@bsv/sdk 1.3.32 → 1.3.34

package/docs/auth.md

@@ -463,14 +463,14 @@ export class MasterCertificate extends Certificate {
     declare signature?: HexString;
     masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>;
     constructor(type: Base64String, serialNumber: Base64String, subject: PubKeyHex, certifier: PubKeyHex, revocationOutpoint: OutpointString, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, signature?: HexString) 
-    static async createCertificateFields(creatorWallet: ProtoWallet, certifierOrSubject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>): Promise<CreateCertificateFieldsResult> 
-    static async createKeyringForVerifier(subjectWallet: ProtoWallet, certifier: WalletCounterparty, verifier: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldsToReveal: string[], masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, serialNumber: Base64String): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+    static async createCertificateFields(creatorWallet: ProtoWallet, certifierOrSubject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>, privileged?: boolean, privilegedReason?: string): Promise<CreateCertificateFieldsResult> 
+    static async createKeyringForVerifier(subjectWallet: ProtoWallet, certifier: WalletCounterparty, verifier: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldsToReveal: string[], masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, serialNumber: Base64String, privileged?: boolean, privilegedReason?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
     static async issueCertificateForSubject(certifierWallet: ProtoWallet, subject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>, certificateType: string, getRevocationOutpoint = async (_serial: string): Promise<string> => {
         void _serial;
         return "Certificate revocation not tracked.";
     }, serialNumber?: string): Promise<MasterCertificate> 
-    static async decryptFields(subjectOrCertifierWallet: ProtoWallet, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, counterparty: WalletCounterparty): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
-    static async decryptField(subjectOrCertifierWallet: ProtoWallet, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldName: Base64String, fieldValue: Base64String, counterparty: WalletCounterparty): Promise<{
+    static async decryptFields(subjectOrCertifierWallet: ProtoWallet, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, counterparty: WalletCounterparty, privileged?: boolean, privilegedReason?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+    static async decryptField(subjectOrCertifierWallet: ProtoWallet, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldName: Base64String, fieldValue: Base64String, counterparty: WalletCounterparty, privileged?: boolean, privilegedReason?: string): Promise<{
         fieldRevelationKey: number[];
         decryptedFieldValue: string;
     }> 
@@ -486,7 +486,7 @@ This method returns a master keyring tied to a specific certifier or subject who
 and sign off on the fields, along with the encrypted certificate fields.
 
 ```ts
-static async createCertificateFields(creatorWallet: ProtoWallet, certifierOrSubject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>): Promise<CreateCertificateFieldsResult> 
+static async createCertificateFields(creatorWallet: ProtoWallet, certifierOrSubject: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, string>, privileged?: boolean, privilegedReason?: string): Promise<CreateCertificateFieldsResult> 
 ```
 See also: [CertificateFieldNameUnder50Bytes](./wallet.md#type-certificatefieldnameunder50bytes), [ProtoWallet](./wallet.md#class-protowallet), [WalletCounterparty](./wallet.md#type-walletcounterparty)
 
@@ -506,6 +506,10 @@ Argument Details
   + The certifier or subject who will validate the certificate fields.
 + **fields**
   + A record of certificate field names (under 50 bytes) mapped to their values.
++ **privileged**
+  + Whether this is a privileged request.
++ **privilegedReason**
+  + Reason provided for privileged access, required if this is a privileged operation.   *
 
 #### Method createKeyringForVerifier
 
@@ -515,7 +519,7 @@ for the verifier's identity key. The result is a keyring containing the keys nec
 for the verifier to access the designated fields.
 
 ```ts
-static async createKeyringForVerifier(subjectWallet: ProtoWallet, certifier: WalletCounterparty, verifier: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldsToReveal: string[], masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, serialNumber: Base64String): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+static async createKeyringForVerifier(subjectWallet: ProtoWallet, certifier: WalletCounterparty, verifier: WalletCounterparty, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, fieldsToReveal: string[], masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, serialNumber: Base64String, privileged?: boolean, privilegedReason?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 ```
 See also: [Base64String](./wallet.md#type-base64string), [CertificateFieldNameUnder50Bytes](./wallet.md#type-certificatefieldnameunder50bytes), [ProtoWallet](./wallet.md#class-protowallet), [WalletCounterparty](./wallet.md#type-walletcounterparty)
 
@@ -533,6 +537,10 @@ Argument Details
   + An array of field names to be revealed to the verifier. Must be a subset of the certificate's fields.
 + **originator**
   + Optional originator identifier, used if additional context is needed for decryption and encryption operations.
++ **privileged**
+  + Whether this is a privileged request.
++ **privilegedReason**
+  + Reason provided for privileged access, required if this is a privileged operation.   *
 
 Throws
 
@@ -552,7 +560,7 @@ The counterparty used for decryption depends on how the certificate fields were
 - Otherwise, the counterparty should always be the other party involved in the certificate issuance process (the subject or certifier).
 
