@arkade-os/sdk 0.4.33 → 0.4.35

package/dist/{chunk-DSS2GQUG.js → chunk-NOR7XOKN.js}

@@ -1,6 +1,6 @@
-import { craftToSpendTx, Transaction, OP_RETURN_EMPTY_PKSCRIPT, Intent, getArkPsbtFields, CosignerPublicKey, setArkPsbtField, VtxoTaprootTree, maybeArkError, AssetRef, AssetId, AssetOutput, AssetGroup, AssetInput, Packet, Metadata, isEventSourceError, RestArkProvider, RestIndexerProvider, ArkError, BufferReader } from './chunk-E22HEKLN.js';
-import { isMainnetDescriptor, descriptorIsOurs, contractHandlers, DelegateVtxo, WALLET_RECEIVE_SOURCE, deriveDescriptorLeafPubKey, DefaultVtxo, BoardingContractHandler } from './chunk-AOJUURHM.js';
-import { VtxoScript, timelockToSequence, DEFAULT_NETWORK, DEFAULT_NETWORK_NAME, decodeTapscript, scriptFromTapLeafScript, CLTVMultisigTapscript, ArkAddress, getSequence, CSVMultisigTapscript, getNetwork, MultisigTapscript, networks as networks$1, DEFAULT_ARKADE_SERVER_URL } from './chunk-TU3LVAPX.js';
+import { craftToSpendTx, Transaction, OP_RETURN_EMPTY_PKSCRIPT, baseFetch, Intent, getArkPsbtFields, CosignerPublicKey, setArkPsbtField, VtxoTaprootTree, maybeArkError, AssetRef, AssetId, AssetOutput, AssetGroup, AssetInput, Packet, Metadata, isEventSourceError, RestArkProvider, RestIndexerProvider, ArkError, BufferReader } from './chunk-3JR77WQ4.js';
+import { isMainnetDescriptor, descriptorIsOurs, contractHandlers, DEFAULT_PAGE_SIZE, DelegateVtxo, WALLET_RECEIVE_SOURCE, deriveDescriptorLeafPubKey, DefaultVtxo, BoardingContractHandler } from './chunk-CUSABEUQ.js';
+import { VtxoScript, timelockToSequence, DEFAULT_NETWORK, DEFAULT_NETWORK_NAME, decodeTapscript, scriptFromTapLeafScript, CLTVMultisigTapscript, ArkAddress, CSVMultisigTapscript, getSequence, getNetwork, MultisigTapscript, networks as networks$1, DEFAULT_ARKADE_SERVER_URL } from './chunk-OUVTG72A.js';
 import { sha256, hash160, sha256x2, concatBytes, randomPrivateKeyBytes, pubECDSA, pubSchnorr, equalBytes as equalBytes$1 } from '@scure/btc-signer/utils.js';
 import { SigHash, Script, p2tr, RawWitness, Address, OutScript, p2wpkh, TaprootControlBlock, DEFAULT_SEQUENCE, Transaction as Transaction$2 } from '@scure/btc-signer';
 import { hex, base58, base64 } from '@scure/base';
@@ -958,7 +958,7 @@ var RestDelegateProvider = class {
    */
   async delegate(intent, forfeitTxs, options) {
     const url = `${this.url}/v1/delegate`;
-    const response = await fetch(url, {
+    const response = await baseFetch(url, {
       method: "POST",
       headers: {
         "Content-Type": "application/json"
@@ -973,8 +973,8 @@ var RestDelegateProvider = class {
       })
     });
     if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`Failed to delegate: ${errorText}`);
+      const errorText2 = await response.text();
+      throw new Error(`Failed to delegate: ${errorText2}`);
     }
   }
   /**
@@ -985,10 +985,10 @@ var RestDelegateProvider = class {
    */
   async getDelegateInfo() {
     const url = `${this.url}/v1/delegator/info`;
-    const response = await fetch(url);
+    const response = await baseFetch(url);
     if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`Failed to get delegate info: ${errorText}`);
+      const errorText2 = await response.text();
+      throw new Error(`Failed to get delegate info: ${errorText2}`);
     }
     const data = await response.json();
     if (!isDelegateInfo(data)) {
@@ -1009,7 +1009,7 @@ var ESPLORA_URL = {
   testnet: "https://mempool.space/testnet/api",
   signet: "https://mempool.signet.arkade.sh/api",
   mutinynet: "https://mempool.mutinynet.arkade.sh/api",
-  regtest: "http://localhost:3000"
+  regtest: "http://localhost:3000/api"
 };
 var EsploraProvider = class {
   constructor(baseUrl = ESPLORA_URL[DEFAULT_NETWORK_NAME], opts) {
@@ -1020,14 +1020,17 @@ var EsploraProvider = class {
   pollingInterval;
   forcePolling;
   async getCoins(address) {
-    const response = await fetch(`${this.baseUrl}/address/${address}/utxo`);
+    const response = await baseFetch(`${this.baseUrl}/address/${address}/utxo`);
     if (!response.ok) {
       throw new Error(`Failed to fetch UTXOs: ${response.statusText}`);
     }
     return response.json();
   }
   async getFeeRate() {
-    const response = await fetch(`${this.baseUrl}/fee-estimates`);
+    const response = await baseFetch(`${this.baseUrl}/fee-estimates`);
+    if (response.status === 404) {
+      return void 0;
+    }
     if (!response.ok) {
       throw new Error(`Failed to fetch fee rate: ${response.statusText}`);
     }
@@ -1045,7 +1048,7 @@ var EsploraProvider = class {
     }
   }
   async getTxOutspends(txid) {
-    const response = await fetch(`${this.baseUrl}/tx/${txid}/outspends`);
+    const response = await baseFetch(`${this.baseUrl}/tx/${txid}/outspends`);
     if (!response.ok) {
       const error = await response.text();
       throw new Error(`Failed to get transaction outspends: ${error}`);
@@ -1053,7 +1056,7 @@ var EsploraProvider = class {
     return response.json();
   }
   async getTransactions(address) {
-    const response = await fetch(`${this.baseUrl}/address/${address}/txs`);
+    const response = await baseFetch(`${this.baseUrl}/address/${address}/txs`);
     if (!response.ok) {
       const error = await response.text();
       throw new Error(`Failed to get transactions: ${error}`);
@@ -1061,7 +1064,7 @@ var EsploraProvider = class {
     return response.json();
   }
   async getTxStatus(txid) {
-    const txresponse = await fetch(`${this.baseUrl}/tx/${txid}`);
+    const txresponse = await baseFetch(`${this.baseUrl}/tx/${txid}`);
     if (!txresponse.ok) {
       throw new Error(txresponse.statusText);
     }
@@ -1069,7 +1072,7 @@ var EsploraProvider = class {
     if (!tx.status.confirmed) {
       return { confirmed: false };
     }
-    const response = await fetch(`${this.baseUrl}/tx/${txid}/status`);
+    const response = await baseFetch(`${this.baseUrl}/tx/${txid}/status`);
     if (!response.ok) {
       throw new Error(`Failed to get transaction status: ${response.statusText}`);
     }
@@ -1153,7 +1156,7 @@ var EsploraProvider = class {
     return stopFunc;
   }
   async getChainTip() {
-    const tipBlocks = await fetch(`${this.baseUrl}/blocks/tip`);
+    const tipBlocks = await baseFetch(`${this.baseUrl}/blocks`);
     if (!tipBlocks.ok) {
       throw new Error(`Failed to get chain tip: ${tipBlocks.statusText}`);
     }
@@ -1172,7 +1175,7 @@ var EsploraProvider = class {
     };
   }
   async broadcastPackage(parent, child) {
-    const response = await fetch(`${this.baseUrl}/txs/package`, {
+    const response = await baseFetch(`${this.baseUrl}/txs/package`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json"
@@ -1186,7 +1189,7 @@ var EsploraProvider = class {
     return response.json();
   }
   async broadcastTx(tx) {
-    const response = await fetch(`${this.baseUrl}/tx`, {
+    const response = await baseFetch(`${this.baseUrl}/tx`, {
       method: "POST",
       headers: {
         "Content-Type": "text/plain"
@@ -1776,6 +1779,45 @@ function selectedCoinsToAssetInputs(selectedCoins) {
   }
   return assetInputs;
 }
+function toXOnlySignerHex(pubkeyHex) {
+  const bytes = hex.decode(pubkeyHex);
+  if (bytes.length === 33) return hex.encode(bytes.slice(1));
+  if (bytes.length === 32) return hex.encode(bytes);
+  throw new Error(`invalid signer pubkey length: expected 32 or 33 bytes, got ${bytes.length}`);
+}
+function signerSetFromInfo(info) {
+  const active = toXOnlySignerHex(info.signerPubkey);
+  const deprecated = /* @__PURE__ */ new Map();
+  for (const signer of info.deprecatedSigners) {
+    if (!signer.pubkey) continue;
+    deprecated.set(toXOnlySignerHex(signer.pubkey), signer.cutoffDate);
+  }
+  return { active, deprecated };
+}
+function classifyAgainstSignerSet(contractServerPubKeyHex, signerSet, nowSeconds = Math.floor(Date.now() / 1e3)) {
+  const signerPubKey = toXOnlySignerHex(contractServerPubKeyHex);
+  if (signerPubKey === signerSet.active) {
+    return { status: "CURRENT", signerPubKey };
+  }
+  if (!signerSet.deprecated.has(signerPubKey)) {
+    return { status: "UNKNOWN_SIGNER", signerPubKey };
+  }
+  const cutoffDate = signerSet.deprecated.get(signerPubKey);
+  if (cutoffDate === 0n) {
+    return { status: "DUE_NOW", signerPubKey };
+  }
+  const secondsUntilCutoff = Number(cutoffDate) - nowSeconds;
+  if (secondsUntilCutoff <= 0) {
+    return { status: "EXPIRED", signerPubKey, cutoffDate, secondsUntilCutoff };
+  }
+  return { status: "MIGRATABLE", signerPubKey, cutoffDate, secondsUntilCutoff };
+}
+function classifyContractSigner(contractServerPubKeyHex, info, nowSeconds = Math.floor(Date.now() / 1e3)) {
+  return classifyAgainstSignerSet(contractServerPubKeyHex, signerSetFromInfo(info), nowSeconds);
+}
+function isCooperativelyMigratable(status) {
+  return status === "MIGRATABLE" || status === "DUE_NOW";
+}
 function buildOffchainTx(inputs, outputs, serverUnrollScript) {
   const MAX_OP_RETURN = 2;
   let countOpReturn = 0;
@@ -2258,12 +2300,12 @@ var FALLBACK_WALLET_DUST_AMOUNT = 330n;
 function getDustAmount(wallet) {
   return "dustAmount" in wallet ? wallet.dustAmount : FALLBACK_WALLET_DUST_AMOUNT;
 }
-function extendCoin(wallet, utxo) {
+function extendCoinWithTapscript(boardingTapscript, utxo) {
   return {
     ...utxo,
-    forfeitTapLeafScript: wallet.boardingTapscript.forfeit(),
-    intentTapLeafScript: wallet.boardingTapscript.forfeit(),
-    tapTree: wallet.boardingTapscript.encode()
+    forfeitTapLeafScript: boardingTapscript.forfeit(),
+    intentTapLeafScript: boardingTapscript.forfeit(),
+    tapTree: boardingTapscript.encode()
   };
 }
 function deriveContractTapscripts(contract) {
@@ -2356,13 +2398,27 @@ function validateRecipients(recipients, dustAmount) {
 }
 
 // src/wallet/vtxo-manager.ts
+function selectPendingRecoveryOutpoints(contractsWithVtxos, signerSet, nowSeconds = Math.floor(Date.now() / 1e3)) {
+  const out = /* @__PURE__ */ new Set();
+  for (const { contract, vtxos } of contractsWithVtxos) {
+    const serverPubKey = contract.params.serverPubKey;
+    if (!serverPubKey) continue;
+    if (classifyAgainstSignerSet(serverPubKey, signerSet, nowSeconds).status !== "EXPIRED") {
+      continue;
+    }
+    for (const v of vtxos) {
+      if (isSpendable(v) && !isRecoverable(v)) out.add(`${v.txid}:${v.vout}`);
+    }
+  }
+  return out;
+}
 function isSweepCapable(wallet) {
-  return "boardingTapscript" in wallet && "onchainProvider" in wallet && "arkProvider" in wallet && "network" in wallet;
+  return "boardingTapscript" in wallet && "onchainProvider" in wallet && "arkProvider" in wallet && "network" in wallet && "signOnchainBoardingTx" in wallet;
 }
 function assertSweepCapable(wallet) {
   if (!isSweepCapable(wallet)) {
     throw new Error(
-      "Boarding UTXO sweep requires a Wallet instance with boardingTapscript, onchainProvider, arkProvider, and network"
+      "Boarding UTXO sweep requires a Wallet instance with boardingTapscript, onchainProvider, arkProvider, network, and signOnchainBoardingTx"
     );
   }
 }
@@ -2378,6 +2434,33 @@ async function runWithCrossInstanceLock(name, fn) {
     await fn();
   });
 }
+var MAX_VTXOS_PER_SETTLEMENT = 50;
+function byValueDescending(vtxos) {
+  return [...vtxos].sort((a, b) => b.value - a.value);
+}
+function byExpiryAscending(vtxos) {
+  const expiryKey = (vtxo) => {
+    if (isRecoverable(vtxo)) return -Infinity;
+    const batchExpiry = vtxo.virtualStatus.batchExpiry;
+    if (isExpired(vtxo)) return batchExpiry ?? -Infinity;
+    if (!batchExpiry) return Infinity;
+    if (new Date(batchExpiry).getFullYear() < 2025) return Infinity;
+    return batchExpiry;
+  };
+  return [...vtxos].sort((a, b) => expiryKey(a) - expiryKey(b));
+}
+function capSettlementBatch(sorted, maxAmount) {
+  const batch = [];
+  let total = 0n;
+  for (const vtxo of sorted) {
+    if (batch.length >= MAX_VTXOS_PER_SETTLEMENT) break;
+    const next = total + BigInt(vtxo.value);
+    if (maxAmount >= 0n && next > maxAmount) continue;
+    batch.push(vtxo);
+    total = next;
+  }
+  return batch;
+}
 var DEFAULT_THRESHOLD_SECONDS = 259200;
 var DEFAULT_THRESHOLD_MS = DEFAULT_THRESHOLD_SECONDS * 1e3;
 var DEFAULT_RENEWAL_CONFIG = {
@@ -2387,7 +2470,8 @@ var DEFAULT_RENEWAL_CONFIG = {
 var DEFAULT_SETTLEMENT_CONFIG = {
   vtxoThreshold: DEFAULT_THRESHOLD_SECONDS,
   boardingUtxoSweep: true,
-  pollIntervalMs: 6e4
+  pollIntervalMs: 6e4,
+  deprecatedSignerMigration: true
 };
 function getRecoverableVtxos(vtxos, dustAmount) {
   return vtxos.filter((vtxo) => {
@@ -2441,6 +2525,51 @@ function getExpiringAndRecoverableVtxos(vtxos, thresholdMs, dustAmount) {
     (vtxo) => isVtxoExpiringSoon(vtxo, thresholdMs) || isRecoverable(vtxo) || isSpendable(vtxo) && isExpired(vtxo) || isSubdust(vtxo, dustAmount)
   );
 }
+function isMigrationCapable(wallet) {
+  return "arkProvider" in wallet && "arkServerPublicKey" in wallet && "onchainProvider" in wallet && typeof wallet.rotateServerSigner === "function" && typeof wallet.sendSelectedVtxosToSelf === "function" && typeof wallet.getBoardingUtxosForSigners === "function";
+}
+function classifiedToRef(c) {
+  return {
+    txid: c.vtxo.txid,
+    vout: c.vtxo.vout,
+    value: c.vtxo.value,
+    signerPubKey: c.classification.signerPubKey,
+    cutoffDate: c.classification.cutoffDate
+  };
+}
+function classifiedBoardingToRef(c) {
+  return {
+    txid: c.coin.txid,
+    vout: c.coin.vout,
+    value: c.coin.value,
+    signerPubKey: c.classification.signerPubKey,
+    cutoffDate: c.classification.cutoffDate
+  };
+}
+function mergeSignerReports(...reportLists) {
+  const bySigner = /* @__PURE__ */ new Map();
+  for (const list of reportLists) {
+    for (const r of list) {
+      const existing = bySigner.get(r.signerPubKey);
+      if (existing) {
+        existing.vtxoCount += r.vtxoCount;
+        existing.totalValue += r.totalValue;
+        existing.boardingCount += r.boardingCount;
+        existing.boardingValue += r.boardingValue;
+        existing.recoverableCount += r.recoverableCount;
+        existing.recoverableValue += r.recoverableValue;
+        existing.awaitingSweepCount += r.awaitingSweepCount;
+        existing.awaitingSweepValue += r.awaitingSweepValue;
+        if (r.nextSweepEta !== void 0) {
+          existing.nextSweepEta = existing.nextSweepEta === void 0 ? r.nextSweepEta : Math.min(existing.nextSweepEta, r.nextSweepEta);
+        }
+      } else {
+        bySigner.set(r.signerPubKey, { ...r });
+      }
+    }
+  }
+  return Array.from(bySigner.values());
+}
 var VtxoManager = class _VtxoManager {
   constructor(wallet, renewalConfig, settlementConfig) {
     this.wallet = wallet;
@@ -2456,15 +2585,9 @@ var VtxoManager = class _VtxoManager {
     } else {
       this.settlementConfig = { ...DEFAULT_SETTLEMENT_CONFIG };
     }
-    this.contractEventsSubscriptionReady = this.initializeSubscription().then(
-      (subscription) => {
-        this.contractEventsSubscription = subscription;
-        return subscription;
-      }
-    );
+    this.contractEventsSubscriptionReady = this.initializeSubscription();
   }
   settlementConfig;
-  contractEventsSubscription;
   contractEventsSubscriptionReady;
   disposePromise;
   pollTimeoutId;
@@ -2501,6 +2624,15 @@ var VtxoManager = class _VtxoManager {
   lastVtxoSpentRefreshTimestamp = 0;
   vtxoSpentRefreshPromise;
   static VTXO_SPENT_REFRESH_COOLDOWN_MS = 3e4;
+  // Cooldown/backoff for the automatic deprecated-signer migration pass.
+  // Mirrors the periodic-settle machinery so a server-side migration failure
+  // (e.g. arkd not yet accepting old-key inputs, or a closed cutoff window)
+  // backs off exponentially instead of re-submitting an identical intent on
+  // every poll. The manual migrateDeprecatedSignerVtxos() bypasses this.
