@bsv/wallet-toolbox-client 2.1.24 → 3.0.0-alpha.0

package/out/src/WalletPermissionsManager.js

@@ -3,9 +3,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.WalletPermissionsManager = void 0;
 const sdk_1 = require("@bsv/sdk");
 const brc114ActionTimeLabels_1 = require("./utility/brc114ActionTimeLabels");
-////// TODO: ADD SUPPORT FOR ADMIN COUNTERPARTIES BASED ON WALLET STORAGE
-//////       PROHIBITION OF SPECIAL OPERATIONS IS ALSO CRITICAL.
-////// !!!!!!!! SECURITY-CRITICAL ADDITION — DO NOT USE UNTIL IMPLEMENTED.
+/// /// TODO: ADD SUPPORT FOR ADMIN COUNTERPARTIES BASED ON WALLET STORAGE
+/// ///       PROHIBITION OF SPECIAL OPERATIONS IS ALSO CRITICAL.
+/// /// !!!!!!!! SECURITY-CRITICAL ADDITION — DO NOT USE UNTIL IMPLEMENTED.
 function deepEqual(object1, object2) {
     if (object1 === null || object1 === undefined || object2 === null || object2 === undefined) {
         return object1 === object2;
@@ -149,7 +149,7 @@ class WalletPermissionsManager {
         }
         const schemeID = basketOrProtocolName.split(' ')[1];
         const module = (_a = this.config.permissionModules) === null || _a === void 0 ? void 0 : _a[schemeID];
-        if (!module) {
+        if (module == null) {
             throw new Error(`Unsupported P-module scheme: p ${schemeID}`);
         }
         // Transform request with module
@@ -174,7 +174,7 @@ class WalletPermissionsManager {
         if (pModulesByScheme.has(schemeID))
             return;
         const module = (_a = this.config.permissionModules) === null || _a === void 0 ? void 0 : _a[schemeID];
-        if (!module) {
+        if (module == null) {
             throw new Error(`Unsupported P-${kind} scheme: p ${schemeID}`);
         }
         pModulesByScheme.set(schemeID, module);
@@ -198,7 +198,7 @@ class WalletPermissionsManager {
      */
     splitLabelsByPermissionModule(labels, pModulesByScheme) {
         const nonPLabels = [];
-        if (!labels)
+        if (labels == null)
             return nonPLabels;
         for (const label of labels) {
             if (label.startsWith('p ')) {
@@ -233,9 +233,9 @@ class WalletPermissionsManager {
      */
     async decryptListOutputsMetadata(results) {
         if (results.outputs) {
-            for (let i = 0; i < results.outputs.length; i++) {
-                if (results.outputs[i].customInstructions) {
-                    results.outputs[i].customInstructions = await this.maybeDecryptMetadata(results.outputs[i].customInstructions);
+            for (const output of results.outputs) {
+                if (output.customInstructions) {
+                    output.customInstructions = await this.maybeDecryptMetadata(output.customInstructions);
                 }
             }
         }
@@ -246,31 +246,37 @@ class WalletPermissionsManager {
      */
     async decryptListActionsMetadata(results) {
         if (results.actions) {
-            for (let i = 0; i < results.actions.length; i++) {
-                if (results.actions[i].description) {
-                    results.actions[i].description = await this.maybeDecryptMetadata(results.actions[i].description);
-                }
-                if (results.actions[i].inputs) {
-                    for (let j = 0; j < results.actions[i].inputs.length; j++) {
-                        if (results.actions[i].inputs[j].inputDescription) {
-                            results.actions[i].inputs[j].inputDescription = await this.maybeDecryptMetadata(results.actions[i].inputs[j].inputDescription);
-                        }
-                    }
-                }
-                if (results.actions[i].outputs) {
-                    for (let j = 0; j < results.actions[i].outputs.length; j++) {
-                        if (results.actions[i].outputs[j].outputDescription) {
-                            results.actions[i].outputs[j].outputDescription = await this.maybeDecryptMetadata(results.actions[i].outputs[j].outputDescription);
-                        }
-                        if (results.actions[i].outputs[j].customInstructions) {
-                            results.actions[i].outputs[j].customInstructions = await this.maybeDecryptMetadata(results.actions[i].outputs[j].customInstructions);
-                        }
-                    }
-                }
+            for (const action of results.actions) {
+                await this.decryptSingleActionMetadata(action);
             }
         }
         return results;
     }
+    async decryptSingleActionMetadata(action) {
+        if (action.description) {
+            action.description = await this.maybeDecryptMetadata(action.description);
+        }
+        if (action.inputs != null) {
+            for (const input of action.inputs) {
+                if (input.inputDescription) {
+                    input.inputDescription = await this.maybeDecryptMetadata(input.inputDescription);
+                }
+            }
+        }
+        if (action.outputs != null) {
+            for (const output of action.outputs) {
+                await this.decryptActionOutputMetadata(output);
+            }
+        }
+    }
+    async decryptActionOutputMetadata(output) {
+        if (output.outputDescription) {
+            output.outputDescription = await this.maybeDecryptMetadata(output.outputDescription);
+        }
+        if (output.customInstructions) {
+            output.customInstructions = await this.maybeDecryptMetadata(output.customInstructions);
+        }
+    }
     /* ---------------------------------------------------------------------
      *  1) PUBLIC API FOR REGISTERING CALLBACKS (UI PROMPTS, LOGGING, ETC.)
      * --------------------------------------------------------------------- */
@@ -295,7 +301,7 @@ class WalletPermissionsManager {
      * @returns          True if successfully unbound, false otherwise
      */
     unbindCallback(eventName, reference) {
-        if (!this.callbacks[eventName])
+        if (this.callbacks[eventName] == null)
             return false;
         const arr = this.callbacks[eventName];
         if (typeof reference === 'number') {
@@ -329,8 +335,9 @@ class WalletPermissionsManager {
                 try {
                     await cb(param);
                 }
-                catch (e) {
-                    // Intentionally swallow errors from user-provided callbacks
+                catch (_callbackError) {
+                    // Intentionally swallow errors from user-provided callbacks to prevent
+                    // a misbehaving callback from disrupting the event dispatch loop.
                 }
             }
         }
@@ -350,7 +357,7 @@ class WalletPermissionsManager {
     async grantPermission(params) {
         // 1) Identify the matching queued requests in `activeRequests`
         const matching = this.activeRequests.get(params.requestID);
-        if (!matching) {
+        if (matching == null) {
             throw new Error('Request ID not found.');
         }
         // 2) Mark all matching requests as resolved, deleting the entry
@@ -361,14 +368,14 @@ class WalletPermissionsManager {
         // 3) If `ephemeral !== true`, we create or renew an on-chain token
         if (!params.ephemeral) {
             const request = matching.request;
-            if (!request.renewal) {
-                // brand-new permission token
-                await this.createPermissionOnChain(request, params.expiry || 0, // default: never expires
+            if (request.renewal) {
+                // renewal => spend the old token, produce a new one
+                await this.renewPermissionOnChain(request.previousToken, request, params.expiry || 0, // default: never expires
                 params.amount);
             }
             else {
-                // renewal => spend the old token, produce a new one
-                await this.renewPermissionOnChain(request.previousToken, request, params.expiry || 0, // default: never expires
+                // brand-new permission token
+                await this.createPermissionOnChain(request, params.expiry || 0, // default: never expires
                 params.amount);
             }
         }
@@ -390,7 +397,7 @@ class WalletPermissionsManager {
     async denyPermission(requestID) {
         // 1) Identify the matching requests
         const matching = this.activeRequests.get(requestID);
-        if (!matching) {
+        if (matching == null) {
             throw new Error('Request ID not found.');
         }
         // 2) Reject all matching requests, deleting the entry
@@ -406,33 +413,19 @@ class WalletPermissionsManager {
      * @param params.expiry An optional expiry time (in seconds) for the new permission tokens.