 ```ts
-static async decryptFields(subjectOrCertifierWallet: ProtoWallet, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, counterparty: WalletCounterparty): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+static async decryptFields(subjectOrCertifierWallet: ProtoWallet, masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>, fields: Record<CertificateFieldNameUnder50Bytes, Base64String>, counterparty: WalletCounterparty, privileged?: boolean, privilegedReason?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 ```
 See also: [Base64String](./wallet.md#type-base64string), [CertificateFieldNameUnder50Bytes](./wallet.md#type-certificatefieldnameunder50bytes), [ProtoWallet](./wallet.md#class-protowallet), [WalletCounterparty](./wallet.md#type-walletcounterparty)
 
@@ -570,6 +578,10 @@ Argument Details
   + A record of encrypted field names and their values.
 + **counterparty**
   + The counterparty responsible for creating or signing the certificate. For self-signed certificates, use 'self'.
++ **privileged**
+  + Whether this is a privileged request.
++ **privilegedReason**
+  + Reason provided for privileged access, required if this is a privileged operation.
 
 Throws
 
@@ -1094,7 +1106,7 @@ export class VerifiableCertificate extends Certificate {
     keyring: Record<CertificateFieldNameUnder50Bytes, string>;
     decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>;
     constructor(type: Base64String, serialNumber: Base64String, subject: PubKeyHex, certifier: PubKeyHex, revocationOutpoint: OutpointString, fields: Record<CertificateFieldNameUnder50Bytes, string>, keyring: Record<CertificateFieldNameUnder50Bytes, string>, signature?: HexString, decryptedFields?: Record<CertificateFieldNameUnder50Bytes, Base64String>) 
-    async decryptFields(verifierWallet: ProtoWallet): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+    async decryptFields(verifierWallet: ProtoWallet, privileged?: boolean, privilegedReason?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 }
 ```
 
@@ -1105,7 +1117,7 @@ See also: [Base64String](./wallet.md#type-base64string), [Certificate](./auth.md
 Decrypts selectively revealed certificate fields using the provided keyring and verifier wallet
 
 ```ts
-async decryptFields(verifierWallet: ProtoWallet): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
+async decryptFields(verifierWallet: ProtoWallet, privileged?: boolean, privilegedReason?: string): Promise<Record<CertificateFieldNameUnder50Bytes, string>> 
 ```
 See also: [CertificateFieldNameUnder50Bytes](./wallet.md#type-certificatefieldnameunder50bytes), [ProtoWallet](./wallet.md#class-protowallet)
 
@@ -1117,6 +1129,10 @@ Argument Details
 
 + **verifierWallet**
   + The wallet instance of the certificate's verifier, used to decrypt field keys.
++ **privileged**
+  + Whether this is a privileged request.
++ **privilegedReason**
+  + Reason provided for privileged access, required if this is a privileged operation.
 
 Throws
 

package/docs/overlay-tools.md

@@ -95,6 +95,7 @@ Configuration options for the Lookup resolver.
 
 ```ts
 export interface LookupResolverConfig {
+    networkPreset?: "mainnet" | "testnet" | "local";
     facilitator?: OverlayLookupFacilitator;
     slapTrackers?: string[];
     hostOverrides?: Record<string, string[]>;
@@ -129,6 +130,17 @@ Map of lookup service names to arrays of hosts to use in place of resolving via
 hostOverrides?: Record<string, string[]>
 ```
 
+#### Property networkPreset
+
+The network preset to use, unless other options override it.
+- mainnet: use mainnet SLAP trackers and HTTPS facilitator
+- testnet: use testnet SLAP trackers and HTTPS facilitator
+- local: directly query from localhost:8080 and a facilitator that permits plain HTTP
+
+```ts
+networkPreset?: "mainnet" | "testnet" | "local"
+```
+
 #### Property slapTrackers
 
 The list of SLAP trackers queried to resolve Overlay Services hosts for a given lookup service.
@@ -185,8 +197,9 @@ Configuration options for the SHIP broadcaster.
 