+  lastMigrationTimestamp = 0;
+  consecutiveMigrationFailures = 0;
+  static MIGRATION_COOLDOWN_MS = 3e4;
+  static MIGRATION_MAX_BACKOFF_MS = 5 * 60 * 1e3;
   // ========== Recovery Methods ==========
   /**
    * Recover swept/expired virtual outputs by settling them back to the wallet's Arkade address.
@@ -2537,10 +2669,25 @@ var VtxoManager = class _VtxoManager {
       withUnrolled: false
     });
     const dustAmount = getDustAmount(this.wallet);
-    const { vtxosToRecover, totalAmount } = getRecoverableWithSubdust(allVtxos, dustAmount);
+    let { vtxosToRecover, totalAmount } = getRecoverableWithSubdust(allVtxos, dustAmount);
     if (vtxosToRecover.length === 0) {
       throw new Error("No recoverable VTXOs found");
     }
+    const info = await this.getInfoProvider()?.getInfo();
+    const vtxoMaxAmount = info?.vtxoMaxAmount ?? -1n;
+    const capped = capSettlementBatch(byValueDescending(vtxosToRecover), vtxoMaxAmount);
+    if (capped.length < vtxosToRecover.length) {
+      const recoverableCount = vtxosToRecover.length;
+      ({ vtxosToRecover, totalAmount } = getRecoverableWithSubdust(capped, dustAmount));
+      if (vtxosToRecover.length === 0) {
+        throw new Error(
+          `Capped recovery batch (highest-value subset of ${recoverableCount} recoverable VTXOs within the ${MAX_VTXOS_PER_SETTLEMENT}-input and ${vtxoMaxAmount}-sat limits) is below the dust threshold ${dustAmount}`
+        );
+      }
+    }
+    if (info && isMigrationCapable(this.wallet)) {
+      await this.rotateForRecoverableInputs(vtxosToRecover, info);
+    }
     const arkAddress = await this.wallet.getAddress();
     return this.wallet.settle(
       {
@@ -2690,6 +2837,25 @@ var VtxoManager = class _VtxoManager {
       if (vtxos.length === 0) {
         throw new Error("No VTXOs available to renew");
       }
+      const info = await this.getInfoProvider()?.getInfo();
+      const vtxoMaxAmount = info?.vtxoMaxAmount ?? -1n;
+      const capped = capSettlementBatch(byExpiryAscending(vtxos), vtxoMaxAmount);
+      if (vtxoMaxAmount >= 0n) {
+        const oversized = vtxos.filter((vtxo) => BigInt(vtxo.value) > vtxoMaxAmount);
+        if (oversized.length > 0) {
+          console.warn(
+            `Renewal: ${oversized.length} VTXO(s) exceed the per-output limit ${vtxoMaxAmount} and cannot be renewed; they risk unilateral exit`
+          );
+        }
+      }
+      if (capped.length < vtxos.length) {
+        vtxos = capped;
+        if (vtxos.length === 0) {
+          throw new Error(
+            `No VTXOs available to renew within the per-output limit ${vtxoMaxAmount}`
+          );
+        }
+      }
       const totalAmount = vtxos.reduce((sum, vtxo) => sum + vtxo.value, 0);
       const dustAmount = getDustAmount(this.wallet);
       if (BigInt(totalAmount) < dustAmount) {
@@ -2697,6 +2863,9 @@ var VtxoManager = class _VtxoManager {
           `Total amount ${totalAmount} is below dust threshold ${dustAmount}`
         );
       }
+      if (info && isMigrationCapable(this.wallet)) {
+        await this.rotateForRecoverableInputs(vtxos, info);
+      }
       const arkAddress = await this.wallet.getAddress();
       const txid = await this.wallet.settle(
         {
@@ -2797,7 +2966,6 @@ var VtxoManager = class _VtxoManager {
     const boardingAddress = await this.wallet.getBoardingAddress();
     const feeRate = await this.getOnchainProvider().getFeeRate() ?? 1;
     const exitTapLeafScript = this.getBoardingExitLeaf();
-    const sequence = getSequence(exitTapLeafScript);
     const leafScript = exitTapLeafScript[1];
     const leafScriptSize = leafScript.length - 1;
     const controlBlockSize = exitTapLeafScript[0].merklePath.length * 32;
@@ -2818,19 +2986,28 @@ var VtxoManager = class _VtxoManager {
     }
     const tx = new Transaction();
     for (const utxo of expiredUtxos) {
+      const utxoScript = VtxoScript.decode(utxo.tapTree);
+      const utxoExitLeaf = utxoScript.leaves.find(
+        (leaf) => CSVMultisigTapscript.isScriptValid(scriptFromTapLeafScript(leaf)) === true
+      );
+      if (!utxoExitLeaf) {
+        throw new Error(
+          `Boarding sweep: no CSV exit leaf for UTXO ${utxo.txid}:${utxo.vout}`
+        );
+      }
       tx.addInput({
         txid: utxo.txid,
         index: utxo.vout,
         witnessUtxo: {
-          script: this.getBoardingOutputScript(),
+          script: utxoScript.pkScript,
           amount: BigInt(utxo.value)
         },
-        tapLeafScript: [exitTapLeafScript],
-        sequence
+        tapLeafScript: [utxoExitLeaf],
+        sequence: getSequence(utxoExitLeaf)
       });
     }
     tx.addOutputAddress(boardingAddress, outputAmount, this.getNetwork());
-    const signedTx = await this.getIdentity().sign(tx);
+    const signedTx = await this.getSweepWallet().signOnchainBoardingTx(tx);
     signedTx.finalize();
     const txid = await this.getOnchainProvider().broadcastTransaction(signedTx.hex);
     for (const u of expiredUtxos) {
@@ -2839,6 +3016,472 @@ var VtxoManager = class _VtxoManager {
     this.knownBoardingUtxos.add(`${txid}:0`);
     return txid;
   }
+  // ========== Deprecated-Signer Migration Methods ==========
+  /**
+   * Cooperatively migrate VTXOs minted under a now-deprecated server signer
+   * to the wallet's active-signer address. See {@link IVtxoManager}.
+   */
+  async migrateDeprecatedSignerVtxos(options) {
+    return this.migrateCore(options);
+  }
+  /**
+   * Machine-readable status of every deprecated server signer the wallet
+   * currently holds funds under (Section 6), without migrating. Covers both
+   * VTXO and boarding holdings (Section 7), merged per signer.
+   *
+   * @remarks This is no longer a pure repository/info read: surfacing boarding
+   * holdings fans out per boarding address (`getCoins` round trips) and
+   * refreshes the UTXO cache via `saveUtxos`.
+   */
+  async getDeprecatedSignerStatus() {
+    const wallet = this.requireMigrationCapableWallet();
+    const info = await wallet.arkProvider.getInfo();
+    const { reports: vtxoReports } = await this.classifyDeprecatedSignerContracts(info);
+    const { reports: boardingReports } = await this.classifyDeprecatedSignerBoarding(info);
+    return mergeSignerReports(vtxoReports, boardingReports);
+  }
+  /**
+   * Core migration routine shared by the manual API and the automatic poll
+   * pass. Fetches a fresh {@link ArkInfo}, applies a mid-session signer
+   * rotation when the wallet's own snapshot signer has been deprecated,
+   * selects spendable VTXOs under deprecated-signer contracts (cutoff-first),
+   * and settles them to the active-signer Ark address.
+   */
+  async migrateCore(options) {
+    const wallet = this.requireMigrationCapableWallet();
+    const info = await wallet.arkProvider.getInfo();
+    const signerSet = signerSetFromInfo(info);
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    const walletSignerHex = hex.encode(wallet.arkServerPublicKey);
+    const walletClass = classifyAgainstSignerSet(walletSignerHex, signerSet, nowSeconds);
+    if (signerSet.deprecated.size === 0 && walletClass.status === "CURRENT") {
+      return { rotated: false, expired: [], signers: [] };
+    }
+    if (walletClass.status === "UNKNOWN_SIGNER") {
+      const { reports: vtxoReports2 } = await this.classifyDeprecatedSignerContracts(info);
+      const { reports: boardingReports2 } = await this.classifyDeprecatedSignerBoarding(info);
+      return {
+        rotated: false,
+        expired: [],
+        signers: mergeSignerReports(vtxoReports2, boardingReports2),
+        skipped: "unknown-wallet-signer"
+      };
+    }
+    const rotated = await this.ensureReceiveOnActiveSigner(info);
+    const {
+      reports: vtxoReports,
+      migratable: vtxoMigratable,
+      expired: vtxoExpired
+    } = await this.classifyDeprecatedSignerContracts(info);
+    const {
+      reports: boardingReports,
+      migratable: boardingMigratable,
+      expired: boardingExpired
+    } = await this.classifyDeprecatedSignerBoarding(info);
+    const reports = mergeSignerReports(vtxoReports, boardingReports);
+    const expiredRefs = [
+      ...vtxoExpired.map(classifiedToRef),
+      ...boardingExpired.map(classifiedBoardingToRef)
+    ];
+    if (vtxoMigratable.length === 0 && boardingMigratable.length === 0) {
+      return {
+        rotated,
+        expired: expiredRefs,
+        signers: reports,
+        skipped: "no-deprecated-vtxos"
+      };
+    }
+    const vtxoMaxAmount = info.vtxoMaxAmount;
+    const dustAmount = getDustAmount(this.wallet);
+    const report = {
+      rotated,
+      expired: expiredRefs,
+      signers: reports
+    };
+    if (vtxoMigratable.length > 0) {
+      report.vtxos = await this.runMigrationLeg(
+        vtxoMigratable,
+        (c) => c.vtxo.value,
+        classifiedToRef,
+        vtxoMaxAmount,
+        dustAmount,
+        "VTXO",
+        (capped) => wallet.sendSelectedVtxosToSelf(capped.map((c) => c.vtxo))
+      );
+    }
+    if (boardingMigratable.length > 0) {
+      report.boarding = await this.runMigrationLeg(
+        boardingMigratable,
+        (c) => c.coin.value,
+        classifiedBoardingToRef,
+        vtxoMaxAmount,
+        dustAmount,
+        "boarding",
+        async (capped) => {
+          const arkAddress = await this.wallet.getAddress();
+          const totalAmount = capped.reduce((sum, c) => sum + BigInt(c.coin.value), 0n);
+          return this.wallet.settle(
+            {
+              inputs: capped.map((c) => c.coin),
+              outputs: [{ address: arkAddress, amount: totalAmount }]
+            },
+            options?.eventCallback
+          );
+        }
+      );
+    }
+    return report;
+  }
+  /**
+   * Size and submit one migration leg. Filters inputs whose value alone
+   * exceeds the per-output ceiling (`vtxoMaxAmount`; `< 0` means no limit) —
+   * those can never form a ≤-ceiling output and must exit unilaterally — then
+   * caps the rest (highest-value first; bounded by {@link MAX_VTXOS_PER_SETTLEMENT}
+   * AND a gross total within `vtxoMaxAmount`), applies the protocol dust floor,
+   * and submits the capped batch through `submit`. A throw from `submit` lands
+   * in `error`; the caller's other leg still runs.
+   *
+   * Migration is mandatory and fee-exempt: every selected input moves at its
+   * full value, so the gross total IS the aggregated output amount (kept under
+   * the server ceiling by the cap). The dust floor guards the degenerate cases
+   * where every input was oversized or the whole holding sums below dust.
+   */
+  async runMigrationLeg(candidates, valueOf, toRef, vtxoMaxAmount, dustAmount, legName, submit) {
+    const oversizedRefs = [];
+    const sized = [];
+    for (const c of candidates) {
+      if (vtxoMaxAmount >= 0n && BigInt(valueOf(c)) > vtxoMaxAmount) {
+        oversizedRefs.push(toRef(c));
+      } else {
+        sized.push(c);
+      }
+    }
+    if (oversizedRefs.length > 0) {
+      console.warn(
+        `Deprecated-signer migration (${legName}): ${oversizedRefs.length} input(s) exceed the per-output limit ${vtxoMaxAmount} and cannot be migrated cooperatively; they require a unilateral exit.`
+      );
+    }
+    const oversizedField = oversizedRefs.length > 0 ? { oversized: oversizedRefs } : {};
+    const capped = capSettlementBatch(
+      byValueDescending(sized.map((c) => ({ value: valueOf(c), c }))),
+      vtxoMaxAmount
+    ).map((w) => w.c);
+    const deferred = sized.length - capped.length;
+    const totalAmount = capped.reduce((sum, c) => sum + BigInt(valueOf(c)), 0n);
+    if (totalAmount < dustAmount) {
+      const onlyOversized = sized.length === 0 && oversizedRefs.length > 0;
+      return {
+        migrated: [],
+        skipped: onlyOversized ? "oversized-only" : "below-dust",
+        ...oversizedField
+      };
+    }
+    try {
+      const txid = await submit(capped);
+      return {
+        txid,
+        migrated: capped.map(toRef),
+        ...deferred > 0 ? { deferred } : {},
+        ...oversizedField
+      };
+    } catch (e) {
+      return {
+        migrated: [],
+        error: e instanceof Error ? e.message : String(e),
+        ...oversizedField
+      };
+    }
+  }
+  /**
+   * Enumerate the wallet's `default`/`delegate` contracts, classify each
+   * against the fresh signer set, and split their spendable VTXOs into
+   * cooperatively-migratable and cutoff-expired sets while building the
+   * per-signer status report. Current-signer contracts are skipped; swept
+   * (recoverable) VTXOs are excluded from the settle sets — those follow the
+   * recovery path — but are still counted on EXPIRED report rows
+   * (`recoverableCount`) so post-cutoff funds in flight stay visible.
+   */
+  async classifyDeprecatedSignerContracts(info) {
+    const cm = await this.wallet.getContractManager();
+    const signerSet = signerSetFromInfo(info);
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    const contractsWithVtxos = await cm.getContractsWithVtxos({
+      type: ["default", "delegate"]
+    });
+    const reportsBySigner = /* @__PURE__ */ new Map();
+    const migratable = [];
+    const expired = [];
+    for (const { contract, vtxos } of contractsWithVtxos) {
+      const serverPubKey = contract.params.serverPubKey;
+      if (!serverPubKey) continue;
+      const cls = classifyAgainstSignerSet(serverPubKey, signerSet, nowSeconds);
+      if (cls.status === "CURRENT") continue;
+      const recoverable = vtxos.filter((v) => isRecoverable(v));
+      const spendable = vtxos.filter((v) => isSpendable(v) && !isRecoverable(v));
+      const value = spendable.reduce((sum, v) => sum + v.value, 0);
+      let recoverableCount = 0;
+      let recoverableValue = 0;
+      let awaitingSweepCount = 0;
+      let awaitingSweepValue = 0;
+      let nextSweepEta;
+      if (cls.status === "EXPIRED") {
+        recoverableCount = recoverable.length;
+        recoverableValue = recoverable.reduce((sum, v) => sum + v.value, 0);
+        awaitingSweepCount = spendable.length;
+        awaitingSweepValue = value;
+        for (const v of spendable) {
+          const exp = v.virtualStatus.batchExpiry;
+          if (exp !== void 0 && (nextSweepEta === void 0 || exp < nextSweepEta)) {
+            nextSweepEta = exp;
+          }
+        }
+      }
+      const existing = reportsBySigner.get(cls.signerPubKey);
+      if (existing) {
+        existing.vtxoCount += spendable.length;
+        existing.totalValue += value;
+        existing.recoverableCount += recoverableCount;
+        existing.recoverableValue += recoverableValue;
+        existing.awaitingSweepCount += awaitingSweepCount;
+        existing.awaitingSweepValue += awaitingSweepValue;
+        if (nextSweepEta !== void 0) {
+          existing.nextSweepEta = existing.nextSweepEta === void 0 ? nextSweepEta : Math.min(existing.nextSweepEta, nextSweepEta);
+        }
+      } else {
+        reportsBySigner.set(cls.signerPubKey, {
+          signerPubKey: cls.signerPubKey,
+          status: cls.status,
+          cutoffDate: cls.cutoffDate,
+          secondsUntilCutoff: cls.secondsUntilCutoff,
+          vtxoCount: spendable.length,
+          totalValue: value,
+          boardingCount: 0,
+          boardingValue: 0,
+          recoverableCount,
+          recoverableValue,
+          awaitingSweepCount,
+          awaitingSweepValue,
+          nextSweepEta
+        });
+      }
+      if (isCooperativelyMigratable(cls.status)) {
+        for (const v of spendable) {
+          if (!v.virtualStatus.batchExpiry) continue;
+          migratable.push({ vtxo: v, classification: cls });
+        }
+      } else if (cls.status === "EXPIRED") {
+        for (const v of spendable) expired.push({ vtxo: v, classification: cls });
+      }
+    }
+    return {
+      reports: Array.from(reportsBySigner.values()),
+      migratable,
+      expired
+    };
+  }
+  /**
+   * Boarding sibling of {@link classifyDeprecatedSignerContracts} (Section 7):
+   * fan out over the wallet's boarding addresses (current + historical), group
+   * the on-chain UTXOs per address, classify each address's signer against the
+   * fresh signer set, and split the confirmed boarding coins into cooperatively-
+   * migratable and cutoff-expired sets while building the per-signer report.
+   *
+   * Discovery sees the active signer plus EVERY deprecated key (EXPIRED
+   * included), so expired-signer boarding is still reported; migration
+   * eligibility is gated afterwards by {@link isCooperativelyMigratable} and a
+   * per-row boarding-output CSV check — never by the fetch. Current-signer
+   * coins are classified `CURRENT` and ignored; foreign-ASP rows are excluded
+   * because their keys are not in the signer set.
+   */
+  async classifyDeprecatedSignerBoarding(info) {
+    const wallet = this.requireMigrationCapableWallet();
+    const signerSet = signerSetFromInfo(info);
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    const allowed = /* @__PURE__ */ new Set([signerSet.active, ...signerSet.deprecated.keys()]);
+    const groups = await wallet.getBoardingUtxosForSigners(allowed);
+    let chainTipHeight;
+    if (groups.some((g) => g.csvTimelock.type === "blocks")) {
+      const tip = await wallet.onchainProvider.getChainTip();
+      chainTipHeight = tip.height;
+    }
+    const reportsBySigner = /* @__PURE__ */ new Map();
+    const migratable = [];
+    const expired = [];
+    for (const group of groups) {
+      const cls = classifyAgainstSignerSet(group.serverPubKey, signerSet, nowSeconds);
+      if (cls.status === "CURRENT") continue;
+      const confirmed = group.coins.filter((c) => c.status.confirmed);
+      if (confirmed.length === 0) continue;
+      const value = confirmed.reduce((sum, c) => sum + c.value, 0);
+      const existing = reportsBySigner.get(cls.signerPubKey);
+      if (existing) {
+        existing.boardingCount += confirmed.length;
+        existing.boardingValue += value;
+      } else {
+        reportsBySigner.set(cls.signerPubKey, {
+          signerPubKey: cls.signerPubKey,
+          status: cls.status,
+          cutoffDate: cls.cutoffDate,
+          secondsUntilCutoff: cls.secondsUntilCutoff,
+          vtxoCount: 0,
+          totalValue: 0,
+          boardingCount: confirmed.length,
+          boardingValue: value,
+          // Boarding UTXOs don't carry an offchain sweep lifecycle; the
+          // post-cutoff recover-on-sweep fields apply to VTXOs only and
+          // are merged in from the VTXO classifier (mergeSignerReports).