      */
     async grantGroupedPermission(params) {
-        var _a, _b, _c;
         const matching = this.activeRequests.get(params.requestID);
-        if (!matching) {
+        if (matching == null) {
             throw new Error('Request ID not found.');
         }
         try {
             const originalRequest = matching.request;
             const { originator, permissions: requestedPermissions, displayOriginator } = originalRequest;
             const originLookupValues = this.buildOriginatorLookupValues(displayOriginator, originator);
-            // --- Validation: Ensure granted permissions are a subset of what was requested ---
-            if (params.granted.spendingAuthorization && !requestedPermissions.spendingAuthorization) {
-                throw new Error('Granted spending authorization was not part of the original request.');
-            }
-            if ((_a = params.granted.protocolPermissions) === null || _a === void 0 ? void 0 : _a.some(g => { var _a; return !((_a = requestedPermissions.protocolPermissions) === null || _a === void 0 ? void 0 : _a.find(r => deepEqual(r, g))); })) {
-                throw new Error('Granted protocol permissions are not a subset of the original request.');
-            }
-            if ((_b = params.granted.basketAccess) === null || _b === void 0 ? void 0 : _b.some(g => { var _a; return !((_a = requestedPermissions.basketAccess) === null || _a === void 0 ? void 0 : _a.find(r => deepEqual(r, g))); })) {
-                throw new Error('Granted basket access permissions are not a subset of the original request.');
-            }
-            if ((_c = params.granted.certificateAccess) === null || _c === void 0 ? void 0 : _c.some(g => { var _a; return !((_a = requestedPermissions.certificateAccess) === null || _a === void 0 ? void 0 : _a.find(r => deepEqual(r, g))); })) {
-                throw new Error('Granted certificate access permissions are not a subset of the original request.');
-            }
-            // --- End Validation ---
+            this.validateGrantedPermissionsSubset(params.granted, requestedPermissions);
             const expiry = params.expiry || 0; // default: never expires
             const toCreate = [];
             const toRenew = [];
-            if (params.granted.spendingAuthorization) {
+            if (params.granted.spendingAuthorization != null) {
                 toCreate.push({
                     request: {
                         type: 'spending',
@@ -460,11 +453,11 @@ class WalletPermissionsManager {
                     counterparty,
                     reason: p.description
                 };
-                if (token) {
-                    toRenew.push({ oldToken: token, request, expiry });
+                if (token == null) {
+                    toCreate.push({ request, expiry });
                 }
                 else {
-                    toCreate.push({ request, expiry });
+                    toRenew.push({ oldToken: token, request, expiry });
                 }
             }
             for (const b of params.granted.basketAccess || []) {
@@ -515,9 +508,28 @@ class WalletPermissionsManager {
      * Denies a previously requested grouped permission.
      * @param requestID The ID of the request being denied.
      */
-    async denyGroupedPermission(requestID) {
+    /**
+     * Validates that every entry in `granted` was part of the original `requested` set.
+     * Throws an error on the first mismatch.
+     */
+    validateGrantedPermissionsSubset(granted, requested) {
+        var _a, _b, _c;
+        if ((granted.spendingAuthorization != null) && (requested.spendingAuthorization == null)) {
+            throw new Error('Granted spending authorization was not part of the original request.');
+        }
+        if ((_a = granted.protocolPermissions) === null || _a === void 0 ? void 0 : _a.some(g => { var _a; return ((_a = requested.protocolPermissions) === null || _a === void 0 ? void 0 : _a.find(r => deepEqual(r, g))) == null; })) {
+            throw new Error('Granted protocol permissions are not a subset of the original request.');
+        }
+        if ((_b = granted.basketAccess) === null || _b === void 0 ? void 0 : _b.some(g => { var _a; return ((_a = requested.basketAccess) === null || _a === void 0 ? void 0 : _a.find(r => deepEqual(r, g))) == null; })) {
+            throw new Error('Granted basket access permissions are not a subset of the original request.');
+        }
+        if ((_c = granted.certificateAccess) === null || _c === void 0 ? void 0 : _c.some(g => { var _a; return ((_a = requested.certificateAccess) === null || _a === void 0 ? void 0 : _a.find(r => deepEqual(r, g))) == null; })) {
+            throw new Error('Granted certificate access permissions are not a subset of the original request.');
+        }
+    }
+    denyActiveRequest(requestID) {
         const matching = this.activeRequests.get(requestID);
-        if (!matching) {
+        if (matching == null) {
             throw new Error('Request ID not found.');
         }
         const err = new Error('The user has denied the request for permission.');
@@ -527,9 +539,12 @@ class WalletPermissionsManager {
         }
         this.activeRequests.delete(requestID);
     }
+    async denyGroupedPermission(requestID) {
+        this.denyActiveRequest(requestID);
+    }
     async dismissGroupedPermission(requestID) {
         const matching = this.activeRequests.get(requestID);
-        if (!matching) {
+        if (matching == null) {
             throw new Error('Request ID not found.');
         }
         for (const p of matching.pending) {
@@ -540,7 +555,7 @@ class WalletPermissionsManager {
     async grantCounterpartyPermission(params) {
         var _a;
         const matching = this.activeRequests.get(params.requestID);
-        if (!matching) {
+        if (matching == null) {
             throw new Error('Request ID not found.');
         }
         const originalRequest = matching.request;
@@ -585,11 +600,11 @@ class WalletPermissionsManager {
                 counterparty,
                 reason: p.description
             };
-            if (token) {
-                toRenew.push({ oldToken: token, request, expiry });
+            if (token == null) {
+                toCreate.push({ request, expiry });
             }
             else {
-                toCreate.push({ request, expiry });
+                toRenew.push({ oldToken: token, request, expiry });
             }
         }
         const created = await this.createPermissionTokensBestEffort(toCreate);
@@ -603,16 +618,7 @@ class WalletPermissionsManager {
         this.activeRequests.delete(params.requestID);
     }
     async denyCounterpartyPermission(requestID) {
-        const matching = this.activeRequests.get(requestID);
-        if (!matching) {
-            throw new Error('Request ID not found.');
-        }
-        const err = new Error('The user has denied the request for permission.');
-        err.code = 'ERR_PERMISSION_DENIED';
-        for (const p of matching.pending) {
-            p.reject(err);
-        }
-        this.activeRequests.delete(requestID);
+        this.denyActiveRequest(requestID);
     }
     /* ---------------------------------------------------------------------
      *  3) THE "ENSURE" METHODS: CHECK IF PERMISSION EXISTS, OTHERWISE PROMPT
@@ -627,99 +633,49 @@ class WalletPermissionsManager {
         // 1) adminOriginator can do anything
         if (this.isAdminOriginator(originator))
             return true;
-        // 2) If security level=0, we consider it "open" usage
+        // 2) If security level=0, we consider it “open” usage
         const [level, protoName] = protocolID;
         if (level === 0)
             return true;
-        if (level === 1) {
+        if (level === 1)
             counterparty = '';
-        }
         // 3) If protocol is admin-reserved, block
         if (this.isAdminProtocol(protocolID)) {
             throw new Error(`Protocol “${protoName}” is admin-only.`);
         }
         // Allow the configured exceptions.
