feat(wasm-utxo): add Zcash support with ZIP-243 sighash

Implement Zcash transaction support including consensus branch ID handling,
version group ID, expiry height, and ZIP-243 sighash algorithm for signatures.
Add ZcashBitGoPsbt class that handles Zcash-specific transaction fields and
simplifies PSBT creation with automatic branch ID determination from block
height.

Issue: BTC-2659

Co-authored-by: llm-git <[email protected]>

Author: OttoAllmendinger

packages/wasm-utxo/Cargo.lock

@@ -16,7 +16,7 @@ all = "warn"
 [dependencies]
 wasm-bindgen = "0.2"
 js-sys = "0.3"
-miniscript = { git = "https://github.com/BitGo/rust-miniscript", tag = "miniscript-13.0.0-opdrop-forkid" }
+miniscript = { git = "https://github.com/BitGo/rust-miniscript", tag = "miniscript-13.0.0-bitgo.1" }
 bech32 = "0.11"
 musig2 = { version = "0.3.1", default-features = false, features = ["k256"] }
 getrandom = { version = "0.2", features = ["js"] }
@@ -31,6 +31,9 @@ wasm-bindgen-test = "0.3"
 rstest = "0.26.1"
 pastey = "0.1"
 
+[target.'cfg(not(target_arch = "wasm32"))'.dev-dependencies]
+zebra-chain = { version = "3.1", default-features = false }
+
 [profile.release]
 # this is required to make webpack happy
 # https://github.com/webpack/webpack/issues/15566#issuecomment-2558347645

packages/wasm-utxo/Cargo.toml

@@ -20,7 +20,15 @@ This project is under active development.
 | Descriptor Wallet: Address Support      | ✅ Complete | 🚫          | 🚫          | 🚫          | 🚫          | 🚫          | 🚫          |
 | Descriptor Wallet: Transaction Support  | ✅ Complete | 🚫          | 🚫          | 🚫          | 🚫          | 🚫          | 🚫          |
 | FixedScript Wallet: Address Generation  | ✅ Complete | ✅ Complete | ✅ Complete | ✅ Complete | ✅ Complete | ✅ Complete | ✅ Complete |
-| FixedScript Wallet: Transaction Support | ✅ Complete | ✅ Complete | ✅ Complete | ⏳ TODO     | ⏳ TODO     | ✅ Complete | ⏳ TODO     |
+| FixedScript Wallet: Transaction Support | ✅ Complete | ✅ Complete | ✅ Complete | ⏳ TODO     | ⏳ TODO     | ✅ Complete | ✅ Complete |
+
+### Zcash Features
+
+Zcash support includes:
+- **Network Upgrade Awareness**: Automatic consensus branch ID determination based on block height
+- **All Network Upgrades**: Support for Overwinter, Sapling, Blossom, Heartwood, Canopy, Nu5, Nu6, and Nu6_1
+- **Height-Based API**: Preferred `createEmpty()` method automatically selects correct consensus rules
+- **Parity Testing**: Validated against `zebra-chain` for accuracy across all network upgrades
 
 ## Building
 

packages/wasm-utxo/README.md

@@ -16,6 +16,5 @@ base64 = "0.21"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 num-bigint = "0.4"
-bitcoin = { git = "https://github.com/BitGo/rust-bitcoin", tag = "bitcoin-0.32.8-forkid" }
 colored = "2.1"
 ptree = "0.5"

packages/wasm-utxo/cli/Cargo.toml

@@ -1,8 +1,8 @@
 /// This contains low-level parsing of PSBT into a node structure suitable for display
-use bitcoin::consensus::Decodable;
-use bitcoin::hashes::Hash;
-use bitcoin::psbt::Psbt;
-use bitcoin::{Network, ScriptBuf, Transaction};
+use wasm_utxo::bitcoin::consensus::Decodable;
+use wasm_utxo::bitcoin::hashes::Hash;
+use wasm_utxo::bitcoin::psbt::Psbt;
+use wasm_utxo::bitcoin::{Network, ScriptBuf, Transaction};
 use wasm_utxo::fixed_script_wallet::bitgo_psbt::{
     p2tr_musig2_input::{Musig2PartialSig, Musig2Participants, Musig2PubNonce},
     BitGoKeyValue, ProprietaryKeySubtype, BITGO,
@@ -21,8 +21,11 @@ fn script_buf_to_node(label: &str, script_buf: &ScriptBuf) -> Node {
 