+          recoverableCount: 0,
+          recoverableValue: 0,
+          awaitingSweepCount: 0,
+          awaitingSweepValue: 0
+        });
+      }
+      for (const coin of confirmed) {
+        const boardingExpired = hasBoardingTxExpired(
+          coin,
+          group.csvTimelock,
+          chainTipHeight
+        );
+        if (isCooperativelyMigratable(cls.status) && !boardingExpired) {
+          migratable.push({ coin, classification: cls });
+        } else if (cls.status === "EXPIRED") {
+          expired.push({ coin, classification: cls });
+        }
+      }
+    }
+    return {
+      reports: Array.from(reportsBySigner.values()),
+      migratable,
+      expired
+    };
+  }
+  /**
+   * Automatic migration pass invoked from the poll loop. Self-contained:
+   * respects an exponential cooldown and logs failures rather than throwing,
+   * so a persistently failing migration backs off instead of re-submitting
+   * an identical intent every cycle.
+   */
+  async runMigrationPass() {
+    const cooldownMs = Math.min(
+      _VtxoManager.MIGRATION_COOLDOWN_MS * Math.pow(2, this.consecutiveMigrationFailures),
+      _VtxoManager.MIGRATION_MAX_BACKOFF_MS
+    );
+    if (Date.now() - this.lastMigrationTimestamp < cooldownMs) return;
+    try {
+      const report = await this.migrateCore();
+      const legError = report.vtxos?.error ?? report.boarding?.error;
+      if (legError) {
+        this.consecutiveMigrationFailures++;
+        console.error("Deprecated-signer migration leg failed:", legError);
+      } else {
+        this.consecutiveMigrationFailures = 0;
+      }
+    } catch (e) {
+      this.consecutiveMigrationFailures++;
+      console.error("Error during deprecated-signer migration:", e);
+    } finally {
+      this.lastMigrationTimestamp = Date.now();
+    }
+  }
+  /** Asserts migration capability and returns the typed wallet. */
+  requireMigrationCapableWallet() {
+    if (!isMigrationCapable(this.wallet)) {
+      throw new Error(
+        "Deprecated-signer migration requires a Wallet instance with arkProvider, arkServerPublicKey, and rotateServerSigner"
+      );
+    }
+    return this.wallet;
+  }
+  /**
+   * If the wallet's own construction-time signer snapshot has been deprecated,
+   * re-derive its receive/boarding state under the active signer so any output
+   * built afterwards commits to the active key. No-op when the snapshot is
+   * already current. Returns whether a rotation was applied. Treats an
+   * unknown-signer snapshot as "do not rotate" (caller decides).
+   *
+   * Shared by the migration pass (where the wallet's own snapshot is the thing
+   * being migrated) and the recovery/renewal/periodic-settle paths (via
+   * {@link rotateForRecoverableInputs}), so a swept old-signer VTXO recovered
+   * after cutoff re-mints under the active signer rather than re-committing to
+   * the deprecated key (Section 6 / post-cutoff). `rotateServerSigner` is
+   * idempotent and serializes itself against HD receive rotation, so repeated
+   * calls across passes are safe.
+   */
+  async ensureReceiveOnActiveSigner(info) {
+    const wallet = this.requireMigrationCapableWallet();
+    const signerSet = signerSetFromInfo(info);
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    const walletClass = classifyAgainstSignerSet(
+      hex.encode(wallet.arkServerPublicKey),
+      signerSet,
+      nowSeconds
+    );
+    if (walletClass.status === "CURRENT" || walletClass.status === "UNKNOWN_SIGNER") {
+      return false;
+    }
+    await wallet.rotateServerSigner(hex.decode(info.signerPubkey), info.checkpointTapscript);
+    return true;
+  }
+  /**
+   * Rotation guard for the recovery-bearing settle paths (recover / renew /
+   * periodic settle). Pins the wallet's receive snapshot to the active signer
+   * before they build their output, but ONLY when this pass actually carries
+   * an input minted under a deprecated signer — so a routine current-signer
+   * settle on a long-lived pre-rotation instance does not eagerly rotate.
+   *
+   * Cheap in the common case: a watch-only/proxy wallet (not migration-capable)
+   * and a current/unknown wallet snapshot both short-circuit before the
+   * contract round-trip, so the only instance that pays for the input scan is
+   * the long-lived deprecated-snapshot one that genuinely needs rotating.
+   *
+   * Runs OUTSIDE any `renewalInProgress` window the caller sets, and
+   * `rotateServerSigner` does not depend on that flag, so it cannot deadlock
+   * against the receive rotator. Returns whether a rotation was applied.
+   */
+  async rotateForRecoverableInputs(inputs, info) {
+    if (!isMigrationCapable(this.wallet)) return false;
+    const signerSet = signerSetFromInfo(info);
+    const nowSeconds = Math.floor(Date.now() / 1e3);
+    const walletClass = classifyAgainstSignerSet(
+      hex.encode(this.wallet.arkServerPublicKey),
+      signerSet,
+      nowSeconds
+    );
+    if (walletClass.status === "CURRENT" || walletClass.status === "UNKNOWN_SIGNER") {
+      return false;
+    }
+    if (!await this.anyInputUnderDeprecatedSigner(inputs, signerSet, nowSeconds)) {
+      return false;
+    }
+    return this.ensureReceiveOnActiveSigner(info);
+  }
+  /**
+   * Whether any of the given input outpoints belongs to a contract whose
+   * server signer classifies as non-`CURRENT` against the fresh signer set —
+   * i.e. a deprecated-signer (incl. EXPIRED) input. Maps outpoints to their
+   * owning contract via the ContractManager so it works on the typed
+   * {@link ExtendedVirtualCoin}/{@link ExtendedCoin} inputs the recovery paths
+   * carry (which don't expose `contractScript`).
+   */
+  async anyInputUnderDeprecatedSigner(inputs, signerSet, nowSeconds) {
+    if (inputs.length === 0) return false;
+    const wanted = new Set(inputs.map((i) => `${i.txid}:${i.vout}`));
+    const cm = await this.wallet.getContractManager();
+    const contractsWithVtxos = await cm.getContractsWithVtxos({
+      type: ["default", "delegate"]
+    });
+    for (const { contract, vtxos } of contractsWithVtxos) {
+      const serverPubKey = contract.params.serverPubKey;
+      if (!serverPubKey) continue;
+      if (classifyAgainstSignerSet(serverPubKey, signerSet, nowSeconds).status === "CURRENT") {
+        continue;
+      }
+      for (const v of vtxos) {
+        if (wanted.has(`${v.txid}:${v.vout}`)) return true;
+      }
+    }
+    return false;
+  }
   // ========== Private Helpers ==========
   /** Asserts sweep capability and returns the typed wallet. */
   getSweepWallet() {
@@ -2857,10 +3500,6 @@ var VtxoManager = class _VtxoManager {
   getBoardingExitLeaf() {
     return this.getSweepWallet().boardingTapscript.exit();
   }
-  /** Returns the pkScript (output script) of the boarding tapscript. */
-  getBoardingOutputScript() {
-    return this.getSweepWallet().boardingTapscript.pkScript;
-  }
   /** Returns the onchain provider for fee estimation and broadcasting. */
   getOnchainProvider() {
     return this.getSweepWallet().onchainProvider;
@@ -2869,14 +3508,20 @@ var VtxoManager = class _VtxoManager {
   getArkProvider() {
     return this.getSweepWallet().arkProvider;
   }
+  /**
+   * Read-only access to the ark provider for fetching server limits. Unlike
+   * {@link getArkProvider}, this does not require full boarding-sweep
+   * capability — recovery and renewal only need it to read `vtxoMaxAmount`.
+   * Returns undefined when no provider is wired, which callers treat as
+   * "no limit".
+   */
+  getInfoProvider() {
+    return this.wallet.arkProvider;
+  }
   /** Returns the Bitcoin network configuration from the wallet. */
   getNetwork() {
     return this.getSweepWallet().network;
   }
-  /** Returns the wallet's identity for transaction signing. */
-  getIdentity() {
-    return this.wallet.identity;
-  }
   async initializeSubscription() {
     if (this.settlementConfig === false) {
       return void 0;
@@ -3074,6 +3719,10 @@ var VtxoManager = class _VtxoManager {
             }
           }
         }
+        const migrationEnabled = this.settlementConfig !== false && (this.settlementConfig?.deprecatedSignerMigration ?? DEFAULT_SETTLEMENT_CONFIG.deprecatedSignerMigration);
+        if (migrationEnabled && isMigrationCapable(this.wallet)) {
+          await this.runMigrationPass();
+        }
       });
     } catch (e) {
       hadError = true;
@@ -3142,7 +3791,8 @@ var VtxoManager = class _VtxoManager {
       return;
     }
     const dustAmount = getDustAmount(this.wallet);
-    const { fees } = await this.getArkProvider().getInfo();
+    const info = await this.getArkProvider().getInfo();
+    const { fees, vtxoMaxAmount } = info;
     const estimator = new Estimator(fees.intentFee);
     let totalAmount = 0n;
     const filteredBoarding = [];
@@ -3157,7 +3807,10 @@ var VtxoManager = class _VtxoManager {
       totalAmount += BigInt(u.value) - BigInt(inputFee.satoshis);
     }
     const filteredVtxos = [];
-    for (const v of expiringVtxos) {
+    for (const v of byExpiryAscending(expiringVtxos)) {
+      if (filteredVtxos.length >= MAX_VTXOS_PER_SETTLEMENT) {
+        break;
+      }
       const inputFee = estimator.evalOffchainInput({
         amount: BigInt(v.value),
         type: v.virtualStatus.state === "swept" ? "recoverable" : "vtxo",
@@ -3168,12 +3821,19 @@ var VtxoManager = class _VtxoManager {
       if (inputFee.satoshis >= v.value) {
         continue;
       }
+      const net = BigInt(v.value) - BigInt(inputFee.satoshis);
+      if (vtxoMaxAmount >= 0n && totalAmount + net > vtxoMaxAmount) {
+        continue;
+      }
       filteredVtxos.push(v);
-      totalAmount += BigInt(v.value) - BigInt(inputFee.satoshis);
+      totalAmount += net;
     }
     if (filteredBoarding.length === 0 && filteredVtxos.length === 0) {
       return;
     }
+    if (isMigrationCapable(this.wallet)) {
+      await this.rotateForRecoverableInputs([...filteredBoarding, ...filteredVtxos], info);
+    }
     const arkAddress = await this.wallet.getAddress();
     const outputFee = estimator.evalOffchainOutput({
       amount: totalAmount,
@@ -3236,7 +3896,6 @@ var VtxoManager = class _VtxoManager {
         clearTimeout(timer);
       }
       const subscription = await this.contractEventsSubscriptionReady;
-      this.contractEventsSubscription = void 0;
       subscription?.();
     })();
     return this.disposePromise;
@@ -3777,15 +4436,17 @@ async function buildTransactionHistory(vtxos, allBoardingTxs, commitmentsToIgnor
           txTime = getTxCreatedAt ? await getTxCreatedAt(vtxo.arkTxId) ?? vtxo.createdAt.getTime() + 1 : vtxo.createdAt.getTime() + 1;
         }
         const assets = subtractAssets(allSpent, changes);
-        sent.push({
-          key: { ...txKey, arkTxid: vtxo.arkTxId },
-          tag: "offchain",
-          type: "SENT" /* TxSent */,
-          amount: txAmount,
-          settled: true,
-          createdAt: txTime,
-          ...assets && { assets }
-        });
+        if (txAmount !== 0 || assets) {
+          sent.push({
+            key: { ...txKey, arkTxid: vtxo.arkTxId },
+            tag: "offchain",
+            type: "SENT" /* TxSent */,
+            amount: txAmount,
+            settled: true,
+            createdAt: txTime,
+            ...assets && { assets }
+          });
+        }
       }
       if (vtxo.settledBy && !commitmentsToIgnore.has(vtxo.settledBy) && !sent.some((s) => s.key.commitmentTxid === vtxo.settledBy)) {
         const changes = fromOldestVtxo.filter(
@@ -5958,6 +6619,16 @@ function isDiscoverable(handler) {
 }
 
 // src/contracts/contractWatcher.ts
+function computeReconnectDelay(attempt, baseMs, maxMs) {
+  return Math.min(baseMs * Math.pow(2, attempt - 1), maxMs);
+}
+var DEFAULT_CONTRACT_WATCHER_CONFIG = {
+  failsafePollIntervalMs: 2e4,
+  reconnectDelayMs: 1e3,
+  maxReconnectDelayMs: 5e3,
+  maxReconnectAttempts: 0
+  // unlimited
+};
 var ContractWatcher = class {
   config;
   contracts = /* @__PURE__ */ new Map();
@@ -5977,14 +6648,7 @@ var ContractWatcher = class {
    */
   constructor(config) {
     this.config = {
-      failsafePollIntervalMs: 6e4,
-      // 1 minute
-      reconnectDelayMs: 1e3,
-      // 1 second
-      maxReconnectDelayMs: 3e4,
-      // 30 seconds
-      maxReconnectAttempts: 0,
-      // unlimited
+      ...DEFAULT_CONTRACT_WATCHER_CONFIG,
       ...config
     };
   }
@@ -6212,8 +6876,9 @@ var ContractWatcher = class {
     }
     this.connectionState = "reconnecting";
     this.reconnectAttempts++;
-    const delay = Math.min(
-      this.config.reconnectDelayMs * Math.pow(2, this.reconnectAttempts - 1),
+    const delay = computeReconnectDelay(
+      this.reconnectAttempts,
+      this.config.reconnectDelayMs,
       this.config.maxReconnectDelayMs
     );
     this.reconnectTimeoutId = setTimeout(() => {
@@ -6515,8 +7180,11 @@ function cursorCutoff(requestStartedAt) {
 }
 
 // src/contracts/contractManager.ts
-var DEFAULT_PAGE_SIZE = 500;
+function areCoalescibleContractTypes(a, b) {
+  return a === "default" && b === "boarding" || a === "boarding" && b === "default";
+}
 var SCAN_MAX_INDEX = 1e4;
+var DEFAULT_SCAN_BATCH = 10;
 var ContractManager = class _ContractManager {
   config;
   watcher;
@@ -6640,8 +7308,11 @@ var ContractManager = class _ContractManager {
     const [existing] = await this.getContracts({ script: params.script });
     if (existing) {
       if (existing.type === params.type) return { contract: existing, persisted: false };
+      if (areCoalescibleContractTypes(existing.type, params.type)) {
+        return { contract: existing, persisted: false };
+      }
       throw new Error(
-        `Contract with script ${params.script} already exists with with type ${existing.type}.`
+        `Contract with script ${params.script} already exists with type ${existing.type}.`
       );
     }
     const contract = {
@@ -6670,6 +7341,19 @@ var ContractManager = class _ContractManager {
    *   other handler hit it).
    * - `persistAndWatchContract` rejecting is operational/fatal and
    *   propagates (only `discoverAt` is guarded).
+   * - Within an index the handler probes run concurrently (independent
+   *   network reads); their hits are persisted sequentially in
+   *   `discoverables` order to preserve the first-wins collision tie-break.
+   * - Indices are probed `batchSize` at a time (a second concurrency layer
+   *   over the per-index probes), but each window is CAPPED to
+   *   `gapLimit - unused` indices — the most a serial scan could still reach
+   *   before the gap window is guaranteed to close. So every index probed in
+   *   a window is one a one-index-at-a-time scan would also reach: nothing is
+   *   over-scanned, nothing is discarded, and `materialize`/`discoverAt` are
+   *   invoked on exactly the same index set. The window's hits are still
+   *   processed strictly in ascending index order, so the discovered set,
+   *   persisted rows, `lastIndexUsed`, and `handlerErrors` are byte-for-byte
+   *   identical to the serial path — only the wall-clock differs.