 ```ts
 export interface SHIPBroadcasterConfig {
+    networkPreset?: "mainnet" | "testnet" | "local";
     facilitator?: OverlayBroadcastFacilitator;
-    resolver: LookupResolver;
+    resolver?: LookupResolver;
     requireAcknowledgmentFromAllHostsForTopics?: "all" | "any" | string[];
     requireAcknowledgmentFromAnyHostForTopics?: "all" | "any" | string[];
     requireAcknowledgmentFromSpecificHostsForTopics?: Record<string, "all" | "any" | string[]>;
@@ -204,6 +217,17 @@ facilitator?: OverlayBroadcastFacilitator
 ```
 See also: [OverlayBroadcastFacilitator](./overlay-tools.md#interface-overlaybroadcastfacilitator)
 
+#### Property networkPreset
+
+The network preset to use, unless other options override it.
+- mainnet: use mainnet resolver and HTTPS facilitator
+- testnet: use testnet resolver and HTTPS facilitator
+- local: directly send to localhost:8080 and a facilitator that permits plain HTTP
+
+```ts
+networkPreset?: "mainnet" | "testnet" | "local"
+```
+
 #### Property requireAcknowledgmentFromAllHostsForTopics
 
 Determines which topics (all, any, or a specific list) must be present within all STEAKs received from every host for the broadcast to be considered a success. By default, all hosts must acknowledge all topics.
@@ -233,7 +257,7 @@ requireAcknowledgmentFromSpecificHostsForTopics?: Record<string, "all" | "any" |
 The resolver used to locate suitable hosts with SHIP
 
 ```ts
-resolver: LookupResolver
+resolver?: LookupResolver
 ```
 See also: [LookupResolver](./overlay-tools.md#class-lookupresolver)
 
@@ -262,7 +286,7 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 | [HTTPSOverlayLookupFacilitator](#class-httpsoverlaylookupfacilitator) |
 | [LookupResolver](#class-lookupresolver) |
 | [OverlayAdminTokenTemplate](#class-overlayadmintokentemplate) |
-| [SHIPBroadcaster](#class-shipbroadcaster) |
+| [TopicBroadcaster](#class-topicbroadcaster) |
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Enums](#enums), [Variables](#variables)
 
@@ -273,7 +297,8 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 ```ts
 export class HTTPSOverlayBroadcastFacilitator implements OverlayBroadcastFacilitator {
     httpClient: typeof fetch;
-    constructor(httpClient = fetch) 
+    allowHTTP: boolean;
+    constructor(httpClient = fetch, allowHTTP: boolean = false) 
     async send(url: string, taggedBEEF: TaggedBEEF): Promise<STEAK> 
 }
 ```
@@ -288,7 +313,8 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 ```ts
 export class HTTPSOverlayLookupFacilitator implements OverlayLookupFacilitator {
     fetchClient: typeof fetch;
-    constructor(httpClient = fetch) 
+    allowHTTP: boolean;
+    constructor(httpClient = fetch, allowHTTP: boolean = false) 
     async lookup(url: string, question: LookupQuestion, timeout: number = 5000): Promise<LookupAnswer> 
 }
 ```
@@ -304,7 +330,7 @@ Represents an SHIP transaction broadcaster.
 
 ```ts
 export default class LookupResolver {
-    constructor(config?: LookupResolverConfig) 
+    constructor(config: LookupResolverConfig = {}) 
     async query(question: LookupQuestion, timeout?: number): Promise<LookupAnswer> 
 }
 ```
@@ -430,13 +456,13 @@ Argument Details
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Enums](#enums), [Variables](#variables)
 
 ---
-### Class: SHIPBroadcaster
+### Class: TopicBroadcaster
 
-Represents a SHIP transaction broadcaster.
+Broadcasts transactions to one or more overlay topics.
 