-        if (usageType === 'signing' && !this.config.seekProtocolPermissionsForSigning) {
-            return true;
-        }
-        if (usageType === 'encrypting' && !this.config.seekProtocolPermissionsForEncrypting) {
-            return true;
-        }
-        if (usageType === 'hmac' && !this.config.seekProtocolPermissionsForHMAC) {
-            return true;
-        }
-        if (usageType === 'publicKey' && !this.config.seekPermissionsForPublicKeyRevelation) {
-            return true;
-        }
-        if (usageType === 'identityKey' && !this.config.seekPermissionsForIdentityKeyRevelation) {
-            return true;
-        }
-        if (usageType === 'linkageRevelation' && !this.config.seekPermissionsForKeyLinkageRevelation) {
+        if (this.isProtocolUsageTypeExempted(usageType))
             return true;
-        }
-        if (!this.config.differentiatePrivilegedOperations) {
+        if (!this.config.differentiatePrivilegedOperations)
             privileged = false;
-        }
-        if (!privileged && this.isWhitelistedCounterpartyProtocol(counterparty, protocolID)) {
+        if (!privileged && this.isWhitelistedCounterpartyProtocol(counterparty, protocolID))
             return true;
-        }
-        const cacheKey = this.buildRequestKey({
-            type: 'protocol',
-            originator,
-            privileged,
-            protocolID,
-            counterparty
-        });
-        if (this.isPermissionCached(cacheKey)) {
+        const cacheKey = this.buildRequestKey({ type: 'protocol', originator, privileged, protocolID, counterparty });
+        if (this.isPermissionCached(cacheKey) || this.isRecentlyGranted(cacheKey))
             return true;
-        }
-        if (this.isRecentlyGranted(cacheKey)) {
-            return true;
-        }
         // 4) Attempt to find a valid token in the internal basket
-        const token = await this.findProtocolToken(originator, privileged, protocolID, counterparty, 
-        /*includeExpired=*/ true, lookupValues);
-        if (token) {
-            if (!this.isTokenExpired(token.expiry)) {
-                // valid and unexpired
-                this.cachePermission(cacheKey, token.expiry);
-                return true;
-            }
-            else {
-                // has a token but expired => request renewal if allowed
-                if (!seekPermission) {
-                    throw new Error(`Protocol permission expired and no further user consent allowed (seekPermission=false).`);
-                }
-                return await this.requestPermissionFlow({
-                    type: 'protocol',
-                    originator,
-                    privileged,
-                    protocolID,
-                    counterparty,
-                    usageType,
-                    reason,
-                    renewal: true,
-                    previousToken: token
-                });
-            }
-        }
-        else {
+        const token = await this.findProtocolToken(originator, privileged, protocolID, counterparty, /* includeExpired= */ true, lookupValues);
+        if (token == null) {
             // No token found => request a new one if allowed
+            if (!seekPermission)
+                throw new Error('No protocol permission token found (seekPermission=false).');
+            return await this.requestPermissionFlow({
+                type: 'protocol', originator, privileged, protocolID, counterparty, usageType, reason, renewal: false
+            });
+        }
+        if (this.isTokenExpired(token.expiry)) {
+            // has a token but expired => request renewal if allowed
             if (!seekPermission) {
-                throw new Error(`No protocol permission token found (seekPermission=false).`);
+                throw new Error('Protocol permission expired and no further user consent allowed (seekPermission=false).');
             }
-            const granted = await this.requestPermissionFlow({
-                type: 'protocol',
-                originator,
-                privileged,
-                protocolID,
-                counterparty,
-                usageType,
-                reason,
-                renewal: false
+            return await this.requestPermissionFlow({
+                type: 'protocol', originator, privileged, protocolID, counterparty, usageType, reason,
+                renewal: true, previousToken: token
             });
-            return granted;
         }
+        // valid and unexpired
+        this.cachePermission(cacheKey, token.expiry);
+        return true;
     }
     /**
      * Ensures the originator has basket usage permission for the specified basket.
@@ -730,58 +686,38 @@ class WalletPermissionsManager {
         originator = normalizedOriginator;
         if (this.isAdminOriginator(originator))
             return true;
-        if (this.isAdminBasket(basket)) {
+        if (this.isAdminBasket(basket))
             throw new Error(`Basket “${basket}” is admin-only.`);
-        }
-        if (usageType === 'insertion' && !this.config.seekBasketInsertionPermissions)
-            return true;
-        if (usageType === 'removal' && !this.config.seekBasketRemovalPermissions)
-            return true;
-        if (usageType === 'listing' && !this.config.seekBasketListingPermissions)
+        if (!this.isBasketUsageRequired(usageType))
             return true;
         const cacheKey = this.buildRequestKey({ type: 'basket', originator, basket });
-        if (this.isPermissionCached(cacheKey)) {
-            return true;
-        }
-        if (this.isRecentlyGranted(cacheKey)) {
+        if (this.isPermissionCached(cacheKey) || this.isRecentlyGranted(cacheKey))
             return true;
-        }
         const token = await this.findBasketToken(originator, basket, true, lookupValues);
-        if (token) {
-            if (!this.isTokenExpired(token.expiry)) {
-                this.cachePermission(cacheKey, token.expiry);
-                return true;
-            }
-            else {
-                if (!seekPermission) {
-                    throw new Error(`Basket permission expired (seekPermission=false).`);
-                }
-                return await this.requestPermissionFlow({
-                    type: 'basket',
-                    originator,
-                    basket,
-                    usageType,
-                    reason,
-                    renewal: true,
-                    previousToken: token
-                });
-            }
-        }
-        else {
-            // none
-            if (!seekPermission) {
-                throw new Error(`No basket permission found, and no user consent allowed (seekPermission=false).`);
-            }
-            const granted = await this.requestPermissionFlow({
-                type: 'basket',
-                originator,
-                basket,
-                usageType,
-                reason,
-                renewal: false
+        if (token == null) {
+            if (!seekPermission)
+                throw new Error('No basket permission found, and no user consent allowed (seekPermission=false).');
+            return await this.requestPermissionFlow({ type: 'basket', originator, basket, usageType, reason, renewal: false });
+        }
+        if (this.isTokenExpired(token.expiry)) {
+            if (!seekPermission)
+                throw new Error('Basket permission expired (seekPermission=false).');
+            return await this.requestPermissionFlow({
+                type: 'basket', originator, basket, usageType, reason, renewal: true, previousToken: token
             });
-            return granted;
         }
+        this.cachePermission(cacheKey, token.expiry);
+        return true;
+    }
+    /** Returns false when the basket usageType does NOT need a permission check (config-gated). */
+    isBasketUsageRequired(usageType) {
+        if (usageType === 'insertion' && !this.config.seekBasketInsertionPermissions)
+            return false;
+        if (usageType === 'removal' && !this.config.seekBasketRemovalPermissions)
+            return false;
+        if (usageType === 'listing' && !this.config.seekBasketListingPermissions)
+            return false;
+        return true;
     }
     /**
      * Ensures the originator has a valid certificate permission.
@@ -811,43 +747,38 @@ class WalletPermissionsManager {
             return true;
         }
         const token = await this.findCertificateToken(originator, privileged, verifier, certType, fields, 
-        /*includeExpired=*/ true, lookupValues);
-        if (token) {
-            if (!this.isTokenExpired(token.expiry)) {
-                this.cachePermission(cacheKey, token.expiry);
-                return true;
-            }
-            else {
-                if (!seekPermission) {
-                    throw new Error(`Certificate permission expired (seekPermission=false).`);
-                }
-                return await this.requestPermissionFlow({
-                    type: 'certificate',
-                    originator,
-                    privileged,
-                    certificate: { verifier, certType, fields },
-                    usageType,
-                    reason,
-                    renewal: true,
-                    previousToken: token
-                });
+        /* includeExpired= */ true, lookupValues);
+        if (token == null) {
+            if (!seekPermission) {
+                throw new Error('No certificate permission found (seekPermission=false).');
             }
+            return await this.requestPermissionFlow({
+                type: 'certificate',
+                originator,
+                privileged,
+                certificate: { verifier, certType, fields },
+                usageType,
+                reason,
+                renewal: false
+            });
         }
-        else {
+        if (this.isTokenExpired(token.expiry)) {
             if (!seekPermission) {
-                throw new Error(`No certificate permission found (seekPermission=false).`);
+                throw new Error('Certificate permission expired (seekPermission=false).');
             }
-            const granted = await this.requestPermissionFlow({
+            return await this.requestPermissionFlow({
                 type: 'certificate',
                 originator,
                 privileged,
                 certificate: { verifier, certType, fields },
                 usageType,
                 reason,
-                renewal: false
+                renewal: true,
+                previousToken: token
             });
-            return granted;
         }
+        this.cachePermission(cacheKey, token.expiry);
+        return true;
     }
     /**
      * Ensures the originator has spending authorization (DSAP) for a certain satoshi amount.