    */
   async scanContracts(opts) {
     const gapLimit = opts.gapLimit ?? 20;
@@ -6678,35 +7362,69 @@ var ContractManager = class _ContractManager {
         `scanContracts: gapLimit must be a positive integer (got ${String(opts.gapLimit)})`
       );
     }
-    const discoverables = contractHandlers.getRegisteredTypes().map((t) => contractHandlers.get(t)).filter(isDiscoverable);
+    const batchSize = opts.batchSize ?? DEFAULT_SCAN_BATCH;
+    if (!Number.isInteger(batchSize) || batchSize <= 0) {
+      throw new Error(
+        `scanContracts: batchSize must be a positive integer (got ${String(opts.batchSize)})`
+      );
+    }
+    const registered = contractHandlers.getRegisteredTypes().map((t) => contractHandlers.get(t)).filter(isDiscoverable);
+    const discoverables = [
+      ...registered.filter((h) => h.type === "boarding"),
+      ...registered.filter((h) => h.type !== "boarding")
+    ];
     const maxIdx = opts.hd ? SCAN_MAX_INDEX : 0;
     const handlerErrors = [];
     let lastIndexUsed = -1;
     let unused = 0;
     let i = 0;
+    const probeIndex = async (index) => {
+      const descriptor = opts.materialize(index);
+      return Promise.all(
+        discoverables.map(async (h) => {
+          try {
+            return {
+              ok: true,
+              found: await h.discoverAt(index, descriptor, opts.deps)
+            };
+          } catch (error) {
+            return { ok: false, error };
+          }
+        })
+      );
+    };
     while (i <= maxIdx && unused < gapLimit) {
-      const descriptor = opts.materialize(i);
-      let hitAtThisIndex = false;
-      for (const h of discoverables) {
-        let found;
-        try {
-          found = await h.discoverAt(i, descriptor, opts.deps);
-        } catch (error) {
-          handlerErrors.push({ handler: h.type, index: i, error });
-          continue;
+      const windowEnd = Math.min(maxIdx, i + Math.min(batchSize, gapLimit - unused) - 1);
+      const windowIndices = [];
+      for (let idx = i; idx <= windowEnd; idx++) windowIndices.push(idx);
+      const windowProbes = await Promise.all(windowIndices.map(probeIndex));
+      for (let w = 0; w < windowIndices.length; w++) {
+        const index = windowIndices[w];
+        const probes = windowProbes[w];
+        let hitAtThisIndex = false;
+        for (let h = 0; h < discoverables.length; h++) {
+          const probe = probes[h];
+          if (!probe.ok) {
+            handlerErrors.push({
+              handler: discoverables[h].type,
+              index,
+              error: probe.error
+            });
+            continue;
+          }
+          for (const c of probe.found) {
+            await this.persistAndWatchContract(c);
+            hitAtThisIndex = true;
+          }
         }
-        for (const c of found) {
-          await this.persistAndWatchContract(c);
-          hitAtThisIndex = true;
+        if (hitAtThisIndex) {
+          lastIndexUsed = index;
+          unused = 0;
+        } else {
+          unused += 1;
         }
       }
-      if (hitAtThisIndex) {
-        lastIndexUsed = i;
-        unused = 0;
-      } else {
-        unused += 1;
-      }
-      i += 1;
+      i = windowEnd + 1;
     }
     if (opts.hd && i > maxIdx && unused < gapLimit) {
       throw new Error(
@@ -7412,7 +8130,8 @@ var WalletReceiveRotator = class _WalletReceiveRotator {
       walletRepository: setup.walletRepository,
       contractRepository: setup.contractRepository,
       serverPubKey: setup.serverPubKey,
-      expectedContractType
+      expectedContractType,
+      baselineReceivePubKey: setup.offchainTapscript.options.pubKey
     };
     let boot;
     try {
@@ -7457,14 +8176,17 @@ var WalletReceiveRotator = class _WalletReceiveRotator {
         receivePubkey: existing.pubKey
       };
     }
-    let descriptor;
-    if (hasPeekableDescriptor(provider)) {
-      descriptor = await provider.getCurrentSigningDescriptor();
+    const current = hasPeekableDescriptor(provider) ? await provider.getCurrentSigningDescriptor() : void 0;
+    if (current === void 0) {
+      const descriptor = await provider.getNextSigningDescriptor();
+      return {
+        rotator: new _WalletReceiveRotator(provider, void 0, opts.logger),
+        receivePubkey: deriveLeafPubkey(descriptor)
+      };
     }
-    descriptor ??= await provider.getNextSigningDescriptor();
     return {
       rotator: new _WalletReceiveRotator(provider, void 0, opts.logger),
-      receivePubkey: deriveLeafPubkey(descriptor)
+      receivePubkey: opts.baselineReceivePubKey ?? deriveLeafPubkey(current)
     };
   }
   /**
@@ -7527,6 +8249,22 @@ var WalletReceiveRotator = class _WalletReceiveRotator {
   async drain() {
     await this.chain.catch(() => void 0);
   }
+  /**
+   * Run `fn` on the rotator's serialization chain, so it cannot interleave
+   * with a receive `rotate()`. Used by {@link Wallet.rotateServerSigner} to
+   * serialize server-signer rotation against HD receive rotation: both
+   * rebuild and swap `offchainTapscript`, so running them concurrently could
+   * tear the wallet's visible receive state. The chain keeps advancing even
+   * if `fn` rejects (its own caller still sees the rejection).
+   */
+  runExclusive(fn) {
+    const run = this.chain.catch(() => void 0).then(fn);
+    this.chain = run.then(
+      () => void 0,
+      () => void 0
+    );
+    return run;
+  }
   /**
    * Tear down the subscription first so no late `vtxo_received` event
    * can queue work on a disposing wallet, then drain any in-flight
@@ -7697,7 +8435,7 @@ var DescriptorSigningProviderMissingError = class extends Error {
 };
 
 // src/wallet/inputSignerRouter.ts
-var DESCRIPTOR_CAPABLE_CONTRACT_TYPES = /* @__PURE__ */ new Set(["default", "delegate"]);
+var DESCRIPTOR_CAPABLE_CONTRACT_TYPES = /* @__PURE__ */ new Set(["default", "delegate", "boarding"]);
 var InputSignerRouter = class {
   constructor(deps) {
     this.deps = deps;
@@ -7829,6 +8567,11 @@ function extractArkProviderUrl(provider) {
   return typeof serverUrl === "string" && serverUrl.length > 0 ? serverUrl : void 0;
 }
 var MAINNET_UNILATERAL_EXIT_DELAY = 605184n;
+function toXOnlyPubKey(pubkey) {
+  if (pubkey.length === 33) return pubkey.slice(1);
+  if (pubkey.length === 32) return pubkey;
+  throw new Error(`invalid signer pubkey length: expected 32 or 33, got ${pubkey.length}`);
+}
 function delayToTimelock(delay) {
   return {
     value: delay,
@@ -7846,20 +8589,30 @@ function dedupeTimelocks(timelocks) {
   }
   return deduped;
 }
-function areSameScriptBaselineTypesCompatible(existingType, requestedType) {
-  if (existingType === requestedType) return true;
-  return existingType === "default" && requestedType === "boarding" || existingType === "boarding" && requestedType === "default";
-}
 async function ensureWalletContract(manager, params) {
-  const [existing] = await manager.getContracts({ script: params.script });
-  if (existing && existing.type !== params.type && areSameScriptBaselineTypesCompatible(existing.type, params.type)) {
-    if (params.type === "default" && existing.type === "boarding") {
-      await manager.updateContract(params.script, { type: "default" });
-    }
-    return;
-  }
   await manager.createContract(params);
 }
+async function resolveBoardingBootTapscript(contractRepository, serverPubKey, baseline) {
+  const serverPubKeyHex = hex.encode(serverPubKey);
+  const candidates = await contractRepository.getContracts({
+    type: ["boarding"],
+    state: "active"
+  });
+  const newest = candidates.filter(
+    (c) => c.params.serverPubKey === serverPubKeyHex && c.metadata?.source === WALLET_RECEIVE_SOURCE
+  ).sort((a, b) => {
+    if (b.createdAt !== a.createdAt) return b.createdAt - a.createdAt;
+    return signingDescriptorIndex(b.metadata?.signingDescriptor) - signingDescriptorIndex(a.metadata?.signingDescriptor);
+  })[0];
+  if (!newest?.params.pubKey) return baseline;
+  try {
+    const pubKey = hex.decode(newest.params.pubKey);
+    return new DefaultVtxo.Script({ ...baseline.options, pubKey });
+  } catch (e) {
+    console.warn("Skipping malformed boarding contract at boot", newest.script, e);
+    return baseline;
+  }
+}
 function hasToReadonly(identity) {
   return typeof identity === "object" && identity !== null && "toReadonly" in identity && typeof identity.toReadonly === "function";
 }
@@ -7869,8 +8622,6 @@ var ReadonlyWallet = class _ReadonlyWallet {
     this.network = network;
     this.onchainProvider = onchainProvider;
     this.indexerProvider = indexerProvider;
-    this.arkServerPublicKey = arkServerPublicKey;
-    this.boardingTapscript = boardingTapscript;
     this.dustAmount = dustAmount;
     this.walletRepository = walletRepository;
     this.contractRepository = contractRepository;
@@ -7886,6 +8637,8 @@ var ReadonlyWallet = class _ReadonlyWallet {
       }
     }
     this._offchainTapscript = offchainTapscript;
+    this._boardingTapscript = boardingTapscript;
+    this._arkServerPublicKey = arkServerPublicKey;
     this.watcherConfig = watcherConfig;
     this._assetManager = new ReadonlyAssetManager(this.indexerProvider);
     this.walletContractTimelocks = walletContractTimelocks && walletContractTimelocks.length > 0 ? dedupeTimelocks(walletContractTimelocks) : [this.offchainTapscript.options.csvTimelock];
@@ -7894,7 +8647,6 @@ var ReadonlyWallet = class _ReadonlyWallet {
   _contractManagerInitializing;
   watcherConfig;
   _assetManager;
-  _syncVtxosInflight;
   walletContractTimelocks;
   // Outpoints ("txid:vout") committed to an in-flight settle/send. Filtered
   // from getVtxos() so concurrent callers (UI, VtxoManager auto-renewal,
@@ -7912,6 +8664,70 @@ var ReadonlyWallet = class _ReadonlyWallet {
    * {@link WalletReceiveRotator.rotate} is the sole intended caller of.
    */
   _offchainTapscript;
+  /**
+   * Backing field for the current boarding tapscript (the QR / onboarding
+   * target). Read via the public `boardingTapscript` getter; written only
+   * by {@link Wallet.setBoardingTapscriptForRotation}, the sanctioned
+   * boarding-rotation write path (analogue of `_offchainTapscript`). It is
+   * a *current value*, not a fixed setup constant, because per-derivation
+   * boarding rotation (plan §6-II) swaps it when a fresh boarding address
+   * is explicitly allocated. Static / `auto` wallets never rotate it, so
+   * it stays the index-0 baseline for their lifetime.
+   */
+  _boardingTapscript;
+  /**
+   * Backing field for the active server signer (x-only, 32 bytes). Read via
+   * the public {@link arkServerPublicKey} getter; written only by
+   * {@link Wallet.setArkServerPublicKeyForRotation}, the sanctioned
+   * server-signer rotation write path (analogue of `_offchainTapscript`). It
+   * is a *current value*, not a fixed constructor constant, because
+   * mid-session server-signer rotation (plan §4) swaps it when arkd rotates
+   * its active signer. Wallets that never span a rotation keep their
+   * construction-time snapshot for their lifetime.
+   */
+  _arkServerPublicKey;
+  /**
+   * x-only hex of the operator's deprecated signer keys (from
+   * `ArkInfo.deprecatedSigners`), cached for the OFFLINE read/watch paths.
+   * The boarding watch/history surfaces ({@link getBoardingAddresses},
+   * {@link getBoardingTxs}) fan out over {current} ∪ this set so a deposit at
+   * a boarding address minted under a now-rotated operator signer keeps being
+   * watched. Refreshed from the server-info snapshot at construction (via the
+   * create() factories) and on a detected signer change. Deliberately NOT
+   * consulted by the spend path — {@link getBoardingUtxos} stays
+   * current-signer-only (a deprecated-signer input in a plain settle() is
+   * rejected; old-signer recovery goes through the migration API).
+   */
+  _deprecatedSigners = /* @__PURE__ */ new Map();
+  /**
+   * Refresh the cached deprecated-signer set from a fresh server-info
+   * snapshot. Called by the create() factories at construction and by the
+   * server-info-change handler mid-session. Lenient: a malformed deprecated
+   * entry is skipped, never fatal to wallet creation.
+   */
+  refreshDeprecatedSigners(info) {
+    const next = /* @__PURE__ */ new Map();
+    for (const s of info.deprecatedSigners ?? []) {
+      if (!s.pubkey) continue;
+      try {
+        next.set(toXOnlySignerHex(s.pubkey), s.cutoffDate ?? 0n);
+      } catch (e) {
+        console.warn("Skipping malformed deprecated signer pubkey", s.pubkey, e);
+      }
+    }
+    this._deprecatedSigners = next;
+  }
+  /**
+   * The signer set the boarding WATCH/HISTORY paths fan out over: the wallet's
+   * current signer plus every cached deprecated signer. Distinct from the
+   * spend path, which is current-signer-only.
+   */
+  watchedBoardingSigners() {
+    return /* @__PURE__ */ new Set([
+      toXOnlySignerHex(hex.encode(this.boardingTapscript.options.serverPubKey)),
+      ...this._deprecatedSigners.keys()
+    ]);
+  }
   /**
    * Currently-active receive tapscript. Read-only from the outside;
    * mutated only via {@link Wallet.setOffchainTapscriptForRotation}
@@ -7921,13 +8737,69 @@ var ReadonlyWallet = class _ReadonlyWallet {
     return this._offchainTapscript;
   }
   /**
-   * Protected helper to set up shared wallet configuration.
-   * Extracts common logic used by both ReadonlyWallet.create() and Wallet.create().
+   * The wallet's current active server signer (x-only, 32 bytes). Read-only
+   * from the outside; mutated only via
+   * {@link Wallet.setArkServerPublicKeyForRotation} during mid-session
+   * server-signer rotation (plan §4). Single-valued for wallets that never
+   * span a rotation.
    */
-  static async setupWalletConfig(config, pubKey) {
-    const arkadeServerUrl = getArkadeServerUrl(config);
-    const arkProvider = config.arkProvider || new RestArkProvider(arkadeServerUrl);
-    let indexerProvider = config.indexerProvider;
+  get arkServerPublicKey() {
+    return this._arkServerPublicKey;
+  }
+  /**
+   * The wallet's current boarding tapscript (the on-chain onboarding
+   * target). Read-only from the outside; mutated only via
+   * {@link Wallet.setBoardingTapscriptForRotation} when a fresh boarding
+   * address is explicitly allocated. Single-valued for static / `auto`
+   * wallets.
+   */
+  get boardingTapscript() {
+    return this._boardingTapscript;
+  }
+  /**
+   * Listeners fired after the boarding tapscript rotates to a fresh index
+   * (see {@link Wallet.setBoardingTapscriptForRotation}). A live
+   * {@link notifyIncomingFunds} onchain watcher registers one so it can
+   * re-subscribe to include the newly allocated boarding address within the
+   * same session — without it, a deposit to the fresh address wouldn't fire
+   * a notification until the watcher's next re-init. Always empty for
+   * readonly / static / `auto` wallets, which never rotate boarding.
+   */
+  _boardingRotationListeners = /* @__PURE__ */ new Set();
+  /**
+   * Register a listener invoked synchronously after each boarding rotation.
+   * Returns an unsubscribe function. Protected: only internal subscribers
+   * (the incoming-funds watcher) participate.
+   */
+  onBoardingRotation(listener) {
+    this._boardingRotationListeners.add(listener);
+    return () => {
+      this._boardingRotationListeners.delete(listener);
+    };
+  }
+  /**
+   * Notify boarding-rotation listeners. Called by the boarding-rotation
+   * write path ({@link Wallet.setBoardingTapscriptForRotation}) once the new
+   * tapscript is in place. A throwing listener is isolated so it can neither
+   * break the rotation nor starve sibling listeners.
+   */
+  notifyBoardingRotation() {
+    for (const listener of this._boardingRotationListeners) {
+      try {
+        listener();
+      } catch (e) {
+        console.warn("Boarding-rotation listener failed", e);
+      }
+    }
+  }
+  /**
+   * Protected helper to set up shared wallet configuration.
+   * Extracts common logic used by both ReadonlyWallet.create() and Wallet.create().
+   */
+  static async setupWalletConfig(config, pubKey) {
+    const arkadeServerUrl = getArkadeServerUrl(config);
+    const arkProvider = config.arkProvider || new RestArkProvider(arkadeServerUrl);
+    let indexerProvider = config.indexerProvider;
     if (!indexerProvider) {
       let indexerUrl = config.indexerUrl;
       if (!indexerUrl) {
@@ -8032,7 +8904,7 @@ var ReadonlyWallet = class _ReadonlyWallet {
       throw new Error("Invalid configured public key");
     }
     const setup = await _ReadonlyWallet.setupWalletConfig(config, pubkey);
-    return new _ReadonlyWallet(
+    const wallet = new _ReadonlyWallet(
       config.identity,
       setup.network,
       setup.onchainProvider,
@@ -8047,6 +8919,8 @@ var ReadonlyWallet = class _ReadonlyWallet {
       config.watcherConfig,
       setup.walletContractTimelocks
     );
+    wallet.refreshDeprecatedSigners(setup.info);
+    return wallet;
   }
   get arkAddress() {
     return this.offchainTapscript.address(this.network.hrp, this.arkServerPublicKey);
@@ -8070,10 +8944,12 @@ var ReadonlyWallet = class _ReadonlyWallet {
    * Return the wallet's combined onchain and offchain balances.
    */
   async getBalance() {
-    const [boardingUtxos, vtxos] = await Promise.all([
+    const [boardingUtxos, vtxos, pendingOutpoints] = await Promise.all([
       this.getBoardingUtxos(),
-      this.getVtxos()
+      this.getVtxos(),
+      this.pendingRecoveryOutpoints()
     ]);
+    const isPendingRecovery = (coin) => pendingOutpoints.has(`${coin.txid}:${coin.vout}`);
     let confirmed = 0;
     let unconfirmed = 0;
     for (const utxo of boardingUtxos) {
@@ -8086,11 +8962,15 @@ var ReadonlyWallet = class _ReadonlyWallet {
     let settled = 0;
     let preconfirmed = 0;
     let recoverable = 0;
-    settled = vtxos.filter((coin) => coin.virtualStatus.state === "settled").reduce((sum, coin) => sum + coin.value, 0);
-    preconfirmed = vtxos.filter((coin) => coin.virtualStatus.state === "preconfirmed").reduce((sum, coin) => sum + coin.value, 0);
+    let pendingRecovery = 0;
+    settled = vtxos.filter((coin) => coin.virtualStatus.state === "settled" && !isPendingRecovery(coin)).reduce((sum, coin) => sum + coin.value, 0);
+    preconfirmed = vtxos.filter(
+      (coin) => coin.virtualStatus.state === "preconfirmed" && !isPendingRecovery(coin)
+    ).reduce((sum, coin) => sum + coin.value, 0);
     recoverable = vtxos.filter((coin) => isSpendable(coin) && coin.virtualStatus.state === "swept").reduce((sum, coin) => sum + coin.value, 0);
+    pendingRecovery = vtxos.filter(isPendingRecovery).reduce((sum, coin) => sum + coin.value, 0);
     const totalBoarding = confirmed + unconfirmed;
-    const totalOffchain = settled + preconfirmed + recoverable;
+    const totalOffchain = settled + preconfirmed + recoverable + pendingRecovery;
     const assetBalances = /* @__PURE__ */ new Map();
     for (const vtxo of vtxos) {
       if (!isSpendable(vtxo)) continue;
@@ -8115,6 +8995,7 @@ var ReadonlyWallet = class _ReadonlyWallet {
       preconfirmed,
       available: settled + preconfirmed,
       recoverable,
+      pendingRecovery,
       total: totalBoarding + totalOffchain,
       assets
     };
@@ -8141,6 +9022,23 @@ var ReadonlyWallet = class _ReadonlyWallet {
       return !!(f.withUnrolled && vtxo.isUnrolled);
     });
   }
+  /**
+   * Outpoints of VTXOs whose deprecated signer is past its cutoff (EXPIRED) and
+   * which have not yet been swept — unspendable until they recover. Offline:
+   * classifies the repo's contracts against the cached signer set (active +
+   * {@link _deprecatedSigners}, cutoffs included). Empty fast-path when no
+   * signer is deprecated. Consumed by {@link getBalance} (the `pendingRecovery`
+   * bucket) and the send coin-selection path so neither counts nor spends them.
+   */
+  async pendingRecoveryOutpoints() {
+    if (this._deprecatedSigners.size === 0) return /* @__PURE__ */ new Set();
+    const contractManager = await this.getContractManager();
+    const contractsWithVtxos = await contractManager.getContractsWithVtxos();
+    return selectPendingRecoveryOutpoints(contractsWithVtxos, {
+      active: toXOnlySignerHex(hex.encode(this.offchainTapscript.options.serverPubKey)),
+      deprecated: this._deprecatedSigners
+    });
+  }
   /**
    * Return wallet transaction history derived from Arkade state and boarding transactions.