 ```ts
-export default class SHIPBroadcaster implements Broadcaster {
-    constructor(topics: string[], config?: SHIPBroadcasterConfig) 
+export default class TopicBroadcaster implements Broadcaster {
+    constructor(topics: string[], config: SHIPBroadcasterConfig = {}) 
     async broadcast(tx: Transaction): Promise<BroadcastResponse | BroadcastFailure> 
 }
 ```
@@ -448,7 +474,7 @@ See also: [BroadcastFailure](./transaction.md#interface-broadcastfailure), [Broa
 Constructs an instance of the SHIP broadcaster.
 
 ```ts
-constructor(topics: string[], config?: SHIPBroadcasterConfig) 
+constructor(topics: string[], config: SHIPBroadcasterConfig = {}) 
 ```
 See also: [SHIPBroadcasterConfig](./overlay-tools.md#interface-shipbroadcasterconfig)
 
@@ -531,13 +557,31 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 
 ## Variables
 
+| |
+| --- |
+| [DEFAULT_SLAP_TRACKERS](#variable-default_slap_trackers) |
+| [DEFAULT_TESTNET_SLAP_TRACKERS](#variable-default_testnet_slap_trackers) |
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Enums](#enums), [Variables](#variables)
+
+---
+
 ### Variable: DEFAULT_SLAP_TRACKERS
 