@@ -892,7 +823,7 @@ class WalletPermissionsManager {
         else {
             // no token
             if (!seekPermission) {
-                throw new Error(`No spending authorization found, (seekPermission=false).`);
+                throw new Error('No spending authorization found, (seekPermission=false).');
             }
             return await this.requestPermissionFlow({
                 type: 'spending',
@@ -944,9 +875,27 @@ class WalletPermissionsManager {
             usageType: 'generic'
         });
     }
+    /**
+     * Returns true when the given usageType is configured to skip permission checks.
+     */
+    isProtocolUsageTypeExempted(usageType) {
+        if (usageType === 'signing' && !this.config.seekProtocolPermissionsForSigning)
+            return true;
+        if (usageType === 'encrypting' && !this.config.seekProtocolPermissionsForEncrypting)
+            return true;
+        if (usageType === 'hmac' && !this.config.seekProtocolPermissionsForHMAC)
+            return true;
+        if (usageType === 'publicKey' && !this.config.seekPermissionsForPublicKeyRevelation)
+            return true;
+        if (usageType === 'identityKey' && !this.config.seekPermissionsForIdentityKeyRevelation)
+            return true;
+        if (usageType === 'linkageRevelation' && !this.config.seekPermissionsForKeyLinkageRevelation)
+            return true;
+        return false;
+    }
     isProtocolInCounterpartyPermissions(protocolID, counterpartyPermissions) {
         const [, name] = protocolID;
-        return !!counterpartyPermissions.protocols.find(p => p.protocolName === name);
+        return counterpartyPermissions.protocols.some(p => p.protocolName === name);
     }
     validateCounterpartyPermissions(raw) {
         if (!raw || !Array.isArray(raw.protocols) || raw.protocols.length === 0)
@@ -998,15 +947,15 @@ class WalletPermissionsManager {
     }
     async fetchManifestPermissions(originator) {
         const cached = this.manifestCache.get(originator);
-        if (cached && Date.now() - cached.fetchedAt < WalletPermissionsManager.MANIFEST_CACHE_TTL_MS) {
+        if ((cached != null) && Date.now() - cached.fetchedAt < WalletPermissionsManager.MANIFEST_CACHE_TTL_MS) {
             return {
                 groupPermissions: cached.groupPermissions,
                 counterpartyPermissions: cached.counterpartyPermissions
             };
         }
         const inProgress = this.manifestFetchInProgress.get(originator);
-        if (inProgress) {
-            return inProgress;
+        if (inProgress != null) {
+            return await inProgress;
         }
         const fetchPromise = (async () => {
             try {
@@ -1025,7 +974,9 @@ class WalletPermissionsManager {
                     return { groupPermissions, counterpartyPermissions: counterpartyPermissionsDeclared };
                 }
             }
-            catch (e) { }
+            catch (_manifestFetchError) {
+                // Manifest fetch or parse failed — fall through to return null/null defaults below
+            }
             const result = { groupPermissions: null, counterpartyPermissions: null };
             this.manifestCache.set(originator, { ...result, fetchedAt: Date.now() });
             return result;
@@ -1051,7 +1002,7 @@ class WalletPermissionsManager {
         };
         const [spendingAuthorization, protocolPermissions, basketAccess, certificateAccess] = await Promise.all([
             (async () => {
-                if (!groupPermissions.spendingAuthorization)
+                if (groupPermissions.spendingAuthorization == null)
                     return undefined;
                 const hasAuth = await this.hasSpendingAuthorization({
                     originator,
@@ -1102,7 +1053,7 @@ class WalletPermissionsManager {
                 return certChecks.filter(Boolean);
             })()
         ]);
-        if (spendingAuthorization) {
+        if (spendingAuthorization != null) {
             permissionsToRequest.spendingAuthorization = spendingAuthorization;
         }
         permissionsToRequest.protocolPermissions = protocolPermissions;
@@ -1210,27 +1161,22 @@ class WalletPermissionsManager {
             protocols: protocolsToRequest
         };
         const key = `pact:${originator}:${counterparty}`;
+        await this.joinOrCreatePactRequest(key, originator, counterparty, permissionsToRequest, currentRequest.displayOriginator);
+        this.markPactEstablished(originator, counterparty);
+        const satisfied = await this.hasProtocolPermission({
+            originator,
+            privileged: false,
+            protocolID: currentRequest.protocolID,
+            counterparty
+        });
+        return satisfied ? true : null;
+    }
+    async joinOrCreatePactRequest(key, originator, counterparty, permissionsToRequest, displayOriginator) {
         const existing = this.activeRequests.get(key);
-        if (existing) {
-            const existingRequest = existing.request;
-            for (const p of permissionsToRequest.protocols) {
-                if (!existingRequest.permissions.protocols.find(x => x.protocolName === p.protocolName)) {
-                    existingRequest.permissions.protocols.push(p);
-                }
-            }
-            await new Promise((resolve, reject) => {
-                existing.pending.push({ resolve, reject });
-            });
-        }
-        else {
+        if (existing == null) {
             const counterpartyPromise = new Promise((resolve, reject) => {
                 this.activeRequests.set(key, {
-                    request: {
-                        originator,
-                        counterparty,
-                        permissions: permissionsToRequest,
-                        displayOriginator: currentRequest.displayOriginator
-                    },
+                    request: { originator, counterparty, permissions: permissionsToRequest, displayOriginator },
                     pending: [{ resolve, reject }]
                 });
             });
@@ -1242,14 +1188,17 @@ class WalletPermissionsManager {
             });
             await counterpartyPromise;
         }
-        this.markPactEstablished(originator, counterparty);
-        const satisfied = await this.hasProtocolPermission({
-            originator,
-            privileged: false,
-            protocolID: currentRequest.protocolID,
-            counterparty
-        });
-        return satisfied ? true : null;
+        else {
+            const existingRequest = existing.request;
+            for (const p of permissionsToRequest.protocols) {
+                if (!existingRequest.permissions.protocols.some(x => x.protocolName === p.protocolName)) {
+                    existingRequest.permissions.protocols.push(p);
+                }
+            }
+            await new Promise((resolve, reject) => {
+                existing.pending.push({ resolve, reject });
+            });
+        }
     }
     async maybeRequestPeerGroupedLevel2ProtocolPermissions(currentRequest) {
         var _a, _b;
@@ -1270,7 +1219,7 @@ class WalletPermissionsManager {
         const privileged = (_a = currentRequest.privileged) !== null && _a !== void 0 ? _a : false;
         const counterparty = (_b = currentRequest.counterparty) !== null && _b !== void 0 ? _b : 'self';
         const groupPermissions = await this.fetchManifestGroupPermissions(originator);
-        if (!groupPermissions) {
+        if (groupPermissions == null) {
             return null;
         }
         const normalizeManifestCounterparty = (cp) => {
@@ -1316,40 +1265,7 @@ class WalletPermissionsManager {
             return null;
         }
         const key = `group-peer:${originator}:${privileged}:${counterparty}`;
-        const existing = this.activeRequests.get(key);
-        if (existing) {
-            const existingRequest = existing.request;
-            if (!existingRequest.permissions.protocolPermissions) {
-                existingRequest.permissions.protocolPermissions = [];
-            }
-            for (const p of permissionsToRequest.protocolPermissions || []) {
-                if (!existingRequest.permissions.protocolPermissions.find(x => deepEqual(x, p))) {