 fn bip32_derivations_to_nodes(
     bip32_derivation: &std::collections::BTreeMap<
-        bitcoin::secp256k1::PublicKey,
-        (bitcoin::bip32::Fingerprint, bitcoin::bip32::DerivationPath),
+        wasm_utxo::bitcoin::secp256k1::PublicKey,
+        (
+            wasm_utxo::bitcoin::bip32::Fingerprint,
+            wasm_utxo::bitcoin::bip32::DerivationPath,
+        ),
     >,
 ) -> Vec<Node> {
     bip32_derivation
@@ -100,7 +103,10 @@ fn musig2_partial_sig_to_node(sig: &Musig2PartialSig) -> Node {
     node
 }
 
-fn bitgo_proprietary_to_node(prop_key: &bitcoin::psbt::raw::ProprietaryKey, v: &[u8]) -> Node {
+fn bitgo_proprietary_to_node(
+    prop_key: &wasm_utxo::bitcoin::psbt::raw::ProprietaryKey,
+    v: &[u8],
+) -> Node {
     // Try to parse as BitGo key-value
     let v_vec = v.to_vec();
     let bitgo_kv_result = BitGoKeyValue::from_key_value(prop_key, &v_vec);
@@ -159,7 +165,7 @@ fn bitgo_proprietary_to_node(prop_key: &bitcoin::psbt::raw::ProprietaryKey, v: &
 
 fn raw_proprietary_to_node(
     label: &str,
-    prop_key: &bitcoin::psbt::raw::ProprietaryKey,
+    prop_key: &wasm_utxo::bitcoin::psbt::raw::ProprietaryKey,
     v: &[u8],
 ) -> Node {
     let mut prop_node = Node::new(label, Primitive::None);
@@ -177,7 +183,10 @@ fn raw_proprietary_to_node(
 }
 
 fn proprietary_to_nodes(
-    proprietary: &std::collections::BTreeMap<bitcoin::psbt::raw::ProprietaryKey, Vec<u8>>,
+    proprietary: &std::collections::BTreeMap<
+        wasm_utxo::bitcoin::psbt::raw::ProprietaryKey,
+        Vec<u8>,
+    >,
 ) -> Vec<Node> {
     proprietary
         .iter()
@@ -194,8 +203,11 @@ fn proprietary_to_nodes(
 
 fn xpubs_to_nodes(
     xpubs: &std::collections::BTreeMap<
-        bitcoin::bip32::Xpub,
-        (bitcoin::bip32::Fingerprint, bitcoin::bip32::DerivationPath),
+        wasm_utxo::bitcoin::bip32::Xpub,
+        (
+            wasm_utxo::bitcoin::bip32::Fingerprint,
+            wasm_utxo::bitcoin::bip32::DerivationPath,
+        ),
     >,
 ) -> Vec<Node> {
     xpubs
@@ -215,8 +227,11 @@ fn xpubs_to_nodes(
 
 pub fn xpubs_to_node(
     xpubs: &std::collections::BTreeMap<
-        bitcoin::bip32::Xpub,
-        (bitcoin::bip32::Fingerprint, bitcoin::bip32::DerivationPath),
+        wasm_utxo::bitcoin::bip32::Xpub,
+        (
+            wasm_utxo::bitcoin::bip32::Fingerprint,
+            wasm_utxo::bitcoin::bip32::DerivationPath,
+        ),
     >,
 ) -> Node {
     let mut xpubs_node = Node::new("xpubs", Primitive::U64(xpubs.len() as u64));
@@ -267,7 +282,7 @@ pub fn psbt_to_node(psbt: &Psbt, network: Network) -> Node {
             witness_node.add_child(Node::new(
                 "address",
                 Primitive::String(
-                    bitcoin::Address::from_script(&witness_utxo.script_pubkey, network)
+                    wasm_utxo::bitcoin::Address::from_script(&witness_utxo.script_pubkey, network)
                         .map(|a| a.to_string())
                         .unwrap_or_else(|_| "<invalid address>".to_string()),
                 ),
@@ -353,7 +368,7 @@ pub fn psbt_to_node(psbt: &Psbt, network: Network) -> Node {
     psbt_node
 }
 