    */
@@ -8160,43 +9058,59 @@ var ReadonlyWallet = class _ReadonlyWallet {
     await clearSyncCursor(this.walletRepository);
   }
   /**
-   * Build a transaction history view for the wallet's boarding address.
+   * The on-chain (P2TR) addresses of every boarding tapscript this wallet
+   * uses — the current address plus any historical rotated boarding
+   * addresses. The aggregating boarding readers (history, notifications) fan
+   * out over this set so deposits at previous boarding addresses are still
+   * surfaced (plan §6-IV); {@link getBoardingAddress} stays single-valued.
+   */
+  async getBoardingAddresses() {
+    const tapscripts = await this.getBoardingTapscripts(this.watchedBoardingSigners());
+    return tapscripts.map((t) => t.onchainAddress(this.network));
+  }
+  /**
+   * Build a transaction history view across the wallet's boarding addresses
+   * (current + historical rotated; plan §6-IV.1).
    */
   async getBoardingTxs() {
     const utxos = [];
     const commitmentsToIgnore = /* @__PURE__ */ new Set();
-    const boardingAddress = await this.getBoardingAddress();
-    const txs = await this.onchainProvider.getTransactions(boardingAddress);
+    const tapscripts = await this.getBoardingTapscripts(this.watchedBoardingSigners());
     const outspendCache = /* @__PURE__ */ new Map();
-    for (const tx of txs) {
-      for (let i = 0; i < tx.vout.length; i++) {
-        const vout = tx.vout[i];
-        if (vout.scriptpubkey_address === boardingAddress) {
-          let spentStatuses = outspendCache.get(tx.txid);
-          if (!spentStatuses) {
-            spentStatuses = await this.onchainProvider.getTxOutspends(tx.txid);
-            outspendCache.set(tx.txid, spentStatuses);
-          }
-          const spentStatus = spentStatuses[i];
-          if (spentStatus?.spent) {
-            commitmentsToIgnore.add(spentStatus.txid);
+    for (const tapscript of tapscripts) {
+      const boardingAddress = tapscript.onchainAddress(this.network);
+      const scriptHex = hex.encode(tapscript.pkScript);
+      const txs = await this.onchainProvider.getTransactions(boardingAddress);
+      for (const tx of txs) {
+        for (let i = 0; i < tx.vout.length; i++) {
+          const vout = tx.vout[i];
+          if (vout.scriptpubkey_address === boardingAddress) {
+            let spentStatuses = outspendCache.get(tx.txid);
+            if (!spentStatuses) {
+              spentStatuses = await this.onchainProvider.getTxOutspends(tx.txid);
+              outspendCache.set(tx.txid, spentStatuses);
+            }
+            const spentStatus = spentStatuses[i];
+            if (spentStatus?.spent) {
+              commitmentsToIgnore.add(spentStatus.txid);
+            }
+            utxos.push({
+              txid: tx.txid,
+              vout: i,
+              value: Number(vout.value),
+              status: {
+                confirmed: tx.status.confirmed,
+                block_time: tx.status.block_time
+              },
+              isUnrolled: true,
+              virtualStatus: {
+                state: spentStatus?.spent ? "spent" : "settled",
+                commitmentTxIds: spentStatus?.spent ? [spentStatus.txid] : void 0
+              },
+              createdAt: tx.status.confirmed ? new Date(tx.status.block_time * 1e3) : /* @__PURE__ */ new Date(0),
+              script: scriptHex
+            });
           }
-          utxos.push({
-            txid: tx.txid,
-            vout: i,
-            value: Number(vout.value),
-            status: {
-              confirmed: tx.status.confirmed,
-              block_time: tx.status.block_time
-            },
-            isUnrolled: true,
-            virtualStatus: {
-              state: spentStatus?.spent ? "spent" : "settled",
-              commitmentTxIds: spentStatus?.spent ? [spentStatus.txid] : void 0
-            },
-            createdAt: tx.status.confirmed ? new Date(tx.status.block_time * 1e3) : /* @__PURE__ */ new Date(0),
-            script: hex.encode(this.boardingTapscript.pkScript)
-          });
         }
       }
     }
@@ -8226,48 +9140,176 @@ var ReadonlyWallet = class _ReadonlyWallet {
     };
   }
   /**
-   * Fetch and cache onchain inputs (UTXOs) received at the boarding address.
+   * The set of boarding tapscripts whose on-chain UTXOs belong to this
+   * wallet — the current display tapscript plus every historical boarding
+   * address it has used. Under per-derivation rotation (plan §6-II) a wallet
+   * can hold unspent boarding UTXOs at several addresses at once, so fund
+   * discovery / spending must enumerate them all, not just the current one
+   * (plan §6-III.1). Deduplicated by scriptPubKey.
+   *
+   * Always includes the index-0 baseline (identity x-only key), which covers
+   * the degenerate equal-delay case where the index-0 boarding row is
+   * coalesced onto a `default` row and so isn't a `boarding`-typed contract.
+   *
+   * @param allowedSigners - Optional set of x-only-hex server keys whose
+   *   persisted boarding rows are included. Defaults to `{current x-only
+   *   signer}`, preserving today's current-signer-only discovery (and the
+   *   foreign-ASP guard). The deprecated-signer migration path widens this to
+   *   reach old-signer boarding addresses. The index-0 baseline and the
+   *   current display tapscript are always included regardless of the set.
    */
-  async getBoardingUtxos() {
-    const boardingAddress = await this.getBoardingAddress();
-    const boardingUtxos = await this.onchainProvider.getCoins(boardingAddress);
-    const utxos = boardingUtxos.map((utxo) => {
-      return extendCoin(this, utxo);
+  async getBoardingTapscripts(allowedSigners) {
+    const byScript = /* @__PURE__ */ new Map();
+    const add = (s) => byScript.set(hex.encode(s.pkScript), s);
+    const boardingCsv = this.boardingTapscript.options.csvTimelock ?? DefaultVtxo.Script.DEFAULT_TIMELOCK;
+    add(
+      new DefaultVtxo.Script({
+        pubKey: await this.identity.xOnlyPublicKey(),
+        serverPubKey: this.boardingTapscript.options.serverPubKey,
+        csvTimelock: boardingCsv
+      })
+    );
+    add(this.boardingTapscript);
+    const serverPubKeyHex = hex.encode(this.boardingTapscript.options.serverPubKey);
+    const allowed = allowedSigners ?? /* @__PURE__ */ new Set([toXOnlySignerHex(serverPubKeyHex)]);
+    const boardingContracts = await this.contractRepository.getContracts({
+      type: ["boarding"]
     });
-    await this.walletRepository.saveUtxos(boardingAddress, utxos);
-    return utxos;
+    for (const c of boardingContracts) {
+      if (!allowed.has(toXOnlySignerHex(c.params.serverPubKey))) continue;
+      try {
+        add(BoardingContractHandler.createScript(c.params));
+      } catch (e) {
+        console.warn("Skipping malformed boarding contract", c.script, e);
+      }
+    }
+    return [...byScript.values()];
+  }
+  /**
+   * Fetch and cache onchain inputs (UTXOs) received at the boarding addresses
+   * of the given signer set, grouped per boarding address so the caller keeps
+   * the address↔signer association that {@link ExtendedCoin} cannot carry
+   * (it retains only the encoded leaves/tapTree the spend needs, not the
+   * `DefaultVtxo.Script` and its `serverPubKey`/CSV delay).
+   *
+   * Per group it does exactly what {@link getBoardingUtxos} does per tapscript:
+   * `getCoins` → {@link extendCoinWithTapscript} → `saveUtxos`. Offline-first:
+   * it does not call `getInfo()`; the caller supplies the allowed signer set,
+   * so the only network calls are the per-address `getCoins`.
+   *
+   * @param allowedSigners - x-only-hex server keys whose boarding addresses to
+   *   fetch (passed through to {@link getBoardingTapscripts}).
+   */
+  async getBoardingUtxosForSigners(allowedSigners) {
+    const tapscripts = await this.getBoardingTapscripts(allowedSigners);
+    const groups = [];
+    for (const tapscript of tapscripts) {
+      const address = tapscript.onchainAddress(this.network);
+      const coins = await this.onchainProvider.getCoins(address);
+      const utxos = coins.map((utxo) => extendCoinWithTapscript(tapscript, utxo));
+      await this.walletRepository.saveUtxos(address, utxos);
+      groups.push({
+        tapscript,
+        // Normalize so the group key matches the axis/contract x-only
+        // form regardless of how the tapscript's key was stored.
+        serverPubKey: toXOnlySignerHex(hex.encode(tapscript.options.serverPubKey)),
+        // Per-row CSV delay decoded from THIS tapscript's exit leaf —
+        // not the wallet's current boarding timelock, which a signer
+        // rotation may have changed.
+        csvTimelock: CSVMultisigTapscript.decode(hex.decode(tapscript.exitScript)).params.timelock,
+        coins: utxos
+      });
+    }
+    return groups;
+  }
+  /**
+   * Fetch and cache onchain inputs (UTXOs) received at the wallet's boarding
+   * addresses — the current address plus any historical rotated boarding
+   * addresses that still hold unspent UTXOs (plan §6-III.1). Each UTXO is
+   * annotated with the tapscript of the address it actually sits on, so the
+   * spending path forfeits / exits it with the correct per-index leaves.
+   *
+   * Current-signer only: a flatten of {@link getBoardingUtxosForSigners} over
+   * the wallet's current signer, so the two paths cannot drift. Old-signer
+   * boarding recovery goes through the deprecated-signer migration API
+   * instead (it would otherwise pull EXPIRED-signer inputs into a plain
+   * `settle()` that the server must reject).
+   */
+  async getBoardingUtxos() {
+    const currentOnly = /* @__PURE__ */ new Set([
+      toXOnlySignerHex(hex.encode(this.boardingTapscript.options.serverPubKey))
+    ]);
+    const groups = await this.getBoardingUtxosForSigners(currentOnly);
+    return groups.flatMap((g) => g.coins);
   }
   /**
    * Subscribe to onchain and offchain notifications for newly received funds.
    *
+   * The onchain watcher tracks the full boarding-address set (current +
+   * historical rotated). When boarding rotates *after* subscribing — e.g.
+   * rotate-on-board allocates a fresh address via
+   * {@link getNewBoardingAddress} — the watcher automatically re-subscribes
+   * to widen its set, so a deposit to the new address fires a notification
+   * within the same session (no watcher re-init required). The re-subscribe
+   * is driven by {@link onBoardingRotation}; static / `auto` / readonly
+   * wallets never rotate boarding, so it never fires for them.
+   *
    * @param eventCallback - Callback invoked when matching funds are detected
    * @returns A function that stops the subscriptions
    */
   async notifyIncomingFunds(eventCallback) {
     const arkAddress = await this.getAddress();
-    const boardingAddress = await this.getBoardingAddress();
     let onchainStopFunc;
     let indexerStopFunc;
-    if (this.onchainProvider && boardingAddress) {
-      const findVoutOnTx = (tx) => {
-        return tx.vout.findIndex((v) => v.scriptpubkey_address === boardingAddress);
-      };
-      onchainStopFunc = await this.onchainProvider.watchAddresses(
-        [boardingAddress],
-        (txs) => {
-          const coins = txs.filter((tx) => findVoutOnTx(tx) !== -1).map((tx) => {
-            const { txid, status } = tx;
-            const vout = findVoutOnTx(tx);
-            const value = Number(tx.vout[vout].value);
-            return { txid, vout, value, status };
-          });
-          eventCallback({
-            type: "utxo",
-            coins
-          });
+    let boardingRotationStopFunc;
+    let stopped = false;
+    let onchainChain = Promise.resolve();
+    const subscribeOnchain = () => {
+      onchainChain = onchainChain.then(async () => {
+        if (stopped || !this.onchainProvider) return;
+        const boardingAddresses = await this.getBoardingAddresses();
+        if (boardingAddresses.length === 0) return;
+        const boardingAddressSet = new Set(boardingAddresses);
+        const previousStop = onchainStopFunc;
+        const stop = await this.onchainProvider.watchAddresses(
+          boardingAddresses,
+          (txs) => {
+            const coins = txs.flatMap((tx) => {
+              const { txid, status } = tx;
+              const matched = [];
+              tx.vout.forEach((v, vout) => {
+                if (boardingAddressSet.has(v.scriptpubkey_address)) {
+                  matched.push({
+                    txid,
+                    vout,
+                    value: Number(v.value),
+                    status
+                  });
+                }
+              });
+              return matched;
+            });
+            eventCallback({
+              type: "utxo",
+              coins
+            });
+          }
+        );
+        if (stopped) {
+          stop();
+          return;
         }
-      );
-    }
+        onchainStopFunc = stop;
+        previousStop?.();
+      }).catch((e) => {
+        console.warn("Failed to (re)subscribe boarding-funds watcher", e);
+      });
+      return onchainChain;
+    };
+    boardingRotationStopFunc = this.onBoardingRotation(() => {
+      void subscribeOnchain();
+    });
+    await subscribeOnchain();
     if (this.indexerProvider && arkAddress) {
       const cm = await this.getContractManager();
       let annotationQueue = Promise.resolve();
@@ -8296,7 +9338,10 @@ var ReadonlyWallet = class _ReadonlyWallet {
       });
     }
     const stopFunc = () => {
+      stopped = true;
+      boardingRotationStopFunc?.();
       onchainStopFunc?.();
+      onchainStopFunc = void 0;
       indexerStopFunc?.();
     };
     return stopFunc;
@@ -8402,60 +9447,82 @@ var ReadonlyWallet = class _ReadonlyWallet {
       watcherConfig: this.watcherConfig
     });
     const baselinePubkey = await this.identity.xOnlyPublicKey();
-    for (const csvTimelock of this.walletContractTimelocks) {
-      const csvTimelockStr = timelockToSequence(csvTimelock).toString();
-      const defaultScript = new DefaultVtxo.Script({
+    const delegatePubKey = this.offchainTapscript instanceof DelegateVtxo.Script ? this.offchainTapscript.options.delegatePubKey : void 0;
+    const baselineSigners = [
+      this.offchainTapscript.options.serverPubKey,
+      ...[...this._deprecatedSigners.keys()].map((h) => hex.decode(h))
+    ];
+    const seenBaselineScripts = /* @__PURE__ */ new Set();
+    for (const serverPubKey of baselineSigners) {
+      for (const csvTimelock of this.walletContractTimelocks) {
+        const csvTimelockStr = timelockToSequence(csvTimelock).toString();
+        const defaultScript = new DefaultVtxo.Script({
+          pubKey: baselinePubkey,
+          serverPubKey,
+          csvTimelock
+        });
+        const defaultScriptHex = hex.encode(defaultScript.pkScript);
+        if (!seenBaselineScripts.has(defaultScriptHex)) {
+          seenBaselineScripts.add(defaultScriptHex);
+          await ensureWalletContract(manager, {
+            type: "default",
+            params: {
+              pubKey: hex.encode(defaultScript.options.pubKey),
+              serverPubKey: hex.encode(serverPubKey),
+              csvTimelock: csvTimelockStr
+            },
+            script: defaultScriptHex,
+            address: defaultScript.address(this.network.hrp, serverPubKey).encode(),
+            state: "active"
+          });
+        }
+        if (delegatePubKey) {
+          const delegateScript = new DelegateVtxo.Script({
+            pubKey: baselinePubkey,
+            serverPubKey,
+            delegatePubKey,
+            csvTimelock
+          });
+          const delegateScriptHex = hex.encode(delegateScript.pkScript);
+          if (seenBaselineScripts.has(delegateScriptHex)) continue;
+          seenBaselineScripts.add(delegateScriptHex);
+          await manager.createContract({
+            type: "delegate",
+            params: {
+              pubKey: hex.encode(delegateScript.options.pubKey),
+              serverPubKey: hex.encode(serverPubKey),
+              delegatePubKey: hex.encode(delegateScript.options.delegatePubKey),
+              csvTimelock: csvTimelockStr
+            },
+            script: delegateScriptHex,
+            address: delegateScript.address(this.network.hrp, serverPubKey).encode(),
+            state: "active"
+          });
+        }
+      }
+    }
+    const boardingCsvTimelock = this.boardingTapscript.options.csvTimelock ?? DefaultVtxo.Script.DEFAULT_TIMELOCK;
+    for (const serverPubKey of baselineSigners) {
+      const baselineBoarding = new DefaultVtxo.Script({
         pubKey: baselinePubkey,
-        serverPubKey: this.offchainTapscript.options.serverPubKey,
-        csvTimelock
+        serverPubKey,
+        csvTimelock: boardingCsvTimelock
       });
-      const defaultScriptHex = hex.encode(defaultScript.pkScript);
+      const boardingScriptHex = hex.encode(baselineBoarding.pkScript);
+      if (seenBaselineScripts.has(boardingScriptHex)) continue;
+      seenBaselineScripts.add(boardingScriptHex);
       await ensureWalletContract(manager, {
-        type: "default",
+        type: "boarding",
         params: {
-          pubKey: hex.encode(defaultScript.options.pubKey),
-          serverPubKey: hex.encode(defaultScript.options.serverPubKey),
-          csvTimelock: csvTimelockStr
+          pubKey: hex.encode(baselineBoarding.options.pubKey),
+          serverPubKey: hex.encode(serverPubKey),
+          csvTimelock: timelockToSequence(boardingCsvTimelock).toString()
         },
-        script: defaultScriptHex,
-        address: defaultScript.address(this.network.hrp, this.arkServerPublicKey).encode(),
+        script: boardingScriptHex,
+        address: baselineBoarding.address(this.network.hrp, serverPubKey).encode(),
         state: "active"
       });
-      if (this.offchainTapscript instanceof DelegateVtxo.Script) {
-        const delegateScript = new DelegateVtxo.Script({
-          pubKey: baselinePubkey,
-          serverPubKey: this.offchainTapscript.options.serverPubKey,
-          delegatePubKey: this.offchainTapscript.options.delegatePubKey,
-          csvTimelock
-        });
-        const delegateScriptHex = hex.encode(delegateScript.pkScript);
-        await manager.createContract({
-          type: "delegate",
-          params: {
-            pubKey: hex.encode(delegateScript.options.pubKey),
-            serverPubKey: hex.encode(delegateScript.options.serverPubKey),
-            delegatePubKey: hex.encode(delegateScript.options.delegatePubKey),
-            csvTimelock: csvTimelockStr
-          },
-          script: delegateScriptHex,
-          address: delegateScript.address(this.network.hrp, this.arkServerPublicKey).encode(),
-          state: "active"
-        });
-      }
     }
-    const boardingScriptHex = hex.encode(this.boardingTapscript.pkScript);
-    const boardingCsvTimelock = this.boardingTapscript.options.csvTimelock ?? DefaultVtxo.Script.DEFAULT_TIMELOCK;
-    await ensureWalletContract(manager, {
-      type: "boarding",
-      params: {
-        pubKey: hex.encode(this.boardingTapscript.options.pubKey),
-        serverPubKey: hex.encode(this.boardingTapscript.options.serverPubKey),
-        csvTimelock: timelockToSequence(boardingCsvTimelock).toString()
-      },
-      script: boardingScriptHex,
-      address: this.boardingTapscript.address(this.network.hrp, this.arkServerPublicKey).encode(),
-      state: "active"
-    });
     return manager;
   }
   /** Dispose wallet-owned managers and release background resources. */
@@ -8488,7 +9555,6 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       walletContractTimelocks
     );
     this.arkProvider = arkProvider;
-    this.serverUnrollScript = serverUnrollScript;
     this.forfeitOutputScript = forfeitOutputScript;
     this.forfeitPubkey = forfeitPubkey;
     this.identity = identity;
@@ -8509,6 +9575,7 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       this.settlementConfig = { ...DEFAULT_SETTLEMENT_CONFIG };
     }
     this._delegateManager = delegateProvider ? new DelegateManagerImpl(delegateProvider, arkProvider, identity) : void 0;
+    this._serverUnrollScript = serverUnrollScript;
     this._receiveRotator = receiveRotator;
     this._descriptorProvider = descriptorProvider;
     this._signerRouter = new InputSignerRouter({
@@ -8534,6 +9601,43 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
    * the contract manager is up first.