-                    existingRequest.permissions.protocolPermissions.push(p);
-                }
-            }
-            await new Promise((resolve, reject) => {
-                existing.pending.push({ resolve, reject });
-            });
-        }
-        else {
-            const permissions = permissionsToRequest;
-            const groupedPromise = new Promise((resolve, reject) => {
-                this.activeRequests.set(key, {
-                    request: {
-                        originator,
-                        permissions,
-                        displayOriginator: currentRequest.displayOriginator
-                    },
-                    pending: [{ resolve, reject }]
-                });
-            });
-            await this.callEvent('onGroupedPermissionRequested', {
-                requestID: key,
-                originator,
-                permissions
-            });
-            await groupedPromise;
-        }
+        await this.joinOrCreateGroupedRequest(key, originator, permissionsToRequest, currentRequest.displayOriginator);
         const satisfied = await this.checkSpecificPermissionAfterGroupFlow(currentRequest);
         return satisfied ? true : null;
     }
@@ -1360,7 +1276,7 @@ class WalletPermissionsManager {
         const gate = new Promise(resolve => {
             release = resolve;
         });
-        const currentTail = safePriorTail.then(() => gate);
+        const currentTail = safePriorTail.then(async () => await gate);
         this.groupedPermissionFlowTail.set(originator, currentTail);
         await safePriorTail;
         try {
@@ -1414,7 +1330,7 @@ class WalletPermissionsManager {
                 if (request.privileged)
                     return false;
                 const pid = request.protocolID;
-                if (!pid)
+                if (pid == null)
                     return false;
                 const cp = (_a = request.counterparty) !== null && _a !== void 0 ? _a : 'self';
                 return !!((_b = groupPermissions.protocolPermissions) === null || _b === void 0 ? void 0 : _b.some(p => {
@@ -1439,7 +1355,7 @@ class WalletPermissionsManager {
                 if (request.privileged)
                     return false;
                 const cert = request.certificate;
-                if (!cert)
+                if (cert == null)
                     return false;
                 return !!((_d = groupPermissions.certificateAccess) === null || _d === void 0 ? void 0 : _d.some(c => {
                     const fieldsA = new Set(c.fields || []);
@@ -1453,7 +1369,7 @@ class WalletPermissionsManager {
                 }));
             }
             case 'spending':
-                return !!groupPermissions.spendingAuthorization;
+                return groupPermissions.spendingAuthorization != null;
             default:
                 return false;
         }
@@ -1464,7 +1380,7 @@ class WalletPermissionsManager {
         }
         const originator = currentRequest.originator;
         const groupPermissions = await this.fetchManifestGroupPermissions(originator);
-        if (!groupPermissions) {
+        if (groupPermissions == null) {
             return null;
         }
         if (!this.isRequestIncludedInGroupPermissions(currentRequest, groupPermissions)) {
@@ -1475,19 +1391,22 @@ class WalletPermissionsManager {
             return null;
         }
         const key = `group:${originator}`;
-        if (this.activeRequests.has(key)) {
-            await new Promise((resolve, reject) => {
-                this.activeRequests.get(key).pending.push({ resolve, reject });
-            });
-        }
-        else {
+        await this.joinOrCreateGroupedRequest(key, originator, permissionsToRequest, currentRequest.displayOriginator);
+        const satisfied = await this.checkSpecificPermissionAfterGroupFlow(currentRequest);
+        return satisfied ? true : null;
+    }
+    /**
+     * Joins an existing grouped permission request (piggybacks on the existing promise), or creates
+     * a new one and fires the onGroupedPermissionRequested event.
+     */
+    async joinOrCreateGroupedRequest(key, originator, permissionsToRequest, displayOriginator) {
+        var _a;
+        var _b;
+        const existing = this.activeRequests.get(key);
+        if (existing == null) {
             const permPromise = new Promise((resolve, reject) => {
                 this.activeRequests.set(key, {
-                    request: {
-                        originator,
-                        permissions: permissionsToRequest,
-                        displayOriginator: currentRequest.displayOriginator
-                    },
+                    request: { originator, permissions: permissionsToRequest, displayOriginator },
                     pending: [{ resolve, reject }]
                 });
             });
@@ -1498,8 +1417,18 @@ class WalletPermissionsManager {
             });
             await permPromise;
         }
-        const satisfied = await this.checkSpecificPermissionAfterGroupFlow(currentRequest);
-        return satisfied ? true : null;
+        else {
+            const existingRequest = existing.request;
+            (_a = (_b = existingRequest.permissions).protocolPermissions) !== null && _a !== void 0 ? _a : (_b.protocolPermissions = []);
+            for (const p of permissionsToRequest.protocolPermissions || []) {
+                if (!existingRequest.permissions.protocolPermissions.some(x => deepEqual(x, p))) {
+                    existingRequest.permissions.protocolPermissions.push(p);
+                }
+            }
+            await new Promise((resolve, reject) => {
+                existing.pending.push({ resolve, reject });
+            });
+        }
     }
     /**
      * A central method that triggers the permission request flow.
@@ -1521,22 +1450,39 @@ class WalletPermissionsManager {
         }
         const key = this.buildActiveRequestKey(preparedRequest);
         // If there's already a queue for the same resource, we piggyback on it
-        const existingQueue = this.activeRequests.get(key);
-        if (existingQueue && existingQueue.pending.length > 0) {
-            return new Promise((resolve, reject) => {
-                existingQueue.pending.push({ resolve, reject });
-            });
+        if (this.isPiggybacking(key)) {
+            return await this.piggybackOnExistingQueue(key);
         }
         const pactResult = await this.maybeRequestPact(preparedRequest);
-        if (pactResult !== null) {
+        if (pactResult !== null)
             return pactResult;
-        }
         const peerGroupResult = await this.maybeRequestPeerGroupedLevel2ProtocolPermissions(preparedRequest);
-        if (peerGroupResult !== null) {
+        if (peerGroupResult !== null)
             return peerGroupResult;
-        }
+        const groupResult = await this.resolveGroupedFlow(preparedRequest, key);
+        if (groupResult !== null)
+            return groupResult;
+        // Re-check after grouped flow — another waiter may have set up a queue
+        if (this.isPiggybacking(key))
+            return await this.piggybackOnExistingQueue(key);
+        return await this.enqueueAndFireEvent(preparedRequest, key);
+    }
+    /** Returns true when an active-request queue already has pending waiters for this key. */
+    isPiggybacking(key) {
+        const q = this.activeRequests.get(key);
+        return (q != null) && q.pending.length > 0;
+    }
+    /** Appends to an existing request queue and waits for resolution. */
+    async piggybackOnExistingQueue(key) {
+        const q = this.activeRequests.get(key);
+        return await new Promise((resolve, reject) => {
+            q.pending.push({ resolve, reject });
+        });
+    }
+    /** Runs the grouped-permission flow (with or without a lock) and checks post-group satisfaction. */
+    async resolveGroupedFlow(preparedRequest, key) {
         const hadPendingGroupedFlowBefore = this.config.seekGroupedPermission && this.groupedPermissionFlowTail.has(preparedRequest.originator);
-        let groupResult = null;
+        let groupResult;
         if (this.config.seekGroupedPermission) {
             groupResult = await this.withGroupedPermissionFlowLock(preparedRequest.originator, async () => {