 ```ts
 DEFAULT_SLAP_TRACKERS: string[] = [
-    "https://overlay.babbage.systems",
-    "https://overlay-example.babbage.systems",
-    "https://office.babbage.systems"
+    "https://users.bapp.dev"
+]
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Enums](#enums), [Variables](#variables)
+
+---
+### Variable: DEFAULT_TESTNET_SLAP_TRACKERS
+
+```ts
+DEFAULT_TESTNET_SLAP_TRACKERS: string[] = [
+    "https://testnet-users.bapp.dev"
 ]
 ```
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bsv/sdk",
-  "version": "1.3.32",
+  "version": "1.3.34",
   "type": "module",
   "description": "BSV Blockchain Software Development Kit",
   "main": "dist/cjs/mod.js",

package/src/auth/certificates/MasterCertificate.ts

@@ -76,6 +76,8 @@ export class MasterCertificate extends Certificate {
    * @param {ProtoWallet} creatorWallet - The wallet of the creator responsible for encrypting the fields.
    * @param {WalletCounterparty} certifierOrSubject - The certifier or subject who will validate the certificate fields.
    * @param {Record<CertificateFieldNameUnder50Bytes, string>} fields - A record of certificate field names (under 50 bytes) mapped to their values.
+   * @param {BooleanDefaultFalse} [privileged] - Whether this is a privileged request.
+   * @param {DescriptionString5to50Bytes} [privilegedReason] - Reason provided for privileged access, required if this is a privileged operation.   * 
    * @returns {Promise<CreateCertificateFieldsResult>} A promise resolving to an object containing:
    *   - `certificateFields` {Record<CertificateFieldNameUnder50Bytes, Base64String>}:
    *     The encrypted certificate fields.
@@ -85,7 +87,9 @@ export class MasterCertificate extends Certificate {
   static async createCertificateFields(
     creatorWallet: ProtoWallet,
     certifierOrSubject: WalletCounterparty,
-    fields: Record<CertificateFieldNameUnder50Bytes, string>
+    fields: Record<CertificateFieldNameUnder50Bytes, string>,
+    privileged?: boolean,
+    privilegedReason?: string
   ): Promise<CreateCertificateFieldsResult> {
     const certificateFields: Record<
       CertificateFieldNameUnder50Bytes,
@@ -109,7 +113,9 @@ export class MasterCertificate extends Certificate {
           {
             plaintext: fieldSymmetricKey.toArray(),
             ...Certificate.getCertificateFieldEncryptionDetails(fieldName), // Only fieldName used on MasterCertificate
-            counterparty: certifierOrSubject
+            counterparty: certifierOrSubject,
+            privileged,
+            privilegedReason
           }
         )
       masterKeyring[fieldName] = Utils.toBase64(encryptedFieldRevelationKey)
@@ -132,6 +138,8 @@ export class MasterCertificate extends Certificate {
    * @param {string[]} fieldsToReveal - An array of field names to be revealed to the verifier. Must be a subset of the certificate's fields.
    * @param {string} [originator] - Optional originator identifier, used if additional context is needed for decryption and encryption operations.
    * @returns {Promise<Record<CertificateFieldNameUnder50Bytes, string>>} - A keyring mapping field names to encrypted field revelation keys, allowing the verifier to decrypt specified fields.
+   * @param {BooleanDefaultFalse} [privileged] - Whether this is a privileged request.
+   * @param {DescriptionString5to50Bytes} [privilegedReason] - Reason provided for privileged access, required if this is a privileged operation.   * 
    * @throws {Error} Throws an error if:
    *   - fieldsToReveal is not an array of strings.
    *   - A field in `fieldsToReveal` does not exist in the certificate.
@@ -144,7 +152,9 @@ export class MasterCertificate extends Certificate {
     fields: Record<CertificateFieldNameUnder50Bytes, Base64String>,
     fieldsToReveal: string[],
     masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>,
-    serialNumber: Base64String
+    serialNumber: Base64String,
+    privileged?: boolean,
+    privilegedReason?: string
   ): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
     if (!Array.isArray(fieldsToReveal)) {
       throw new Error('fieldsToReveal must be an array of strings')
@@ -165,7 +175,9 @@ export class MasterCertificate extends Certificate {
           masterKeyring,
           fieldName,
           fields[fieldName],
-          certifier
+          certifier,
+          privileged,
+          privilegedReason
         )
       ).fieldRevelationKey
 
@@ -178,7 +190,9 @@ export class MasterCertificate extends Certificate {
               fieldName,
               serialNumber
             ),
-            counterparty: verifier
+            counterparty: verifier,
+            privileged,
+            privilegedReason
           }
         )
 
@@ -220,22 +234,22 @@ export class MasterCertificate extends Certificate {
       void _serial // Explicitly acknowledge unused parameter
       return 'Certificate revocation not tracked.'
     },
-    serialNumber?: string // ✅ Optional parameter
+    serialNumber?: string
   ): Promise<MasterCertificate> {
     // 1. Generate a random serialNumber if not provided
-    const finalSerialNumber = serialNumber ?? Utils.toBase64(Random(32)) // ✅ Explicit nullish check
+    const finalSerialNumber = serialNumber ?? Utils.toBase64(Random(32))
 