-pub fn tx_to_node(tx: &Transaction, network: bitcoin::Network) -> Node {
+pub fn tx_to_node(tx: &Transaction, network: wasm_utxo::bitcoin::Network) -> Node {
     let mut tx_node = Node::new("tx", Primitive::None);
 
     tx_node.add_child(Node::new("version", Primitive::I32(tx.version.0)));
@@ -425,7 +440,9 @@ pub fn tx_to_node(tx: &Transaction, network: bitcoin::Network) -> Node {
             Primitive::Buffer(output.script_pubkey.as_bytes().to_vec()),
         ));
 
-        if let Ok(address) = bitcoin::Address::from_script(&output.script_pubkey, network) {
+        if let Ok(address) =
+            wasm_utxo::bitcoin::Address::from_script(&output.script_pubkey, network)
+        {
             output_node.add_child(Node::new("address", Primitive::String(address.to_string())));
         }
 

packages/wasm-utxo/cli/src/parse/node.rs

@@ -25,9 +25,9 @@
 ///
 /// - [BIP-174: PSBT Format](https://github.com/bitcoin/bips/blob/master/bip-0174.mediawiki)
 /// - [bitcoin::psbt::raw](https://docs.rs/bitcoin/latest/bitcoin/psbt/raw/index.html)
-use bitcoin::consensus::Decodable;
-use bitcoin::psbt::raw::{Key, Pair};
-use bitcoin::{Network, Transaction, VarInt};
+use wasm_utxo::bitcoin::consensus::Decodable;
+use wasm_utxo::bitcoin::psbt::raw::{Key, Pair};
+use wasm_utxo::bitcoin::{Network, Transaction, VarInt};
 
 pub use crate::node::{Node, Primitive};
 

packages/wasm-utxo/cli/src/parse/node_raw.rs

@@ -214,3 +214,38 @@ export { BIP32 } from "./bip32";
 - Methods need to return new instances of the same type
 - Need to encapsulate underlying WASM instance
 - Examples: BIP32 keys, RootWalletKeys, BitGoPsbt
+
+### Network-Specific APIs
+
+Some UTXO networks require additional parameters that don't apply to others. The TypeScript wrappers use specialized classes and overloaded signatures to handle these cases while maintaining type safety.
+
+**Example: Zcash-specific PSBT creation**
+
+Zcash transactions require consensus-specific parameters to prevent replay attacks across network upgrades. The `ZcashBitGoPsbt` class provides a height-based API that automatically determines the correct consensus rules:
+
+```typescript
+// Non-Zcash networks: simple signature
+const btcPsbt = BitGoPsbt.createEmpty("bitcoin", walletKeys, { version: 2 });
+
+// Zcash networks: blockHeight determines consensus rules (preferred)
+const zecPsbt = ZcashBitGoPsbt.createEmpty("zcash", walletKeys, {
+  blockHeight: 1687104, // Automatically uses NU5 consensus rules
+  version: 5,
+  versionGroupId: 0x26a7270a, // optional
+  expiryHeight: 1000000, // optional
+});
+
+// Advanced: Explicit consensus branch ID (when needed)
+const zecPsbtAdvanced = ZcashBitGoPsbt.createEmptyWithConsensusBranchId("zcash", walletKeys, {
+  consensusBranchId: 0xc2d6d0b4, // NU5 branch ID
+  version: 5,
+});
+```
+
+This pattern ensures:
+
+- Automatic consensus rule selection based on block height (preferred)
+- No need to manually look up consensus branch IDs
+- Future-proof as new network upgrades activate
+- Advanced control available when explicit branch ID is needed
+- Full type safety with network-specific options

packages/wasm-utxo/js/README.md

@@ -105,14 +105,16 @@ export type AddWalletOutputOptions = {
 };
 
 export class BitGoPsbt {
-  private constructor(private wasm: WasmBitGoPsbt) {}
+  protected constructor(protected wasm: WasmBitGoPsbt) {}
 