                 return await this.maybeRequestGroupedPermissions(preparedRequest);
@@ -1545,67 +1491,54 @@ class WalletPermissionsManager {
         else {
             groupResult = await this.maybeRequestGroupedPermissions(preparedRequest);
         }
-        if (groupResult !== null) {
+        if (groupResult !== null)
             return groupResult;
-        }
-        if (this.config.seekGroupedPermission && hadPendingGroupedFlowBefore) {
+        if (hadPendingGroupedFlowBefore) {
             const satisfiedAfterGroup = await this.checkSpecificPermissionAfterGroupFlow(preparedRequest);
-            if (satisfiedAfterGroup) {
+            if (satisfiedAfterGroup)
                 return true;
-            }
         }
-        const existingQueueAfterGroups = this.activeRequests.get(key);
-        if (existingQueueAfterGroups && existingQueueAfterGroups.pending.length > 0) {
-            return new Promise((resolve, reject) => {
-                existingQueueAfterGroups.pending.push({ resolve, reject });
-            });
+        return null;
+    }
+    /** Creates a new active-request queue entry, fires the event, and returns the promise. */
+    async enqueueAndFireEvent(preparedRequest, key) {
+        const requestPromise = new Promise((resolve, reject) => {
+            this.activeRequests.set(key, { request: preparedRequest, pending: [{ resolve, reject }] });
+        });
+        try {
+            await this.firePermissionRequestEvent(preparedRequest, key);
         }
-        return new Promise(async (resolve, reject) => {
-            var _a;
-            this.activeRequests.set(key, {
-                request: preparedRequest,
-                pending: [{ resolve, reject }]
-            });
-            try {
-                // Fire the relevant onXXXRequested event (which one depends on r.type)
-                switch (preparedRequest.type) {
-                    case 'protocol':
-                        await this.callEvent('onProtocolPermissionRequested', {
-                            ...preparedRequest,
-                            counterparty: ((_a = preparedRequest.protocolID) === null || _a === void 0 ? void 0 : _a[0]) === 1 ? undefined : preparedRequest.counterparty,
-                            requestID: key
-                        });
-                        break;
-                    case 'basket':
-                        await this.callEvent('onBasketAccessRequested', {
-                            ...preparedRequest,
-                            requestID: key
-                        });
-                        break;
-                    case 'certificate':
-                        await this.callEvent('onCertificateAccessRequested', {
-                            ...preparedRequest,
-                            requestID: key
-                        });
-                        break;
-                    case 'spending':
-                        await this.callEvent('onSpendingAuthorizationRequested', {
-                            ...preparedRequest,
-                            requestID: key
-                        });
-                        break;
-                }
-            }
-            catch (e) {
-                const matching = this.activeRequests.get(key);
-                if (matching) {
-                    for (const p of matching.pending) {
-                        p.reject(e);
-                    }
-                    this.activeRequests.delete(key);
-                }
+        catch (e) {
+            const matching = this.activeRequests.get(key);
+            if (matching != null) {
+                for (const p of matching.pending)
+                    p.reject(e);
+                this.activeRequests.delete(key);
             }
-        });
+        }
+        return await requestPromise;
+    }
+    /** Fires the appropriate onXXXRequested event based on the request type. */
+    async firePermissionRequestEvent(request, key) {
+        var _a;
+        switch (request.type) {
+            case 'protocol':
+                await this.callEvent('onProtocolPermissionRequested', {
+                    ...request,
+                    counterparty: ((_a = request.protocolID) === null || _a === void 0 ? void 0 : _a[0]) === 1 ? undefined : request.counterparty,
+                    requestID: key
+                });
+                break;
+            case 'basket':
+                await this.callEvent('onBasketAccessRequested', { ...request, requestID: key });
+                break;
+            case 'certificate':
+                await this.callEvent('onCertificateAccessRequested', { ...request, requestID: key });
+                break;
+            case 'spending':
+                await this.callEvent('onSpendingAuthorizationRequested', { ...request, requestID: key });
+                break;
+        }
     }
     /** We always use `keyID="1"` and `counterparty="self"` for these encryption ops. */
     async encryptPermissionTokenField(plaintext) {
@@ -1626,7 +1559,8 @@ class WalletPermissionsManager {
             }, this.adminOriginator);
             return plaintext;
         }
-        catch (e) {
+        catch (_decryptionError) {
+            // Decryption failed (e.g. wrong key, unencrypted legacy value) — return the raw bytes unchanged
             return ciphertext;
         }
     }
@@ -1660,7 +1594,8 @@ class WalletPermissionsManager {
             }, this.adminOriginator);
             return sdk_1.Utils.toUTF8(plaintext);
         }
-        catch (e) {
+        catch (_decryptionError) {
+            // Decryption failed (e.g. wrong key, unencrypted legacy value) — return original string unchanged
             return ciphertext;
         }
     }
@@ -1669,6 +1604,68 @@ class WalletPermissionsManager {
         const now = Math.floor(Date.now() / 1000);
         return expiry > 0 && expiry < now;
     }
+    /** Decrypts the standard 6 fields from a protocol (DPACP) PushDrop script. */
+    async decryptProtocolTokenFields(fields) {
+        const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fields[0]));
+        const expiryDecoded = Number.parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fields[1])), 10);
+        const privDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fields[2])) === 'true';
+        const secLevelDecoded = Number.parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fields[3])), 10);
+        const protoNameDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fields[4]));
+        const cptyDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fields[5]));
+        return { domainDecoded, expiryDecoded, privDecoded, secLevelDecoded, protoNameDecoded, cptyDecoded };
+    }
+    /** Parses outpoint string "txid.vout" into [txid, outputIndex]. */
+    parseOutpoint(outpoint) {
+        const [txid, indexStr] = outpoint.split('.');
+        return [txid, Number.parseInt(indexStr, 10)];
+    }
+    /** Normalizes a txid string to lowercase. */
+    normalizeTxid(txid) {
+        return (txid !== null && txid !== void 0 ? txid : '').toLowerCase();
+    }
+    /** Reverses a 32-byte hex txid (for endian normalization). */
+    reverseHexTxid(txid) {
+        const hex = this.normalizeTxid(txid);
+        if (!/^[0-9a-f]{64}$/.test(hex))
+            return hex;
+        const bytes = hex.match(/../g);
+        return (bytes != null) ? bytes.reverse().join('') : hex;
+    }
+    /**
+     * Returns true when an outpoint string (e.g. "txid.vout" or "txid:vout") refers to `token`.
+     */
+    tokenMatchesOutpointString(outpoint, token) {
+        const dot = outpoint.lastIndexOf('.');
+        const colon = outpoint.lastIndexOf(':');
+        const sep = Math.max(dot, colon);
+        if (sep === -1)
+            return false;
+        const txidPart = outpoint.slice(0, sep);
+        const vout = Number(outpoint.slice(sep + 1));
+        if (!Number.isFinite(vout))
+            return false;
+        return this.normalizeTxid(txidPart) === this.normalizeTxid(token.txid) && vout === token.outputIndex;
+    }
+    /**
+     * Finds the index of the tx input that spends the given permission token.
+     * Handles multiple potential field names for TXID and vout.