    */
   _receiveRotator;
+  /**
+   * Unsubscribe handle for the arkProvider's `onServerInfoChanged` stream
+   * (mid-session signer-rotation detection). Torn down in {@link dispose}.
+   */
+  _serverInfoUnsub;
+  /**
+   * Tail of the serialized {@link handleServerInfoChanged} chain. Each
+   * `onServerInfoChanged` event chains onto it so handlers run one at a time,
+   * and {@link dispose} awaits it so an in-flight re-derive/rotation settles
+   * before the contract manager is torn down underneath it.
+   */
+  _serverInfoInFlight = Promise.resolve();
+  /**
+   * React to a mid-session server-info change (driven by the arkProvider's
+   * `DIGEST_MISMATCH` detection). First refresh the cached deprecated-signer
+   * set so the boarding WATCH path immediately widens to the just-deprecated
+   * signer, then — only if the active signer actually changed — rotate the
+   * wallet onto it via {@link rotateServerSigner} (re-deriving the offchain +
+   * boarding display tapscripts and registering the current-signer rows).
+   * Old-signer rows stay active, so existing funds remain watched. Failures
+   * are logged, never thrown back into the provider's emit loop.
+   */
+  async handleServerInfoChanged(info) {
+    this.refreshDeprecatedSigners(info);
+    try {
+      const newActive = toXOnlySignerHex(info.signerPubkey);
+      const current = toXOnlySignerHex(hex.encode(this.arkServerPublicKey));
+      if (newActive !== current) {
+        await this.rotateServerSigner(
+          hex.decode(info.signerPubkey),
+          info.checkpointTapscript
+        );
+      }
+    } catch (e) {
+      console.warn("server-signer rotation on info change failed", e);
+    }
+  }
   _receiveRotatorInstalled = false;
   /**
    * Descriptor-aware signer used by {@link _signerRouter} to sign
@@ -8553,6 +9657,230 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
   setOffchainTapscriptForRotation(tapscript) {
     this._offchainTapscript = tapscript;
   }
+  /**
+   * @internal Sole write path for `boardingTapscript` after construction.
+   * Called by {@link Wallet.getNewBoardingAddress} once the rotated
+   * boarding contract has been persisted. External code must treat
+   * `boardingTapscript` as read-only.
+   */
+  setBoardingTapscriptForRotation(tapscript) {
+    this._boardingTapscript = tapscript;
+    this.notifyBoardingRotation();
+  }
+  /**
+   * @internal Sole write path for `arkServerPublicKey` after construction.
+   * Called by {@link Wallet.rotateServerSigner} once the rotated offchain and
+   * boarding contract rows have been persisted. External code must treat
+   * `arkServerPublicKey` as read-only.
+   */
+  setArkServerPublicKeyForRotation(serverPubKey) {
+    this._arkServerPublicKey = serverPubKey;
+  }
+  /**
+   * Output script for checkpoint transactions, decoded from the server's
+   * `checkpointTapscript`. Server-controlled state: pinned at construction
+   * and re-sourced from a fresh `ArkInfo` on server-signer rotation. Read it
+   * through {@link serverUnrollScript}; write it only through
+   * {@link setServerUnrollScriptForRotation}.
+   */
+  _serverUnrollScript;
+  get serverUnrollScript() {
+    return this._serverUnrollScript;
+  }
+  /**
+   * @internal Sole write path for `serverUnrollScript` after construction.
+   * Called by {@link Wallet._doRotateServerSigner} with the checkpoint script
+   * sourced from the fresh `ArkInfo` that triggered the rotation, so the send
+   * path builds checkpoints against the new server epoch. External code must
+   * treat `serverUnrollScript` as read-only.
+   */
+  setServerUnrollScriptForRotation(script) {
+    this._serverUnrollScript = script;
+  }
+  /**
+   * Serializes {@link rotateServerSigner} for static / non-HD wallets (which
+   * have no {@link WalletReceiveRotator} chain to ride). Coalesces concurrent
+   * migration passes so two callers cannot both rebuild and swap the
+   * tapscripts. HD wallets serialize on the rotator's chain instead, via
+   * {@link WalletReceiveRotator.runExclusive}.
+   */
+  _serverRotationChain = Promise.resolve();
+  /**
+   * Allocate and return a *fresh* on-chain boarding address, rotating the
+   * wallet's current boarding tapscript to a new HD index.
+   *
+   * This is the explicit boarding allocator — the analogue of dotnet's
+   * `GetNextContract(NextContractPurpose.Boarding)`. Unlike
+   * {@link getBoardingAddress} (a stable read of the current display
+   * address that never burns an index), each call here:
+   *
+   * - allocates the next index from the shared HD stream (so boarding and
+   *   L2 receive interleave on one monotonic index);
+   * - builds the boarding tapscript at that index with the boarding-exit
+   *   CSV;
+   * - persists an `active` `boarding` contract tagged
+   *   {@link WALLET_RECEIVE_SOURCE} (with its `signingDescriptor`) so the
+   *   ContractWatcher monitors it, boot can restore it as the current
+   *   boarding address, and descriptor-aware signing can recover the
+   *   per-index key;
+   * - swaps the wallet's current `boardingTapscript`.
+   *
+   * Gated by `walletMode`: a static / `auto` wallet has no descriptor
+   * provider and keeps a single index-0 boarding address for its lifetime,
+   * so this returns the existing {@link getBoardingAddress} unchanged
+   * (no rotation, no index burned).
+   */
+  async getNewBoardingAddress() {
+    const provider = this._descriptorProvider;
+    if (!provider) {
+      return this.getBoardingAddress();
+    }
+    const descriptor = await provider.getNextSigningDescriptor();
+    const pubKey = deriveDescriptorLeafPubKey(descriptor);
+    const newBoarding = new DefaultVtxo.Script({
+      ...this._boardingTapscript.options,
+      pubKey
+    });
+    const csvTimelock = newBoarding.options.csvTimelock ?? DefaultVtxo.Script.DEFAULT_TIMELOCK;
+    const manager = await this.getContractManager();
+    await manager.createContract({
+      type: "boarding",
+      params: {
+        pubKey: hex.encode(pubKey),
+        serverPubKey: hex.encode(newBoarding.options.serverPubKey),
+        csvTimelock: timelockToSequence(csvTimelock).toString()
+      },
+      script: hex.encode(newBoarding.pkScript),
+      address: newBoarding.address(this.network.hrp, this.arkServerPublicKey).encode(),
+      state: "active",
+      metadata: {
+        source: WALLET_RECEIVE_SOURCE,
+        signingDescriptor: descriptor
+      }
+    });
+    this.setBoardingTapscriptForRotation(newBoarding);
+    return newBoarding.onchainAddress(this.network);
+  }
+  /**
+   * Mid-session server-signer rotation (plan §4). When arkd rotates its
+   * active signer mid-session — the case the long-lived service worker and
+   * Expo background processes that own automatic migration must handle — a
+   * wallet constructed before the rotation keeps deriving old-signer receive
+   * addresses. Building a migration output to such an address would produce a
+   * VTXO the server must reject, so the wallet must first re-derive its own
+   * receive state under the new active signer.
+   *
+   * Follows the {@link WalletReceiveRotator.rotate} write-path pattern with
+   * the server key swapped instead of the user key: build the new offchain
+   * and boarding tapscripts locally (preserving every other option),
+   * register the matching `default`/`delegate` and `boarding` contract rows
+   * through {@link ContractManager.createContract}, and only then commit the
+   * new tapscripts and server key to the wallet's visible state. The signing
+   * metadata of the current receive/boarding rows is carried onto the new
+   * rows so a rotated (descriptor-backed) receive pubkey can still sign.
+   *
+   * The old-signer contract rows are intentionally left `active` and watched
+   * — they are exactly the deprecated-signer contracts the migration pass
+   * drains. Idempotent: a no-op when the wallet already tracks `xonly`.
+   *
+   * Serialized against HD receive rotation so the two paths (both of which
+   * rebuild and swap `offchainTapscript`) cannot interleave.
+   *
+   * @internal Invoked by the {@link VtxoManager} migration pass; not part of
+   * the stable public API.
+   */
+  async rotateServerSigner(newServerPubKey, checkpointTapscript) {
+    const xonly = toXOnlyPubKey(newServerPubKey);
+    let newServerUnrollScript;
+    try {
+      newServerUnrollScript = CSVMultisigTapscript.decode(hex.decode(checkpointTapscript));
+    } catch (e) {
+      throw new Error("Invalid checkpointTapscript from server");
+    }
+    if (equalBytes$1(xonly, this.arkServerPublicKey)) return;
+    if (this._receiveRotator) {
+      await this._receiveRotator.runExclusive(
+        () => this._doRotateServerSigner(xonly, newServerUnrollScript)
+      );
+      return;
+    }
+    const run = this._serverRotationChain.catch(() => void 0).then(() => this._doRotateServerSigner(xonly, newServerUnrollScript));
+    this._serverRotationChain = run.then(
+      () => void 0,
+      () => void 0
+    );
+    return run;
+  }
+  async _doRotateServerSigner(xonly, newServerUnrollScript) {
+    if (equalBytes$1(xonly, this.arkServerPublicKey)) return;
+    const manager = await this.getContractManager();
+    const [currentOffchainRow] = await manager.getContracts({
+      script: this.defaultContractScript
+    });
+    const currentBoardingScript = hex.encode(this._boardingTapscript.pkScript);
+    const [currentBoardingRow] = await manager.getContracts({
+      script: currentBoardingScript
+    });
+    const newOffchain = this.offchainTapscript instanceof DelegateVtxo.Script ? new DelegateVtxo.Script({
+      ...this.offchainTapscript.options,
+      serverPubKey: xonly
+    }) : new DefaultVtxo.Script({
+      ...this.offchainTapscript.options,
+      serverPubKey: xonly
+    });
+    const newBoarding = new DefaultVtxo.Script({
+      ...this._boardingTapscript.options,
+      serverPubKey: xonly
+    });
+    const offchainCsv = timelockToSequence(newOffchain.options.csvTimelock).toString();
+    const newOffchainScript = hex.encode(newOffchain.pkScript);
+    const newOffchainAddress = newOffchain.address(this.network.hrp, xonly).encode();
+    if (newOffchain instanceof DelegateVtxo.Script) {
+      await manager.createContract({
+        type: "delegate",
+        params: {
+          pubKey: hex.encode(newOffchain.options.pubKey),
+          serverPubKey: hex.encode(xonly),
+          delegatePubKey: hex.encode(newOffchain.options.delegatePubKey),
+          csvTimelock: offchainCsv
+        },
+        script: newOffchainScript,
+        address: newOffchainAddress,
+        state: "active",
+        metadata: currentOffchainRow?.metadata
+      });
+    } else {
+      await manager.createContract({
+        type: "default",
+        params: {
+          pubKey: hex.encode(newOffchain.options.pubKey),
+          serverPubKey: hex.encode(xonly),
+          csvTimelock: offchainCsv
+        },
+        script: newOffchainScript,
+        address: newOffchainAddress,
+        state: "active",
+        metadata: currentOffchainRow?.metadata
+      });
+    }
+    const boardingCsv = newBoarding.options.csvTimelock ?? DefaultVtxo.Script.DEFAULT_TIMELOCK;
+    await manager.createContract({
+      type: "boarding",
+      params: {
+        pubKey: hex.encode(newBoarding.options.pubKey),
+        serverPubKey: hex.encode(xonly),
+        csvTimelock: timelockToSequence(boardingCsv).toString()
+      },
+      script: hex.encode(newBoarding.pkScript),
+      address: newBoarding.address(this.network.hrp, xonly).encode(),
+      state: "active",
+      metadata: currentBoardingRow?.metadata
+    });
+    this.setOffchainTapscriptForRotation(newOffchain);
+    this.setBoardingTapscriptForRotation(newBoarding);
+    this.setArkServerPublicKeyForRotation(xonly);
+    this.setServerUnrollScriptForRotation(newServerUnrollScript);
+  }
   /**
    * Async mutex that serializes all operations submitting VTXOs to the Arkade
    * server (`settle`, `send`, `sendBitcoin`). This prevents VtxoManager's
@@ -8637,12 +9965,25 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
     const staticDescriptor = hd ? void 0 : `tr(${hex.encode(await this.identity.xOnlyPublicKey())})`;
     const materialize = (index) => hd ? provider.materializeDescriptorAt(index) : staticDescriptor;
     const delegatePubKey = this.offchainTapscript instanceof DelegateVtxo.Script ? this.offchainTapscript.options.delegatePubKey : void 0;
+    const arkInfo = await this.arkProvider.getInfo();
+    const currentSignerPubKey = toXOnlyPubKey(hex.decode(arkInfo.signerPubkey));
+    const deprecatedSignerPubKeys = arkInfo.deprecatedSigners.map(
+      (s) => toXOnlyPubKey(hex.decode(s.pubkey))
+    );
     const deps = {
       indexerProvider: this.indexerProvider,
       onchainProvider: this.onchainProvider,
       network: { hrp: this.network.hrp },
-      serverPubKey: this.offchainTapscript.options.serverPubKey,
+      // Full network for the boarding on-chain (P2TR) probe — the
+      // `{ hrp }` shape above lacks the `bech32` data
+      // `VtxoScript.onchainAddress` needs (plan §6-I.1).
+      onchainNetwork: this.network,
+      serverPubKey: currentSignerPubKey,
+      deprecatedSignerPubKeys,
       csvTimelocks: this.walletContractTimelocks,
+      // Boarding-exit CSV so the boarding handler can build its
+      // candidate script (distinct from the unilateral-exit matrix).
+      boardingTimelock: this.boardingTapscript.options.csvTimelock ?? DefaultVtxo.Script.DEFAULT_TIMELOCK,
       delegatePubKey
     };
     const result = await manager.scanContracts({
@@ -8700,6 +10041,9 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
   }
   async dispose() {
     await this._restoreInFlight?.catch(() => void 0);
+    this._serverInfoUnsub?.();
+    this._serverInfoUnsub = void 0;
+    await this._serverInfoInFlight?.catch(() => void 0);
     let rotatorError;
     try {
       await this._receiveRotator?.dispose();
@@ -8774,6 +10118,25 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       boot?.rotator,
       boot?.provider
     );
+    wallet.refreshDeprecatedSigners(setup.info);
+    {
+      const ap = setup.arkProvider;
+      if (typeof ap.onServerInfoChanged === "function") {
+        wallet._serverInfoUnsub = ap.onServerInfoChanged((info) => {
+          wallet._serverInfoInFlight = wallet._serverInfoInFlight.then(() => wallet.handleServerInfoChanged(info)).catch(() => void 0);
+        });
+      }
+    }
+    if (boot?.provider) {
+      const resolvedBoarding = await resolveBoardingBootTapscript(
+        setup.contractRepository,
+        setup.serverPubKey,
+        setup.boardingTapscript
+      );
+      if (resolvedBoarding !== setup.boardingTapscript) {
+        wallet.setBoardingTapscriptForRotation(resolvedBoarding);
+      }
+    }
     await wallet.getVtxoManager();
     return wallet;
   }
@@ -8796,7 +10159,7 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
    */
   async toReadonly() {
     const readonlyIdentity = hasToReadonly(this.identity) ? await this.identity.toReadonly() : this.identity;
-    return new ReadonlyWallet(
+    const readonly = new ReadonlyWallet(
       readonlyIdentity,
       this.network,
       this.onchainProvider,
@@ -8811,6 +10174,8 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       this.watcherConfig,
       this.walletContractTimelocks
     );
+    readonly._deprecatedSigners = new Map(this._deprecatedSigners);
+    return readonly;
   }
   /** Returns the delegate manager when delegation support is configured. */
   async getDelegateManager() {
@@ -8836,10 +10201,9 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
     if (params.selectedVtxos && params.selectedVtxos.length > 0) {
       return this._withTxLock(async () => {
         const offchainTapscript = this.offchainTapscript;
-        const arkAddress = offchainTapscript.address(
-          this.network.hrp,
-          this.arkServerPublicKey
-        );
+        const serverPubKey = this.arkServerPublicKey;
+        const serverUnrollScript = this.serverUnrollScript;
+        const arkAddress = offchainTapscript.address(this.network.hrp, serverPubKey);
         const selectedVtxoSum = params.selectedVtxos.map((v) => v.value).reduce((a, b) => a + b, 0);
         if (selectedVtxoSum < params.amount) {
           throw new Error("Selected VTXOs do not cover specified amount");
@@ -8864,25 +10228,14 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
             amount: BigInt(selected.changeAmount)
           });
         }
-        this._addPendingSpends(selected.inputs);
-        try {
-          const { arkTxid, signedCheckpointTxs } = await this.buildAndSubmitOffchainTx(
-            selected.inputs,
-            outputs
-          );
-          await this.updateDbAfterOffchainTx(
-            selected.inputs,
-            arkTxid,
-            signedCheckpointTxs,
-            params.amount,
-            selected.changeAmount,
-            selected.changeAmount > 0n ? outputs.length - 1 : 0,
-            offchainTapscript
-          );
-          return arkTxid;
-        } finally {
-          this._removePendingSpends(selected.inputs);
-        }
+        return this._submitOffchainSpend(selected.inputs, outputs, {
+          sentAmount: params.amount,
+          changeAmount: selected.changeAmount,
+          changeVout: selected.changeAmount > 0n ? outputs.length - 1 : 0,
+          offchainTapscript,
+          serverPubKey,
+          serverUnrollScript
+        });
       });
     }
     return this.send({
@@ -8912,8 +10265,11 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
         }
       }
     }
+    const offchainAddress = await this.getAddress();
+    const offchainPkScript = ArkAddress.decode(offchainAddress).pkScript;
+    const offchainOutputScript = hex.encode(offchainPkScript);
     if (!params) {
-      const { fees } = await this.arkProvider.getInfo();
+      const { fees, vtxoMaxAmount } = await this.arkProvider.getInfo();
       const estimator = new Estimator(fees.intentFee);
       let amount = 0;
       const exitScript = CSVMultisigTapscript.decode(
@@ -8941,7 +10297,10 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       }
       const vtxos = await this.getVtxos({ withRecoverable: true });
       const filteredVtxos = [];
-      for (const vtxo of vtxos) {
+      for (const vtxo of byValueDescending(vtxos)) {
+        if (filteredVtxos.length >= MAX_VTXOS_PER_SETTLEMENT) {
+          break;
+        }
         const inputFee = estimator.evalOffchainInput({
           amount: BigInt(vtxo.value),
           type: vtxo.virtualStatus.state === "swept" ? "recoverable" : "vtxo",
@@ -8952,20 +10311,31 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
         if (inputFee.satoshis >= vtxo.value) {
           continue;
         }
+        const net = vtxo.value - inputFee.satoshis;
+        if (vtxoMaxAmount >= 0n) {
+          const projectedAmount = BigInt(amount + net);
+          const projectedOutputFee = estimator.evalOffchainOutput({
+            amount: projectedAmount,
+            script: offchainOutputScript
+          });
+          if (projectedAmount - BigInt(projectedOutputFee.satoshis) > vtxoMaxAmount) {
+            continue;
+          }
+        }
         filteredVtxos.push(vtxo);
-        amount += vtxo.value - inputFee.satoshis;
+        amount += net;
       }
       const inputs = [...filteredBoardingUtxos, ...filteredVtxos];
       if (inputs.length === 0) {
         throw new Error("No inputs found");
       }
       const output = {
-        address: await this.getAddress(),
+        address: offchainAddress,
         amount: BigInt(amount)
       };
       const outputFee = estimator.evalOffchainOutput({
         amount: output.amount,
-        script: hex.encode(ArkAddress.decode(output.address).pkScript)
+        script: offchainOutputScript
       });
       output.amount -= BigInt(outputFee.satoshis);
       if (output.amount <= this.dustAmount) {
@@ -9005,8 +10375,7 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       }
     }
     let outputAssets;
-    const destinationScript = ArkAddress.decode(await this.getAddress()).pkScript;
-    const assetOutputIndex = findDestinationOutputIndex(outputs, destinationScript);
+    const assetOutputIndex = findDestinationOutputIndex(outputs, offchainPkScript);
     if (assetInputs.size > 0) {
       if (assetOutputIndex === -1) {
         throw new Error("Cannot assign assets: no output matches the destination address");
@@ -9074,6 +10443,7 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
         eventCallback: eventCallback ? (event) => Promise.resolve(eventCallback(event)) : void 0
       });
       await this.updateDbAfterSettle(params.inputs, commitmentTxid);
+      await this.maybeRotateBoardingAfterBoard(params.inputs);
       return commitmentTxid;
     } catch (error) {
       const inputIds = params.inputs.map((i) => `${i.txid}:${i.vout}`).join(",");
@@ -9091,6 +10461,41 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       });
     }
   }
+  /**
+   * Rotate the boarding address after a board (rotate-on-board trigger).