   /**
    * Create an empty PSBT for the given network with wallet keys
    *
    * The wallet keys are used to set global xpubs in the PSBT, which identifies
    * the keys that will be used for signing.
    *
+   * For Zcash networks, use ZcashBitGoPsbt.createEmpty() instead.
+   *
    * @param network - Network name (utxolib name like "bitcoin" or coin name like "btc")
    * @param walletKeys - The wallet's root keys (sets global xpubs in the PSBT)
    * @param options - Optional transaction parameters (version, lockTime)

packages/wasm-utxo/js/fixedScriptWallet/BitGoPsbt.ts

@@ -0,0 +1,163 @@
+import { BitGoPsbt as WasmBitGoPsbt } from "../wasm/wasm_utxo.js";
+import { type WalletKeysArg, RootWalletKeys } from "./RootWalletKeys.js";
+import { BitGoPsbt, type CreateEmptyOptions } from "./BitGoPsbt.js";
+
+/** Zcash network names */
+export type ZcashNetworkName = "zcash" | "zcashTest" | "zec" | "tzec";
+
+/** Options for creating an empty Zcash PSBT (preferred method using block height) */
+export type CreateEmptyZcashOptions = CreateEmptyOptions & {
+  /** Block height to determine consensus branch ID automatically */
+  blockHeight: number;
+  /** Zcash version group ID (defaults to Sapling: 0x892F2085) */
+  versionGroupId?: number;
+  /** Zcash transaction expiry height */
+  expiryHeight?: number;
+};
+
+/** Options for creating an empty Zcash PSBT with explicit consensus branch ID (advanced use) */
+export type CreateEmptyZcashWithConsensusBranchIdOptions = CreateEmptyOptions & {
+  /** Zcash consensus branch ID (required, e.g., 0xC2D6D0B4 for NU5, 0x76B809BB for Sapling) */
+  consensusBranchId: number;
+  /** Zcash version group ID (defaults to Sapling: 0x892F2085) */
+  versionGroupId?: number;
+  /** Zcash transaction expiry height */
+  expiryHeight?: number;
+};
+
+/**
+ * Zcash-specific PSBT implementation
+ *
+ * This class extends BitGoPsbt with Zcash-specific functionality:
+ * - Required consensus branch ID for sighash computation
+ * - Version group ID for Zcash transaction format
+ * - Expiry height for transaction validity
+ *
+ * All Zcash-specific getters return non-optional types since they're
+ * guaranteed to be present for Zcash PSBTs.
+ *
+ * @example
+ * ```typescript
+ * // Create a new Zcash PSBT
+ * const psbt = ZcashBitGoPsbt.createEmpty("zcash", walletKeys, {
+ *   consensusBranchId: 0x76B809BB,  // Sapling
+ * });
+ *
+ * // Deserialize from bytes
+ * const psbt = ZcashBitGoPsbt.fromBytes(bytes, "zcash");
+ * ```
+ */
+export class ZcashBitGoPsbt extends BitGoPsbt {
+  /**
+   * Create an empty Zcash PSBT with consensus branch ID determined from block height
+   *
+   * **This is the preferred method for creating Zcash PSBTs.** It automatically determines
+   * the correct consensus branch ID based on the network and block height using Zcash
+   * network upgrade activation heights, eliminating the need to manually look up branch IDs.
+   *
+   * @param network - Zcash network name ("zcash", "zcashTest", "zec", "tzec")
+   * @param walletKeys - The wallet's root keys (sets global xpubs in the PSBT)
+   * @param options - Options including blockHeight to determine consensus rules
+   * @returns A new ZcashBitGoPsbt instance
+   * @throws Error if block height is before Overwinter activation