+     */
+    findInputIndexForToken(tx, token) {
+        return tx.inputs.findIndex((input) => {
+            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
+            const txidCandidate = (_g = (_f = (_e = (_d = (_c = (_b = (_a = input === null || input === void 0 ? void 0 : input.sourceTXID) !== null && _a !== void 0 ? _a : input === null || input === void 0 ? void 0 : input.sourceTxid) !== null && _b !== void 0 ? _b : input === null || input === void 0 ? void 0 : input.sourceTxId) !== null && _c !== void 0 ? _c : input === null || input === void 0 ? void 0 : input.prevTxId) !== null && _d !== void 0 ? _d : input === null || input === void 0 ? void 0 : input.prevTxid) !== null && _e !== void 0 ? _e : input === null || input === void 0 ? void 0 : input.prevTXID) !== null && _f !== void 0 ? _f : input === null || input === void 0 ? void 0 : input.txid) !== null && _g !== void 0 ? _g : input === null || input === void 0 ? void 0 : input.txID;
+            const voutCandidate = (_l = (_k = (_j = (_h = input === null || input === void 0 ? void 0 : input.sourceOutputIndex) !== null && _h !== void 0 ? _h : input === null || input === void 0 ? void 0 : input.sourceOutput) !== null && _j !== void 0 ? _j : input === null || input === void 0 ? void 0 : input.outputIndex) !== null && _k !== void 0 ? _k : input === null || input === void 0 ? void 0 : input.vout) !== null && _l !== void 0 ? _l : input === null || input === void 0 ? void 0 : input.prevOutIndex;
+            if (typeof txidCandidate === 'string' && typeof voutCandidate === 'number') {
+                const cand = this.normalizeTxid(txidCandidate);
+                if (cand === this.normalizeTxid(token.txid) && voutCandidate === token.outputIndex)
+                    return true;
+                if (cand === this.reverseHexTxid(token.txid) && voutCandidate === token.outputIndex)
+                    return true;
+            }
+            const outpointCandidate = (_o = (_m = input === null || input === void 0 ? void 0 : input.outpoint) !== null && _m !== void 0 ? _m : input === null || input === void 0 ? void 0 : input.sourceOutpoint) !== null && _o !== void 0 ? _o : input === null || input === void 0 ? void 0 : input.prevOutpoint;
+            return typeof outpointCandidate === 'string' && this.tokenMatchesOutpointString(outpointCandidate, token);
+        });
+    }
     /** Looks for a DPACP permission token matching origin/domain, privileged, protocol, cpty. */
     async findProtocolToken(originator, privileged, protocolID, counterparty, includeExpired, originatorLookupValues) {
         const [secLevel, protoName] = protocolID;
@@ -1690,49 +1687,35 @@ class WalletPermissionsManager {
                 include: 'entire transactions'
             }, this.adminOriginator);
             for (const out of result.outputs) {
-                const [txid, outputIndexStr] = out.outpoint.split('.');
+                const [txid, outputIndex] = this.parseOutpoint(out.outpoint);
                 const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
-                const dec = sdk_1.PushDrop.decode(tx.outputs[Number(outputIndexStr)].lockingScript);
-                if (!dec || !dec.fields || dec.fields.length < 6)
+                const dec = sdk_1.PushDrop.decode(tx.outputs[outputIndex].lockingScript);
+                if ((dec === null || dec === void 0 ? void 0 : dec.fields) == null || dec.fields.length < 6)
                     continue;
-                const domainRaw = dec.fields[0];
-                const expiryRaw = dec.fields[1];
-                const privRaw = dec.fields[2];
-                const secLevelRaw = dec.fields[3];
-                const protoNameRaw = dec.fields[4];
-                const counterpartyRaw = dec.fields[5];
-                const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
-                const normalizedDomain = this.normalizeOriginator(domainDecoded);
-                if (normalizedDomain !== originator) {
+                const f = await this.decryptProtocolTokenFields(dec.fields);
+                if (this.normalizeOriginator(f.domainDecoded) !== originator)
                     continue;
-                }
-                const expiryDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
-                const privDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(privRaw)) === 'true';
-                const secLevelDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(secLevelRaw)), 10);
-                const protoNameDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(protoNameRaw));
-                const cptyDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(counterpartyRaw));
-                if (privDecoded !== !!privileged ||
-                    secLevelDecoded !== secLevel ||
-                    protoNameDecoded !== protoName ||
-                    (secLevelDecoded === 2 && cptyDecoded !== counterparty)) {
+                if (f.privDecoded !== !!privileged ||
+                    f.secLevelDecoded !== secLevel ||
+                    f.protoNameDecoded !== protoName ||
+                    (f.secLevelDecoded === 2 && f.cptyDecoded !== counterparty)) {
                     continue;
                 }
-                if (!includeExpired && this.isTokenExpired(expiryDecoded)) {
+                if (!includeExpired && this.isTokenExpired(f.expiryDecoded))
                     continue;
-                }
                 return {
                     tx: tx.toBEEF(),
-                    txid: out.outpoint.split('.')[0],
-                    outputIndex: parseInt(out.outpoint.split('.')[1], 10),
-                    outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
+                    txid,
+                    outputIndex,
+                    outputScript: tx.outputs[outputIndex].lockingScript.toHex(),
                     satoshis: out.satoshis,
                     originator,
-                    rawOriginator: domainDecoded,
+                    rawOriginator: f.domainDecoded,
                     privileged,
                     protocol: protoName,
                     securityLevel: secLevel,
-                    expiry: expiryDecoded,
-                    counterparty: cptyDecoded
+                    expiry: f.expiryDecoded,
+                    counterparty: f.cptyDecoded
                 };
             }
         }
@@ -1763,32 +1746,18 @@ class WalletPermissionsManager {
             for (const out of result.outputs) {
                 if (seen.has(out.outpoint))
                     continue;
-                const [txid, outputIndexStr] = out.outpoint.split('.');
+                const [txid, vout] = this.parseOutpoint(out.outpoint);
                 const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
-                const vout = Number(outputIndexStr);
                 const dec = sdk_1.PushDrop.decode(tx.outputs[vout].lockingScript);
-                if (!dec || !dec.fields || dec.fields.length < 6)
+                if ((dec === null || dec === void 0 ? void 0 : dec.fields) == null || dec.fields.length < 6)
                     continue;
-                const domainRaw = dec.fields[0];
-                const expiryRaw = dec.fields[1];
-                const privRaw = dec.fields[2];
-                const secLevelRaw = dec.fields[3];
-                const protoNameRaw = dec.fields[4];
-                const counterpartyRaw = dec.fields[5];
-                const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
-                const normalizedDomain = this.normalizeOriginator(domainDecoded);
-                if (normalizedDomain !== originator) {
+                const f = await this.decryptProtocolTokenFields(dec.fields);
+                if (this.normalizeOriginator(f.domainDecoded) !== originator)
                     continue;
-                }
-                const expiryDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
-                const privDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(privRaw)) === 'true';
-                const secLevelDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(secLevelRaw)), 10);
-                const protoNameDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(protoNameRaw));
-                const cptyDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(counterpartyRaw));
-                if (privDecoded !== !!privileged ||
-                    secLevelDecoded !== secLevel ||
-                    protoNameDecoded !== protoName ||
-                    (secLevelDecoded === 2 && cptyDecoded !== counterparty)) {
+                if (f.privDecoded !== !!privileged ||
+                    f.secLevelDecoded !== secLevel ||
+                    f.protoNameDecoded !== protoName ||
+                    (f.secLevelDecoded === 2 && f.cptyDecoded !== counterparty)) {
                     continue;
                 }
                 seen.add(out.outpoint);
@@ -1799,12 +1768,12 @@ class WalletPermissionsManager {
                     outputScript: tx.outputs[vout].lockingScript.toHex(),
                     satoshis: out.satoshis,
                     originator,
-                    rawOriginator: domainDecoded,
+                    rawOriginator: f.domainDecoded,
                     privileged,
                     protocol: protoName,
                     securityLevel: secLevel,
-                    expiry: expiryDecoded,
-                    counterparty: cptyDecoded
+                    expiry: f.expiryDecoded,
+                    counterparty: f.cptyDecoded
                 });
             }
         }
@@ -1821,30 +1790,25 @@ class WalletPermissionsManager {
                 include: 'entire transactions'
             }, this.adminOriginator);
             for (const out of result.outputs) {
-                const [txid, outputIndexStr] = out.outpoint.split('.');
+                const [txid, outputIndex] = this.parseOutpoint(out.outpoint);
                 const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
-                const dec = sdk_1.PushDrop.decode(tx.outputs[Number(outputIndexStr)].lockingScript);