     // 2. Create encrypted certificate fields and associated master keyring
     const { certificateFields, masterKeyring } =
       await this.createCertificateFields(certifierWallet, subject, fields)
 
     // 3. Obtain a revocation outpoint
-    const revocationOutpoint = await getRevocationOutpoint(finalSerialNumber) // ✅ Use `finalSerialNumber`
+    const revocationOutpoint = await getRevocationOutpoint(finalSerialNumber)
 
     // 4. Create new MasterCertificate instance
     const certificate = new MasterCertificate(
       certificateType,
-      finalSerialNumber, // ✅ Use `finalSerialNumber`
+      finalSerialNumber,
       subject,
       (await certifierWallet.getPublicKey({ identityKey: true })).publicKey,
       revocationOutpoint,
@@ -261,6 +275,8 @@ export class MasterCertificate extends Certificate {
    * @param {Record<CertificateFieldNameUnder50Bytes, Base64String>} masterKeyring - A record containing encrypted keys for each field.
    * @param {Record<CertificateFieldNameUnder50Bytes, Base64String>} fields - A record of encrypted field names and their values.
    * @param {WalletCounterparty} counterparty - The counterparty responsible for creating or signing the certificate. For self-signed certificates, use 'self'.
+   * @param {BooleanDefaultFalse} [privileged] - Whether this is a privileged request.
+   * @param {DescriptionString5to50Bytes} [privilegedReason] - Reason provided for privileged access, required if this is a privileged operation.
    * @returns {Promise<Record<CertificateFieldNameUnder50Bytes, string>>} A promise resolving to a record of field names and their decrypted values in plaintext.
    *
    * @throws {Error} Throws an error if the `masterKeyring` is invalid or if decryption fails for any field.
@@ -269,7 +285,9 @@ export class MasterCertificate extends Certificate {
     subjectOrCertifierWallet: ProtoWallet,
     masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>,
     fields: Record<CertificateFieldNameUnder50Bytes, Base64String>,
-    counterparty: WalletCounterparty
+    counterparty: WalletCounterparty,
+    privileged?: boolean,
+    privilegedReason?: string
   ): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
     if (masterKeyring == null || Object.keys(masterKeyring).length === 0) {
       throw new Error('A MasterCertificate must have a valid masterKeyring!')
@@ -285,7 +303,9 @@ export class MasterCertificate extends Certificate {
             masterKeyring,
             fieldName,
             fields[fieldName],
-            counterparty
+            counterparty,
+            privileged,
+            privilegedReason
           )
         ).decryptedFieldValue
       }
@@ -300,7 +320,9 @@ export class MasterCertificate extends Certificate {
     masterKeyring: Record<CertificateFieldNameUnder50Bytes, Base64String>,
     fieldName: Base64String,
     fieldValue: Base64String,
-    counterparty: WalletCounterparty
+    counterparty: WalletCounterparty,
+    privileged?: boolean,
+    privilegedReason?: string
   ): Promise<{ fieldRevelationKey: number[], decryptedFieldValue: string }> {
     if (masterKeyring == null || Object.keys(masterKeyring).length === 0) {
       throw new Error('A MasterCertificate must have a valid masterKeyring!')
@@ -311,7 +333,9 @@ export class MasterCertificate extends Certificate {
           {
             ciphertext: Utils.toArray(masterKeyring[fieldName], 'base64'),
             ...Certificate.getCertificateFieldEncryptionDetails(fieldName), // Only fieldName used on MasterCertificate
-            counterparty
+            counterparty,
+            privileged,
+            privilegedReason
           }
         )
 

package/src/auth/certificates/VerifiableCertificate.ts

@@ -54,10 +54,14 @@ export class VerifiableCertificate extends Certificate {
    * Decrypts selectively revealed certificate fields using the provided keyring and verifier wallet
    * @param {ProtoWallet} verifierWallet - The wallet instance of the certificate's verifier, used to decrypt field keys.
    * @returns {Promise<Record<CertificateFieldNameUnder50Bytes, string>>} - A promise that resolves to an object where each key is a field name and each value is the decrypted field value as a string.
+   * @param {BooleanDefaultFalse} [privileged] - Whether this is a privileged request.
+   * @param {DescriptionString5to50Bytes} [privilegedReason] - Reason provided for privileged access, required if this is a privileged operation.
    * @throws {Error} Throws an error if any of the decryption operations fail, with a message indicating the failure context.
    */
   async decryptFields(
-    verifierWallet: ProtoWallet
+    verifierWallet: ProtoWallet,
+    privileged?: boolean,
+    privilegedReason?: string
   ): Promise<Record<CertificateFieldNameUnder50Bytes, string>> {
     if (this.keyring == null || Object.keys(this.keyring).length === 0) { // ✅ Explicitly check null and empty object
       throw new Error(
@@ -75,7 +79,9 @@ export class VerifiableCertificate extends Certificate {
             fieldName,
             this.serialNumber
           ),
-          counterparty: this.subject
+          counterparty: this.subject,
+          privileged,
+          privilegedReason
         })
 
         const fieldValue = new SymmetricKey(fieldRevelationKey).decrypt(