+   *
+   * Mirrors {@link WalletReceiveRotator}'s L2 rotation, but driven by a
+   * board instead of a `vtxo_received` event: when a settle consumes at
+   * least one boarding (on-chain) UTXO, the current boarding address has
+   * served its purpose, so we allocate a fresh one via
+   * {@link getNewBoardingAddress}. A settle that consumed only VTXOs (a
+   * renewal / offboard) is not a board and leaves the boarding address
+   * untouched.
+   *
+   * Boarding inputs are the non-VTXO coins (no `virtualStatus`), the same
+   * discriminator {@link handleSettlementFinalizationEvent} uses; the
+   * `typeof` guard skips arknote string inputs before the `in` test.
+   *
+   * No-ops for static / `auto` wallets (no descriptor provider — boarding
+   * stays on its fixed index-0 address). Best-effort and non-fatal: the
+   * settle has already committed and its txid must be returned, so a
+   * rotation failure is logged and swallowed rather than thrown. Funds at
+   * the retired boarding address remain discoverable — the old `boarding`
+   * contract stays active and {@link getBoardingUtxos} fans out over the
+   * full historical boarding set.
+   */
+  async maybeRotateBoardingAfterBoard(inputs) {
+    if (!this._descriptorProvider) return;
+    const consumedBoarding = inputs.some(
+      (input) => typeof input !== "string" && !("virtualStatus" in input)
+    );
+    if (!consumedBoarding) return;
+    try {
+      await this.getNewBoardingAddress();
+    } catch (e) {
+      console.warn("Failed to rotate boarding address after board", e);
+    }
+  }
   async handleSettlementFinalizationEvent(event, inputs, forfeitOutputScript, connectorsGraph) {
     const signedForfeits = [];
     const isVtxo = (input) => "virtualStatus" in input;
@@ -9301,6 +10706,19 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
     }
     return jobs;
   }
+  /**
+   * @internal Sign an on-chain boarding exit / sweep transaction, routing
+   * each input to the correct key by its `witnessUtxo.script`: the identity
+   * for index-0 / static boarding, the per-index descriptor for a rotated
+   * boarding UTXO (plan §6-III.3). Used by
+   * {@link VtxoManager.sweepExpiredBoardingUtxos}; without it, the
+   * unilateral exit of a rotated boarding UTXO would be signed with the
+   * wrong (index-0) key and rejected.
+   */
+  async signOnchainBoardingTx(tx) {
+    const signed = await this._signerRouter.sign(tx, this.inputSigningJobsFromWitnessUtxos(tx));
+    return signed;
+  }
   async safeRegisterIntent(intent, inputs) {
     try {
       return await this.arkProvider.registerIntent(intent);
@@ -9496,12 +10914,16 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       throw new Error("At least one receiver is required");
     }
     const offchainTapscript = this.offchainTapscript;
-    const outputAddress = offchainTapscript.address(this.network.hrp, this.arkServerPublicKey);
+    const serverPubKey = this.arkServerPublicKey;
+    const serverUnrollScript = this.serverUnrollScript;
+    const outputAddress = offchainTapscript.address(this.network.hrp, serverPubKey);
     const address = outputAddress.encode();
     const recipients = validateRecipients(args, Number(this.dustAmount));
-    const virtualCoins = await this.getVtxos({
+    const allVirtualCoins = await this.getVtxos({
       withRecoverable: false
     });
+    const pendingRecovery = await this.pendingRecoveryOutpoints();
+    const virtualCoins = pendingRecovery.size ? allVirtualCoins.filter((c) => !pendingRecovery.has(`${c.txid}:${c.vout}`)) : allVirtualCoins;
     const assetChanges = /* @__PURE__ */ new Map();
     let selectedCoins = [];
     let btcAmountToSelect = 0;
@@ -9623,33 +11045,128 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
       outputs.push(Extension.create([assetPacket]).txOut());
     }
     const sentAmount = recipients.reduce((sum, r) => sum + r.amount, 0);
-    this._addPendingSpends(selectedCoins);
+    return this._submitOffchainSpend(selectedCoins, outputs, {
+      sentAmount,
+      changeAmount: BigInt(changeAmount),
+      changeVout: changeReceiver ? changeIndex : 0,
+      offchainTapscript,
+      serverPubKey,
+      serverUnrollScript,
+      changeAssets: changeReceiver?.assets
+    });
+  }
+  /**
+   * Shared tail of every Ark-transaction spend path (`send`, selected-VTXO
+   * `sendBitcoin`, and {@link sendSelectedVtxosToSelf}): hide the inputs from
+   * concurrent `getVtxos()`, build+submit the offchain tx, persist the spent
+   * inputs and any wallet-owned (change / self) output, then release the
+   * pending-spend hold. Callers own coin selection, output construction, and
+   * the synchronous epoch snapshot; this owns the submit/persist sequence.
+   */
+  async _submitOffchainSpend(inputs, outputs, persist) {
+    this._addPendingSpends(inputs);
     try {
       const { arkTxid, signedCheckpointTxs } = await this.buildAndSubmitOffchainTx(
-        selectedCoins,
-        outputs
+        inputs,
+        outputs,
+        persist.serverUnrollScript
       );
       await this.updateDbAfterOffchainTx(
-        selectedCoins,
+        inputs,
         arkTxid,
         signedCheckpointTxs,
-        sentAmount,
-        BigInt(changeAmount),
-        changeReceiver ? changeIndex : 0,
-        offchainTapscript,
-        changeReceiver?.assets
+        persist.sentAmount,
+        persist.changeAmount,
+        persist.changeVout,
+        persist.offchainTapscript,
+        persist.serverPubKey,
+        persist.changeAssets,
+        persist.recordSentHistory ?? true
       );
       return arkTxid;
     } finally {
-      this._removePendingSpends(selectedCoins);
-    }
+      this._removePendingSpends(inputs);
+    }
+  }
+  /**
+   * @internal Migration primitive (deprecated-signer plan, step 1). Spend an
+   * explicit set of the wallet's own deprecated-signer VTXOs into a single
+   * full-value output on the wallet's *active* signer, through the Ark send
+   * path (not `settle`) so arkd builds checkpoints against the active server
+   * epoch. Consumed in-process by {@link VtxoManager}'s migration pass; not
+   * part of the public `IWallet` API and never accepts boarding `ExtendedCoin`
+   * inputs.
+   *
+   * The caller (`migrateCore`) must have already moved the wallet onto the
+   * active signer (`ensureReceiveOnActiveSigner`) and sized the batch (caps +
+   * dust floor); this method validates the inputs, preserves all input assets
+   * on the self output, and persists the new active-signer VTXO even though
+   * there is no separate change output. It records no `TxSent` history — the
+   * funds never leave the wallet.
+   */
+  async sendSelectedVtxosToSelf(inputs) {
+    if (inputs.length === 0) {
+      throw new Error("sendSelectedVtxosToSelf: no inputs");
+    }
+    return this._withTxLock(async () => {
+      const offchainTapscript = this.offchainTapscript;
+      const serverPubKey = this.arkServerPublicKey;
+      const serverUnrollScript = this.serverUnrollScript;
+      const arkAddress = offchainTapscript.address(this.network.hrp, serverPubKey);
+      for (const input of inputs) {
+        if (!isSpendable(input) || isRecoverable(input)) {
+          throw new Error(
+            `sendSelectedVtxosToSelf: input ${input.txid}:${input.vout} is not cooperatively spendable`
+          );
+        }
+        if (!input.virtualStatus.batchExpiry) {
+          throw new Error(
+            `sendSelectedVtxosToSelf: input ${input.txid}:${input.vout} has no batchExpiry`
+          );
+        }
+      }
+      const total = inputs.reduce((sum, c) => sum + BigInt(c.value), 0n);
+      const outputs = [
+        {
+          script: total < this.dustAmount ? arkAddress.subdustPkScript : arkAddress.pkScript,
+          amount: total
+        }
+      ];
+      const assetInputs = selectedCoinsToAssetInputs(inputs);
+      let selfAssets;
+      if (assetInputs.size > 0) {
+        const totals = /* @__PURE__ */ new Map();
+        for (const [, assets] of assetInputs) {
+          for (const a of assets) {
+            totals.set(a.assetId, (totals.get(a.assetId) ?? 0n) + a.amount);
+          }
+        }
+        selfAssets = [...totals].map(([assetId, amount]) => ({ assetId, amount }));
+        const selfReceiver = {
+          address: arkAddress.encode(),
+          assets: selfAssets
+        };
+        const packet = createAssetPacket(assetInputs, [], selfReceiver);
+        outputs.push(Extension.create([packet]).txOut());
+      }
+      return this._submitOffchainSpend(inputs, outputs, {
+        sentAmount: 0,
+        changeAmount: total,
+        changeVout: 0,
+        offchainTapscript,
+        serverPubKey,
+        changeAssets: selfAssets,
+        recordSentHistory: false,
+        serverUnrollScript
+      });
+    });
   }
   /**
    * Build an offchain transaction from the given inputs and outputs,
    * sign it, submit to the Arkade provider, and finalize.
    * @returns The Arkade transaction id and server-signed checkpoint PSBTs (for bookkeeping)
    */
-  async buildAndSubmitOffchainTx(inputs, outputs) {
+  async buildAndSubmitOffchainTx(inputs, outputs, serverUnrollScript = this.serverUnrollScript) {
     const offchainTx = buildOffchainTx(
       inputs.map((input) => {
         return {
@@ -9658,7 +11175,7 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
         };
       }),
       outputs,
-      this.serverUnrollScript
+      serverUnrollScript
     );
     const arkTxJobs = inputs.map((input, index) => ({
       index,
@@ -9732,14 +11249,14 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
     return { arkTxid, signedCheckpointTxs };
   }
   // mark virtual outputs as spent, save change outputs if any.
-  // `offchainTapscript` is the snapshot the caller captured under
-  // `_txLock` before any `await`; deriving both the change-VTXO
-  // metadata and `primaryAddress` from it here guarantees the local
-  // record matches the pkScript the server saw on the inbound
-  // transaction, even if `WalletReceiveRotator.rotate` swaps
-  // `this.offchainTapscript` mid-flight.
-  async updateDbAfterOffchainTx(inputs, arkTxid, signedCheckpointTxs, sentAmount, changeAmount, changeVout, offchainTapscript, changeAssets) {
-    const primaryAddress = offchainTapscript.address(this.network.hrp, this.arkServerPublicKey).encode();
+  // `offchainTapscript` and `serverPubKey` are the epoch snapshot the
+  // caller captured under `_txLock` before any `await`; deriving both the
+  // change-VTXO metadata and `primaryAddress` from them here guarantees the
+  // local record matches the address/pkScript the server saw on the inbound
+  // transaction, even if `rotateServerSigner` swaps `this.offchainTapscript`
+  // / `this.arkServerPublicKey` mid-flight.
+  async updateDbAfterOffchainTx(inputs, arkTxid, signedCheckpointTxs, sentAmount, changeAmount, changeVout, offchainTapscript, serverPubKey, changeAssets, recordSentHistory = true) {
+    const primaryAddress = offchainTapscript.address(this.network.hrp, serverPubKey).encode();
     try {
       const spentVtxos = [];
       const commitmentTxIds = /* @__PURE__ */ new Set();
@@ -9846,19 +11363,21 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
           [changeVtxo]
         );
       }
-      await this.walletRepository.saveTransactions(primaryAddress, [
-        {
-          key: {
-            boardingTxid: "",
-            commitmentTxid: "",
-            arkTxid
-          },
-          amount: sentAmount,
-          type: "SENT" /* TxSent */,
-          settled: false,
-          createdAt
-        }
-      ]);
+      if (recordSentHistory) {
+        await this.walletRepository.saveTransactions(primaryAddress, [
+          {
+            key: {
+              boardingTxid: "",
+              commitmentTxid: "",
+              arkTxid
+            },
+            amount: sentAmount,
+            type: "SENT" /* TxSent */,
+            settled: false,
+            createdAt
+          }
+        ]);
+      }
     } catch (e) {
       console.warn("error saving offchain tx to repository", e);
       throw e;
@@ -9867,10 +11386,9 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
   // mark virtual outputs as spent/settled, remove boarding inputs
   async updateDbAfterSettle(inputs, commitmentTxid) {
     try {
-      const boardingAddress = await this.getBoardingAddress();
       const spentVtxos = [];
       const inputArkTxIds = /* @__PURE__ */ new Set();
-      const boardingUtxoToRemove = /* @__PURE__ */ new Set();
+      const boardingRemovalsByAddress = /* @__PURE__ */ new Map();
       const isVtxo = (input) => "virtualStatus" in input;
       const vtxoInputs = inputs.filter(isVtxo);
       const cm = await this.getContractManager();
@@ -9892,7 +11410,20 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
             isSpent: true
           });
         } else {
-          boardingUtxoToRemove.add(`${input.txid}:${input.vout}`);
+          let sourceAddress;
+          try {
+            sourceAddress = VtxoScript.decode(input.tapTree).onchainAddress(
+              this.network
+            );
+          } catch {
+            sourceAddress = this.boardingTapscript.onchainAddress(this.network);
+          }
+          let set = boardingRemovalsByAddress.get(sourceAddress);
+          if (!set) {
+            set = /* @__PURE__ */ new Set();
+            boardingRemovalsByAddress.set(sourceAddress, set);
+          }
+          set.add(`${input.txid}:${input.vout}`);
         }
       }
       if (spentVtxos.length > 0) {
@@ -9924,14 +11455,12 @@ var Wallet2 = class _Wallet extends ReadonlyWallet {
           );
         }
       }
-      if (boardingUtxoToRemove.size > 0) {
-        const currentUtxos = await this.walletRepository.getUtxos(boardingAddress);
-        const filtered = currentUtxos.filter(
-          (u) => !boardingUtxoToRemove.has(`${u.txid}:${u.vout}`)
-        );
-        await this.walletRepository.deleteUtxos(boardingAddress);
+      for (const [address, toRemove] of boardingRemovalsByAddress) {
+        const currentUtxos = await this.walletRepository.getUtxos(address);
+        const filtered = currentUtxos.filter((u) => !toRemove.has(`${u.txid}:${u.vout}`));
+        await this.walletRepository.deleteUtxos(address);
         if (filtered.length > 0) {
-          await this.walletRepository.saveUtxos(boardingAddress, filtered);
+          await this.walletRepository.saveUtxos(address, filtered);
         }
       }
     } catch (e) {
@@ -10706,6 +12235,82 @@ var DelegateNotConfiguredError = class extends Error {
 };
 var DelegatorNotConfiguredError = DelegateNotConfiguredError;
 var DEFAULT_MESSAGE_TAG = "WALLET_UPDATER";
+var serializeMigrationVtxoRef = (ref) => ({
+  txid: ref.txid,
+  vout: ref.vout,
+  value: ref.value,
+  signerPubKey: ref.signerPubKey,
+  cutoffDate: ref.cutoffDate?.toString()
+});
+var deserializeMigrationVtxoRef = (ref) => ({
+  txid: ref.txid,
+  vout: ref.vout,
+  value: ref.value,
+  signerPubKey: ref.signerPubKey,
+  cutoffDate: ref.cutoffDate != null ? BigInt(ref.cutoffDate) : void 0
+});
+var serializeDeprecatedSignerReport = (report) => ({
+  signerPubKey: report.signerPubKey,
+  status: report.status,
+  cutoffDate: report.cutoffDate?.toString(),
+  secondsUntilCutoff: report.secondsUntilCutoff,
+  vtxoCount: report.vtxoCount,
+  totalValue: report.totalValue,
+  boardingCount: report.boardingCount,
+  boardingValue: report.boardingValue,
+  recoverableCount: report.recoverableCount,
+  recoverableValue: report.recoverableValue,
+  awaitingSweepCount: report.awaitingSweepCount,
+  awaitingSweepValue: report.awaitingSweepValue,
+  nextSweepEta: report.nextSweepEta
+});
+var deserializeDeprecatedSignerReport = (report) => ({
+  signerPubKey: report.signerPubKey,
+  status: report.status,
+  cutoffDate: report.cutoffDate != null ? BigInt(report.cutoffDate) : void 0,
+  secondsUntilCutoff: report.secondsUntilCutoff,
+  vtxoCount: report.vtxoCount,
+  totalValue: report.totalValue,
+  boardingCount: report.boardingCount,
+  boardingValue: report.boardingValue,
+  recoverableCount: report.recoverableCount,
+  recoverableValue: report.recoverableValue,
+  awaitingSweepCount: report.awaitingSweepCount,
+  awaitingSweepValue: report.awaitingSweepValue,
+  nextSweepEta: report.nextSweepEta
+});
+var serializeMigrationLegReport = (leg) => ({
+  txid: leg.txid,
+  migrated: leg.migrated.map(serializeMigrationVtxoRef),
+  skipped: leg.skipped,
+  deferred: leg.deferred,
+  oversized: leg.oversized?.map(serializeMigrationVtxoRef),
+  error: leg.error
+});
+var deserializeMigrationLegReport = (leg) => ({
+  txid: leg.txid,
+  migrated: leg.migrated.map(deserializeMigrationVtxoRef),
+  skipped: leg.skipped,
+  deferred: leg.deferred,
+  oversized: leg.oversized?.map(deserializeMigrationVtxoRef),
+  error: leg.error
+});
+var serializeMigrationReport = (report) => ({
+  rotated: report.rotated,
+  skipped: report.skipped,
+  vtxos: report.vtxos ? serializeMigrationLegReport(report.vtxos) : void 0,
+  boarding: report.boarding ? serializeMigrationLegReport(report.boarding) : void 0,
+  expired: report.expired.map(serializeMigrationVtxoRef),
+  signers: report.signers.map(serializeDeprecatedSignerReport)
+});
+var deserializeMigrationReport = (report) => ({
+  rotated: report.rotated,
+  skipped: report.skipped,
+  vtxos: report.vtxos ? deserializeMigrationLegReport(report.vtxos) : void 0,
+  boarding: report.boarding ? deserializeMigrationLegReport(report.boarding) : void 0,
+  expired: report.expired.map(deserializeMigrationVtxoRef),
+  signers: report.signers.map(deserializeDeprecatedSignerReport)
+});
 var WalletMessageHandler = class {
   messageTag;
   wallet;
@@ -10787,7 +12392,9 @@ var WalletMessageHandler = class {
   // page-side PING / MESSAGE_BUS_NOT_INITIALIZED path triggered by concurrent
   // short requests (GET_STATUS, GET_BALANCE, ...).