+   *
+   * @example
+   * ```typescript
+   * // Create PSBT for a specific block height (recommended)
+   * const psbt = ZcashBitGoPsbt.createEmpty("zcash", walletKeys, {
+   *   blockHeight: 1687104,  // Automatically uses Nu5 branch ID
+   * });
+   *
+   * // Create PSBT for current block height
+   * const currentHeight = await getBlockHeight();
+   * const psbt = ZcashBitGoPsbt.createEmpty("zcash", walletKeys, {
+   *   blockHeight: currentHeight,
+   * });
+   * ```
+   */
+  static override createEmpty(
+    network: ZcashNetworkName,
+    walletKeys: WalletKeysArg,
+    options: CreateEmptyZcashOptions,
+  ): ZcashBitGoPsbt {
+    const keys = RootWalletKeys.from(walletKeys);
+    const wasm = WasmBitGoPsbt.create_empty_zcash_at_height(
+      network,
+      keys.wasm,
+      options.blockHeight,
+      options.version,
+      options.lockTime,
+      options.versionGroupId,
+      options.expiryHeight,
+    );
+    return new ZcashBitGoPsbt(wasm);
+  }
+
+  /**
+   * Create an empty Zcash PSBT with explicit consensus branch ID
+   *
+   * **Advanced use only.** This method requires manually specifying the consensus branch ID.
+   * In most cases, you should use `createEmpty()` instead, which automatically determines
+   * the correct branch ID from the block height.
+   *
+   * @param network - Zcash network name ("zcash", "zcashTest", "zec", "tzec")
+   * @param walletKeys - The wallet's root keys (sets global xpubs in the PSBT)
+   * @param options - Zcash-specific options including required consensusBranchId
+   * @returns A new ZcashBitGoPsbt instance
+   *
+   * @example
+   * ```typescript
+   * // Only use this if you need explicit control over the branch ID
+   * const psbt = ZcashBitGoPsbt.createEmptyWithConsensusBranchId("zcash", walletKeys, {
+   *   consensusBranchId: 0xC2D6D0B4,  // Nu5 branch ID
+   * });
+   * ```
+   */
+  static createEmptyWithConsensusBranchId(
+    network: ZcashNetworkName,
+    walletKeys: WalletKeysArg,
+    options: CreateEmptyZcashWithConsensusBranchIdOptions,
+  ): ZcashBitGoPsbt {
+    const keys = RootWalletKeys.from(walletKeys);
+    const wasm = WasmBitGoPsbt.create_empty_zcash(
+      network,
+      keys.wasm,
+      options.consensusBranchId,
+      options.version,
+      options.lockTime,
+      options.versionGroupId,
+      options.expiryHeight,
+    );
+    return new ZcashBitGoPsbt(wasm);
+  }
+
+  /**
+   * Deserialize a Zcash PSBT from bytes
+   *
+   * @param bytes - The PSBT bytes
+   * @param network - Zcash network name ("zcash", "zcashTest", "zec", "tzec")
+   * @returns A ZcashBitGoPsbt instance
+   */
+  static override fromBytes(bytes: Uint8Array, network: ZcashNetworkName): ZcashBitGoPsbt {
+    const wasm = WasmBitGoPsbt.from_bytes(bytes, network);
+    return new ZcashBitGoPsbt(wasm);
+  }
+
+  // --- Zcash-specific getters ---
+
+  /**
+   * Get the Zcash version group ID
+   * @returns The version group ID (e.g., 0x892F2085 for Sapling)
+   */
+  get versionGroupId(): number {
+    return this.wasm.version_group_id();
+  }
+
+  /**
+   * Get the Zcash expiry height
+   * @returns The expiry height (0 if not set)
+   */
+  get expiryHeight(): number {
+    return this.wasm.expiry_height();
+  }
+}