package/src/overlay-tools/LookupResolver.ts

@@ -37,11 +37,7 @@ export type LookupAnswer =
 /** Default SLAP trackers */
 export const DEFAULT_SLAP_TRACKERS: string[] = [
   // Babbage primary overlay service
-  'https://overlay.babbage.systems',
-  // Babbage example overlay
-  'https://overlay-example.babbage.systems',
-  // The Babbage office building
-  'https://office.babbage.systems'
+  'https://users.bapp.dev'
 
   // NOTE: Other entities may submit pull requests to the library if they maintain SLAP overlay services.
   // Additional trackers run by different entities contribute to greater network resiliency.
@@ -51,10 +47,23 @@ export const DEFAULT_SLAP_TRACKERS: string[] = [
   // Trackers known to host invalid or illegal records will be removed at the discretion of the BSV Association.
 ]
 
+/** Default testnet SLAP trackers */
+export const DEFAULT_TESTNET_SLAP_TRACKERS: string[] = [
+  // Babbage primary testnet overlay service
+  'https://testnet-users.bapp.dev'
+]
+
 const MAX_TRACKER_WAIT_TIME = 1000
 
 /** Configuration options for the Lookup resolver. */
 export interface LookupResolverConfig {
+  /**
+   * The network preset to use, unless other options override it.
+   * - mainnet: use mainnet SLAP trackers and HTTPS facilitator
+   * - testnet: use testnet SLAP trackers and HTTPS facilitator
+   * - local: directly query from localhost:8080 and a facilitator that permits plain HTTP
+   */
+  networkPreset?: 'mainnet' | 'testnet' | 'local'
   /** The facilitator used to make requests to Overlay Services hosts. */
   facilitator?: OverlayLookupFacilitator
   /** The list of SLAP trackers queried to resolve Overlay Services hosts for a given lookup service. */
@@ -83,9 +92,11 @@ export interface OverlayLookupFacilitator {
 
 export class HTTPSOverlayLookupFacilitator implements OverlayLookupFacilitator {
   fetchClient: typeof fetch
+  allowHTTP: boolean
 
-  constructor (httpClient = fetch) {
+  constructor (httpClient = fetch, allowHTTP: boolean = false) {
     this.fetchClient = httpClient
+    this.allowHTTP = allowHTTP
   }
 
   async lookup (
@@ -93,7 +104,7 @@ export class HTTPSOverlayLookupFacilitator implements OverlayLookupFacilitator {
     question: LookupQuestion,
     timeout: number = 5000
   ): Promise<LookupAnswer> {
-    if (!url.startsWith('https:')) {
+    if (!url.startsWith('https:') && !this.allowHTTP) {
       throw new Error(
         'HTTPS facilitator can only use URLs that start with "https:"'
       )
@@ -134,26 +145,14 @@ export default class LookupResolver {
   private readonly slapTrackers: string[]
   private readonly hostOverrides: Record<string, string[]>
   private readonly additionalHosts: Record<string, string[]>
-
-  constructor (config?: LookupResolverConfig) {
-    const defaultConfig: LookupResolverConfig = {
-      facilitator: new HTTPSOverlayLookupFacilitator(),
-      slapTrackers: DEFAULT_SLAP_TRACKERS,
-      hostOverrides: {},
-      additionalHosts: {}
-    }
-
-    const {
-      facilitator = defaultConfig.facilitator,
-      slapTrackers = defaultConfig.slapTrackers,
-      hostOverrides = defaultConfig.hostOverrides,
-      additionalHosts = defaultConfig.additionalHosts
-    } = config ?? defaultConfig // ✅ Use a default object directly
-
-    this.facilitator = facilitator ?? new HTTPSOverlayLookupFacilitator()
-    this.slapTrackers = slapTrackers ?? []
-    this.hostOverrides = hostOverrides ?? {}
-    this.additionalHosts = additionalHosts ?? {}
+  private readonly networkPreset: 'mainnet' | 'testnet' | 'local'
+
+  constructor (config: LookupResolverConfig = {}) {
+    this.networkPreset = config.networkPreset ?? 'mainnet'
+    this.facilitator = config.facilitator ?? new HTTPSOverlayLookupFacilitator(undefined, this.networkPreset === 'local')
+    this.slapTrackers = config.slapTrackers ?? (this.networkPreset === 'mainnet' ? DEFAULT_SLAP_TRACKERS : DEFAULT_TESTNET_SLAP_TRACKERS)
+    this.hostOverrides = config.hostOverrides ?? {}
+    this.additionalHosts = config.additionalHosts ?? {}
   }
 
   /**
@@ -165,9 +164,11 @@ export default class LookupResolver {
   ): Promise<LookupAnswer> {
     let competentHosts: string[] = []
     if (question.service === 'ls_slap') {
-      competentHosts = this.slapTrackers
+      competentHosts = this.networkPreset === 'local' ? ['http://localhost:8080'] : this.slapTrackers
     } else if (this.hostOverrides[question.service] != null) {
       competentHosts = this.hostOverrides[question.service]
+    } else if (this.networkPreset === 'local') {
+      competentHosts = ['http://localhost:8080']
     } else {
       competentHosts = await this.findCompetentHosts(question.service)
     }
@@ -179,7 +180,7 @@ export default class LookupResolver {
     }
     if (competentHosts.length < 1) {
       throw new Error(
-        `No competent hosts found by the SLAP trackers for lookup service: ${question.service}`
+        `No competent ${this.networkPreset} hosts found by the SLAP trackers for lookup service: ${question.service}`
       )
     }
 
@@ -230,7 +231,6 @@ export default class LookupResolver {
         console.error('Error processing response outputs:', error)
       }
     }
-    // ✅ Ensure function always returns a value
     return {
       type: 'output-list',
       outputs: Array.from(outputs.values())