'; import { RelayerSDK } from '@zama-fhe/sdk'; import { ResumeUnshieldParams } from '@zama-fhe/sdk/query'; import { RevokeDelegationParams } from '@zama-fhe/sdk/query'; import { ShieldParams } from '@zama-fhe/sdk/query'; import { Token } from '@zama-fhe/sdk'; import { TokenMetadata } from '@zama-fhe/sdk/query'; import { TokenWrapperPair 
} from '@zama-fhe/sdk'; import { TokenWrapperPairWithMetadata } from '@zama-fhe/sdk'; import { TransactionResult } from '@zama-fhe/sdk'; import { UnshieldAllParams } from '@zama-fhe/sdk/query'; import { UnshieldParams } from '@zama-fhe/sdk/query'; import { UnwrapParams } from '@zama-fhe/sdk/query'; import { UseMutationOptions } from '@tanstack/react-query'; import { UseMutationResult } from '@tanstack/react-query'; import { UseQueryOptions } from '@tanstack/react-query'; import { UseQueryResult } from '@tanstack/react-query'; import { UserDecryptQueryConfig } from '@zama-fhe/sdk/query'; import { ZamaSDK } from '@zama-fhe/sdk'; import { ZamaSDKEventListener } from '@zama-fhe/sdk'; import { ZKProofLike } from '@zama-fhe/sdk';",
"description": "import * as _$_tanstack_react_query0 from '@tanstack/react-query'; import * as _$_zama_fhe_sdk0 from '@zama-fhe/sdk'; import * as _$react_jsx_runtime0 from 'react/jsx-runtime'; import * as _$viem from 'viem'; import { Address } from '@zama-fhe/sdk'; import { ApproveUnderlyingParams } from '@zama-fhe/sdk/query'; import { BatchBalancesResult } from '@zama-fhe/sdk'; import { BatchDecryptBalancesAsParams } from '@zama-fhe/sdk/query'; import { ClearValueType } from '@zama-fhe/sdk'; import { ConfidentialApproveParams } from '@zama-fhe/sdk/query'; import { ConfidentialTransferFromParams } from '@zama-fhe/sdk/query'; import { ConfidentialTransferParams } from '@zama-fhe/sdk/query'; import { CreateDelegatedUserDecryptEIP712Params } from '@zama-fhe/sdk/query'; import { CreateEIP712Params } from '@zama-fhe/sdk/query'; import { DecryptBalanceAsParams } from '@zama-fhe/sdk/query'; import { DecryptResult } from '@zama-fhe/sdk/query'; import { DelegateDecryptionParams } from '@zama-fhe/sdk/query'; import { DelegatedUserDecryptParams } from '@zama-fhe/sdk'; import { DelegationStatusData } from '@zama-fhe/sdk/query'; import { EIP712TypedData } from '@zama-fhe/sdk'; import { EncryptParams } from '@zama-fhe/sdk'; import { EncryptResult } from '@zama-fhe/sdk'; import { FinalizeUnwrapParams } from '@zama-fhe/sdk/query'; import { GenericProvider } from '@zama-fhe/sdk'; import { GenericSigner } from '@zama-fhe/sdk'; import { GenericStorage } from '@zama-fhe/sdk'; import { PaginatedResult } from '@zama-fhe/sdk'; import { PropsWithChildren } from 'react'; import { PublicDecryptResult } from '@zama-fhe/sdk'; import { PublicKeyData } from '@zama-fhe/sdk'; import { PublicParamsData } from '@zama-fhe/sdk'; import { ReadonlyToken } from '@zama-fhe/sdk'; import { RelayerSDK } from '@zama-fhe/sdk'; import { ResumeUnshieldParams } from '@zama-fhe/sdk/query'; import { RevokeDelegationParams } from '@zama-fhe/sdk/query'; import { ShieldParams } from '@zama-fhe/sdk/query'; import { 
Token } from '@zama-fhe/sdk'; import { TokenMetadata } from '@zama-fhe/sdk/query'; import { TokenWrapperPair } from '@zama-fhe/sdk'; import { TokenWrapperPairWithMetadata } from '@zama-fhe/sdk'; import { TransactionResult } from '@zama-fhe/sdk'; import { UnshieldAllParams } from '@zama-fhe/sdk/query'; import { UnshieldParams } from '@zama-fhe/sdk/query'; import { UnwrapParams } from '@zama-fhe/sdk/query'; import { UseMutationOptions } from '@tanstack/react-query'; import { UseMutationResult } from '@tanstack/react-query'; import { UseQueryOptions } from '@tanstack/react-query'; import { UseQueryResult } from '@tanstack/react-query'; import { UserDecryptQueryConfig } from '@zama-fhe/sdk/query'; import { ZamaSDK } from '@zama-fhe/sdk'; import { ZamaSDKEventListener } from '@zama-fhe/sdk';",
"include_in_llms_txt": false,
"include_in_llms_full": false
},
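Review bot: The react-sdk description in this hunk stops importing `ZKProofLike` and `@zama-fhe/relayer-sdk/web`, and starts importing `EncryptResult`, `PublicDecryptResult`, `PublicParamsData` and `* as _$viem from 'viem'`, so the package's public signatures changed. Check that `viem` is declared as a dependency or peer dependency of the react-sdk package now that its types appear in the API report, and list the removed and added types for consumers in the release notes.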