   isLongRunning(message) {
-    return message.type === "SETTLE" || message.type === "RECOVER_VTXOS" || message.type === "RENEW_VTXOS" || // HD restore walks the index range with one indexer round-trip per
+    return message.type === "SETTLE" || message.type === "RECOVER_VTXOS" || message.type === "RENEW_VTXOS" || // Migration may apply a server-signer rotation and then run a full
+    // settle, so it streams settlement events like RENEW_VTXOS.
+    message.type === "MIGRATE_DEPRECATED_SIGNER_VTXOS" || // HD restore walks the index range with one indexer round-trip per
     // step until it hits gapLimit consecutive unused indices. The bus
     // deadline must not race the scan; liveness stays covered by PING.
     message.type === "RESTORE_WALLET";
@@ -11153,6 +12760,36 @@ var WalletMessageHandler = class {
             payload: { txid }
           });
         }
+        case "MIGRATE_DEPRECATED_SIGNER_VTXOS": {
+          const wallet = this.requireWallet();
+          const vtxoManager = await wallet.getVtxoManager();
+          const report = await vtxoManager.migrateDeprecatedSignerVtxos({
+            eventCallback: (e) => {
+              this.scheduleForNextTick(
+                () => this.tagged({
+                  id,
+                  type: "MIGRATE_DEPRECATED_SIGNER_VTXOS_EVENT",
+                  payload: e
+                })
+              );
+            }
+          });
+          return this.tagged({
+            id,
+            type: "MIGRATE_DEPRECATED_SIGNER_VTXOS_SUCCESS",
+            payload: { report: serializeMigrationReport(report) }
+          });
+        }
+        case "GET_DEPRECATED_SIGNER_STATUS": {
+          const wallet = this.requireWallet();
+          const vtxoManager = await wallet.getVtxoManager();
+          const signers = await vtxoManager.getDeprecatedSignerStatus();
+          return this.tagged({
+            id,
+            type: "DEPRECATED_SIGNER_STATUS",
+            payload: { signers: signers.map(serializeDeprecatedSignerReport) }
+          });
+        }
         case "RESTORE_WALLET": {
           const wallet = this.requireWallet();
           try {
@@ -11186,9 +12823,10 @@ var WalletMessageHandler = class {
     await this.onWalletInitialized();
   }
   async handleGetBalance() {
-    const [boardingUtxos, allVtxos] = await Promise.all([
+    const [boardingUtxos, allVtxos, pendingOutpoints] = await Promise.all([
       this.getAllBoardingUtxos(),
-      this.getVtxosFromRepo()
+      this.getVtxosFromRepo(),
+      this.readonlyWallet ? this.readonlyWallet.pendingRecoveryOutpoints() : Promise.resolve(/* @__PURE__ */ new Set())
     ]);
     let confirmed = 0;
     let unconfirmed = 0;
@@ -11204,8 +12842,11 @@ var WalletMessageHandler = class {
     let settled = 0;
     let preconfirmed = 0;
     let recoverable = 0;
+    let pendingRecovery = 0;
     for (const vtxo of spendableVtxos) {
-      if (vtxo.virtualStatus.state === "settled") {
+      if (pendingOutpoints.has(`${vtxo.txid}:${vtxo.vout}`)) {
+        pendingRecovery += vtxo.value;
+      } else if (vtxo.virtualStatus.state === "settled") {
         settled += vtxo.value;
       } else if (vtxo.virtualStatus.state === "preconfirmed") {
         preconfirmed += vtxo.value;
@@ -11217,7 +12858,7 @@ var WalletMessageHandler = class {
       }
     }
     const totalBoarding = confirmed + unconfirmed;
-    const totalOffchain = settled + preconfirmed + recoverable;
+    const totalOffchain = settled + preconfirmed + recoverable + pendingRecovery;
     const assetBalances = /* @__PURE__ */ new Map();
     for (const vtxo of spendableVtxos) {
       if (vtxo.assets) {
@@ -11241,6 +12882,7 @@ var WalletMessageHandler = class {
       preconfirmed,
       available: settled + preconfirmed,
       recoverable,
+      pendingRecovery,
       total: totalBoarding + totalOffchain,
       assets
     };
@@ -11331,9 +12973,7 @@ var WalletMessageHandler = class {
           );
         }
         if (funds.type === "utxo") {
-          const utxos = funds.coins.map((utxo) => extendCoin(this.readonlyWallet, utxo));
-          const boardingAddress = await this.readonlyWallet.getBoardingAddress();
-          await this.walletRepository?.saveUtxos(boardingAddress, utxos);
+          const utxos = await this.readonlyWallet.getBoardingUtxos();
           this.scheduleForNextTick(
             () => this.tagged({
               type: "UTXO_UPDATE",
@@ -11362,13 +13002,16 @@ var WalletMessageHandler = class {
       return;
     }
     const vtxos = await this.getVtxosFromRepo();
-    const boardingAddress = await this.readonlyWallet.getBoardingAddress();
-    const coins = await this.readonlyWallet.onchainProvider.getCoins(boardingAddress);
-    await this.walletRepository.deleteUtxos(boardingAddress);
-    await this.walletRepository.saveUtxos(
-      boardingAddress,
-      coins.map((utxo) => extendCoin(this.readonlyWallet, utxo))
-    );
+    const boardingAddresses = await this.readonlyWallet.getBoardingAddresses();
+    const fresh = await this.readonlyWallet.getBoardingUtxos();
+    const freshKeys = new Set(fresh.map((u) => `${u.txid}:${u.vout}`));
+    for (const addr of boardingAddresses) {
+      const cached = await this.walletRepository.getUtxos(addr);
+      const kept = cached.filter((u) => freshKeys.has(`${u.txid}:${u.vout}`));
+      if (kept.length === cached.length) continue;
+      await this.walletRepository.deleteUtxos(addr);
+      if (kept.length > 0) await this.walletRepository.saveUtxos(addr, kept);
+    }
     const address = await this.readonlyWallet.getAddress();
     const txs = await this.buildTransactionHistoryFromCache(vtxos);
     if (txs) await this.walletRepository.saveTransactions(address, txs);
@@ -11625,6 +13268,7 @@ var DEFAULT_MESSAGE_TIMEOUTS = {
   GET_EXPIRING_VTXOS: 2e4,
   GET_EXPIRED_BOARDING_UTXOS: 2e4,
   GET_RECOVERABLE_BALANCE: 2e4,
+  GET_DEPRECATED_SIGNER_STATUS: 2e4,
   RELOAD_WALLET: 2e4,
   // Transactions — need more headroom.
   // SETTLE / RECOVER_VTXOS / RENEW_VTXOS go through the streaming path and
@@ -11640,6 +13284,9 @@ var DEFAULT_MESSAGE_TIMEOUTS = {
   RECOVER_VTXOS: 5e4,
   RENEW_VTXOS: 5e4,
   SWEEP_EXPIRED_BOARDING_UTXOS: 5e4,
+  // Streaming/long-running like RENEW_VTXOS (rotation + settle); the value is
+  // kept for type completeness and is never enforced as an inactivity deadline.
+  MIGRATE_DEPRECATED_SIGNER_VTXOS: 5e4,
   // RESTORE_WALLET is a streaming/long-running path (sendMessageWithEvents)
   // like SETTLE; the value here is kept for type completeness and is never
   // enforced as an inactivity deadline.
@@ -11665,6 +13312,7 @@ var DEDUPABLE_REQUEST_TYPES = /* @__PURE__ */ new Set([
   "GET_DELEGATE_INFO",
   "GET_RECOVERABLE_BALANCE",
   "GET_EXPIRED_BOARDING_UTXOS",
+  "GET_DEPRECATED_SIGNER_STATUS",
   "GET_VTXOS",
   "GET_CONTRACTS",
   "GET_CONTRACTS_WITH_VTXOS",
@@ -12787,6 +14435,42 @@ var ServiceWorkerWallet = class _ServiceWorkerWallet extends ServiceWorkerReadon
           throw new Error(`Failed to sweep expired boarding utxos: ${e}`);
         }
       },
+      async migrateDeprecatedSignerVtxos(options) {
+        const message = {
+          tag: messageTag,
+          type: "MIGRATE_DEPRECATED_SIGNER_VTXOS",
+          id: getRandomId()
+        };
+        try {
+          const response = await wallet.sendMessageWithEvents(
+            message,
+            (resp) => options?.eventCallback?.(
+              resp.payload
+            ),
+            (resp) => resp.type === "MIGRATE_DEPRECATED_SIGNER_VTXOS_SUCCESS"
+          );
+          return deserializeMigrationReport(
+            response.payload.report
+          );
+        } catch (e) {
+          throw new Error(`Failed to migrate deprecated-signer vtxos: ${e}`);
+        }
+      },
+      async getDeprecatedSignerStatus() {
+        const message = {
+          tag: messageTag,
+          type: "GET_DEPRECATED_SIGNER_STATUS",
+          id: getRandomId()
+        };
+        try {
+          const response = await wallet.sendMessage(message);
+          return response.payload.signers.map(
+            deserializeDeprecatedSignerReport
+          );
+        } catch (e) {
+          throw new Error(`Failed to get deprecated-signer status: ${e}`);
+        }
+      },
       async dispose() {
         return;
       }
@@ -13692,13 +15376,19 @@ function isHeaderSubscribeResult(v) {
   const obj = v;
   return typeof obj.height === "number" && typeof obj.hex === "string";
 }
+function errorText(err) {
+  if (typeof err === "string") return err;
+  if (err && typeof err === "object") {
+    const e = err;
+    return [e.message, e.str].filter((v) => typeof v === "string").join(" ");
+  }
+  return "";
+}
 function isMissingHeightError(err) {
-  const msg = err instanceof Error ? err.message : typeof err === "string" ? err : "";
-  return msg.toLowerCase().includes("missingheight");
+  return errorText(err).toLowerCase().includes("missingheight");
 }
 function isTxNotInBlockError(err) {
-  const msg = err instanceof Error ? err.message : typeof err === "string" ? err : "";
-  const normalized = msg.toLowerCase();
+  const normalized = errorText(err).toLowerCase();
   return normalized.includes("not yet in a block") || normalized.includes("not in a block") || normalized.includes("not in block") || normalized.includes("no confirmed transaction");
 }
 function childTxidFromHex(txHex) {
@@ -14158,6 +15848,6 @@ function isArkContract(str) {
   return str.startsWith(ARKCONTRACT_PREFIX + "=");
 }
 
-export { ArkNote, AssetManager, BIP322, Batch, ContractManager, ContractRepositoryImpl, ContractWatcher, DB_VERSION, DEFAULT_MESSAGE_TIMEOUTS, DelegateManagerImpl, DelegateNotConfiguredError, DelegatorManagerImpl, DelegatorNotConfiguredError, DescriptorSigningProviderMissingError, DustChangeError, ELECTRUM_TCP_HOST, ELECTRUM_WS_URL, ESPLORA_URL, ElectrumOnchainProvider, EsploraProvider, Estimator, HDDescriptorProvider, InMemoryContractRepository, InMemoryWalletRepository, IndexedDBContractRepository, IndexedDBWalletRepository, MESSAGE_BUS_NOT_INITIALIZED, MIGRATION_KEY, MessageBus, MessageBusNotInitializedError, MissingSigningDescriptorError, MnemonicIdentity, OnchainWallet, P2A, Ramps, ReadonlyAssetManager, ReadonlyDescriptorIdentity, ReadonlySingleKey, ReadonlyWallet, ReadonlyWalletError, RestDelegateProvider, RestDelegatorProvider, SeedIdentity, ServiceWorkerReadonlyWallet, ServiceWorkerTimeoutError, ServiceWorkerWallet, SingleKey, TxTree, TxType, TxWeightEstimator, Unroll, VtxoManager, Wallet2 as Wallet, WalletMessageHandler, WalletNotInitializedError, WalletRepositoryImpl, WsElectrumChainSource, buildForfeitTx, buildOffchainTx, closeDatabase, combineTapscriptSigs, contractFromArkContract, contractFromArkContractWithAddress, decodeArkContract, deserializeAssets, deserializeUtxo, deserializeVtxo, encodeArkContract, extendVirtualCoinForContract, getMigrationStatus, getRandomId, hasBoardingTxExpired, isArkContract, isBatchSignable, isDiscoverable, isExpired, isRecoverable, isSpendable, isSubdust, isValidArkAddress, isVtxoExpiringSoon, isVtxoForScript, migrateWalletRepository, openDatabase, requiresMigration, rollbackMigration, saveVtxosForContract, scriptFromArkAddress, serializeAssets, serializeUtxo, serializeVtxo, setupServiceWorker, validateConnectorsTxGraph, validateVtxoTxGraph, verifyTapscriptSignatures, waitForIncomingFunds, warnAndFilterVtxosForScript };
-//# sourceMappingURL=chunk-DSS2GQUG.js.map
-//# sourceMappingURL=chunk-DSS2GQUG.js.map
+export { ArkNote, AssetManager, BIP322, Batch, ContractManager, ContractRepositoryImpl, ContractWatcher, DB_VERSION, DEFAULT_MESSAGE_TIMEOUTS, DelegateManagerImpl, DelegateNotConfiguredError, DelegatorManagerImpl, DelegatorNotConfiguredError, DescriptorSigningProviderMissingError, DustChangeError, ELECTRUM_TCP_HOST, ELECTRUM_WS_URL, ESPLORA_URL, ElectrumOnchainProvider, EsploraProvider, Estimator, HDDescriptorProvider, InMemoryContractRepository, InMemoryWalletRepository, IndexedDBContractRepository, IndexedDBWalletRepository, MESSAGE_BUS_NOT_INITIALIZED, MIGRATION_KEY, MessageBus, MessageBusNotInitializedError, MissingSigningDescriptorError, MnemonicIdentity, OnchainWallet, P2A, Ramps, ReadonlyAssetManager, ReadonlyDescriptorIdentity, ReadonlySingleKey, ReadonlyWallet, ReadonlyWalletError, RestDelegateProvider, RestDelegatorProvider, SeedIdentity, ServiceWorkerReadonlyWallet, ServiceWorkerTimeoutError, ServiceWorkerWallet, SingleKey, TxTree, TxType, TxWeightEstimator, Unroll, VtxoManager, Wallet2 as Wallet, WalletMessageHandler, WalletNotInitializedError, WalletRepositoryImpl, WsElectrumChainSource, buildForfeitTx, buildOffchainTx, classifyAgainstSignerSet, classifyContractSigner, closeDatabase, combineTapscriptSigs, contractFromArkContract, contractFromArkContractWithAddress, decodeArkContract, deserializeAssets, deserializeUtxo, deserializeVtxo, encodeArkContract, extendVirtualCoinForContract, getMigrationStatus, getRandomId, hasBoardingTxExpired, isArkContract, isBatchSignable, isCooperativelyMigratable, isDiscoverable, isExpired, isRecoverable, isSpendable, isSubdust, isValidArkAddress, isVtxoExpiringSoon, isVtxoForScript, migrateWalletRepository, openDatabase, requiresMigration, rollbackMigration, saveVtxosForContract, scriptFromArkAddress, serializeAssets, serializeUtxo, serializeVtxo, setupServiceWorker, signerSetFromInfo, toXOnlySignerHex, validateConnectorsTxGraph, validateVtxoTxGraph, verifyTapscriptSignatures, waitForIncomingFunds, warnAndFilterVtxosForScript };
+//# sourceMappingURL=chunk-NOR7XOKN.js.map
+//# sourceMappingURL=chunk-NOR7XOKN.js.map