+                const dec = sdk_1.PushDrop.decode(tx.outputs[outputIndex].lockingScript);
                 if (!(dec === null || dec === void 0 ? void 0 : dec.fields) || dec.fields.length < 3)
                     continue;
-                const domainRaw = dec.fields[0];
-                const expiryRaw = dec.fields[1];
-                const basketRaw = dec.fields[2];
-                const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
-                const normalizedDomain = this.normalizeOriginator(domainDecoded);
-                if (normalizedDomain !== originator) {
+                const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(dec.fields[0]));
+                if (this.normalizeOriginator(domainDecoded) !== originator)
                     continue;
-                }
-                const expiryDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
-                const basketDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(basketRaw));
+                const expiryDecoded = Number.parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(dec.fields[1])), 10);
+                const basketDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(dec.fields[2]));
                 if (basketDecoded !== basket)
                     continue;
                 if (!includeExpired && this.isTokenExpired(expiryDecoded))
                     continue;
                 return {
-                    tx: tx.toBEEF(),
-                    txid: out.outpoint.split('.')[0],
-                    outputIndex: parseInt(out.outpoint.split('.')[1], 10),
-                    outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
+                    tx: tx.toBEEF(),
+                    txid,
+                    outputIndex,
+                    outputScript: tx.outputs[outputIndex].lockingScript.toHex(),
                     satoshis: out.satoshis,
                     originator,
                     rawOriginator: domainDecoded,
@@ -1866,39 +1830,33 @@ class WalletPermissionsManager {
                 include: 'entire transactions'
             }, this.adminOriginator);
             for (const out of result.outputs) {
-                const [txid, outputIndexStr] = out.outpoint.split('.');
+                const [txid, outputIndex] = this.parseOutpoint(out.outpoint);
                 const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
-                const dec = sdk_1.PushDrop.decode(tx.outputs[Number(outputIndexStr)].lockingScript);
+                const dec = sdk_1.PushDrop.decode(tx.outputs[outputIndex].lockingScript);
                 if (!(dec === null || dec === void 0 ? void 0 : dec.fields) || dec.fields.length < 6)
                     continue;
                 const [domainRaw, expiryRaw, privRaw, typeRaw, fieldsRaw, verifierRaw] = dec.fields;
                 const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
-                const normalizedDomain = this.normalizeOriginator(domainDecoded);
-                if (normalizedDomain !== originator) {
+                if (this.normalizeOriginator(domainDecoded) !== originator)
                     continue;
-                }
-                const expiryDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
+                const expiryDecoded = Number.parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
                 const privDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(privRaw)) === 'true';
                 const typeDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(typeRaw));
                 const verifierDec = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(verifierRaw));
-                const fieldsJson = await this.decryptPermissionTokenField(fieldsRaw);
-                const allFields = JSON.parse(sdk_1.Utils.toUTF8(fieldsJson));
-                if (privDecoded !== !!privileged || typeDecoded !== certType || verifierDec !== verifier) {
+                const allFields = JSON.parse(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fieldsRaw)));
+                if (privDecoded !== !!privileged || typeDecoded !== certType || verifierDec !== verifier)
                     continue;
-                }
                 // Check if 'fields' is a subset of 'allFields'
                 const setAll = new Set(allFields);
-                if (fields.some(f => !setAll.has(f))) {
+                if (fields.some(f => !setAll.has(f)))
                     continue;
-                }
-                if (!includeExpired && this.isTokenExpired(expiryDecoded)) {
+                if (!includeExpired && this.isTokenExpired(expiryDecoded))
                     continue;
-                }
                 return {
                     tx: tx.toBEEF(),
-                    txid: out.outpoint.split('.')[0],
-                    outputIndex: parseInt(out.outpoint.split('.')[1], 10),
-                    outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
+                    txid,
+                    outputIndex,
+                    outputScript: tx.outputs[outputIndex].lockingScript.toHex(),
                     satoshis: out.satoshis,
                     originator,
                     rawOriginator: domainDecoded,
@@ -1935,11 +1893,11 @@ class WalletPermissionsManager {
                 if (normalizedDomain !== originator)
                     continue;
                 const amtDecodedStr = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(amtRaw));
-                const authorizedAmount = parseInt(amtDecodedStr, 10);
+                const authorizedAmount = Number.parseInt(amtDecodedStr, 10);
                 return {
                     tx: tx.toBEEF(),
                     txid: out.outpoint.split('.')[0],
-                    outputIndex: parseInt(out.outpoint.split('.')[1], 10),
+                    outputIndex: Number.parseInt(out.outpoint.split('.')[1], 10),
                     outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
                     satoshis: out.satoshis,
                     originator,
@@ -2021,7 +1979,7 @@ class WalletPermissionsManager {
         }, this.adminOriginator);
     }
     async mapWithConcurrency(items, concurrency, fn) {
-        if (!items.length)
+        if (items.length === 0)
             return [];
         const results = new Array(items.length);
         let i = 0;
@@ -2033,11 +1991,11 @@ class WalletPermissionsManager {
                 results[idx] = await fn(items[idx]);
             }
         };
-        await Promise.all(Array.from({ length: Math.min(concurrency, items.length) }, () => worker()));
+        await Promise.all(Array.from({ length: Math.min(concurrency, items.length) }, async () => await worker()));
         return results;
     }
     async runBestEffortBatches(items, chunkSize, runChunk) {
-        if (!items.length)
+        if (items.length === 0)
             return [];
         const out = [];
         for (let i = 0; i < items.length; i += chunkSize) {
@@ -2084,8 +2042,8 @@ class WalletPermissionsManager {
     }
     async createPermissionTokensBestEffort(items) {
         const CHUNK = 25;
-        return this.runBestEffortBatches(items, CHUNK, async (chunk) => {
-            const built = await this.mapWithConcurrency(chunk, 8, c => this.buildPermissionOutput(c.request, c.expiry, c.amount));
+        return await this.runBestEffortBatches(items, CHUNK, async (chunk) => {
+            const built = await this.mapWithConcurrency(chunk, 8, async (c) => await this.buildPermissionOutput(c.request, c.expiry, c.amount));
             await this.createAction({
                 description: `Grant ${built.length} permissions`,
                 outputs: built.map(b => b.output),
@@ -2096,8 +2054,8 @@ class WalletPermissionsManager {
     }
     async renewPermissionTokensBestEffort(items) {
         const CHUNK = 15;
-        return this.runBestEffortBatches(items, CHUNK, async (chunk) => {
-            const built = await this.mapWithConcurrency(chunk, 8, c => this.buildPermissionOutput(c.request, c.expiry, c.amount));
+        return await this.runBestEffortBatches(items, CHUNK, async (chunk) => {
+            const built = await this.mapWithConcurrency(chunk, 8, async (c) => await this.buildPermissionOutput(c.request, c.expiry, c.amount));
             const inputBeef = new sdk_1.Beef();
             for (const c of chunk) {
                 inputBeef.mergeBeef(sdk_1.Beef.fromBinary(c.oldToken.tx));
@@ -2164,7 +2122,7 @@ class WalletPermissionsManager {
                     satoshis: 1,
                     outputDescription: 'Renewed permission token',
                     ...((opts === null || opts === void 0 ? void 0 : opts.basket) ? { basket: opts.basket } : {}),
-                    ...((opts === null || opts === void 0 ? void 0 : opts.tags) ? { tags: opts.tags } : {})
+                    ...(((opts === null || opts === void 0 ? void 0 : opts.tags) == null) ? {} : { tags: opts.tags })
                 }
             ],
             options: {
@@ -2319,9 +2277,7 @@ class WalletPermissionsManager {
         const tags = [`originator ${r.originator}`];
         switch (r.type) {
             case 'protocol': {
-                tags.push(`privileged ${!!r.privileged}`);
-                tags.push(`protocolName ${r.protocolID[1]}`);
-                tags.push(`protocolSecurityLevel ${r.protocolID[0]}`);
+                tags.push(`privileged ${!!r.privileged}`, `protocolName ${r.protocolID[1]}`, `protocolSecurityLevel ${r.protocolID[0]}`);
                 if (r.protocolID[0] === 2) {
                     tags.push(`counterparty ${(_a = r.counterparty) !== null && _a !== void 0 ? _a : 'self'}`);
                 }
@@ -2332,9 +2288,7 @@ class WalletPermissionsManager {
                 break;
             }
             case 'certificate': {
-                tags.push(`privileged ${!!r.privileged}`);
-                tags.push(`type ${r.certificate.certType}`);
-                tags.push(`verifier ${r.certificate.verifier}`);
+                tags.push(`privileged ${!!r.privileged}`, `type ${r.certificate.certType}`, `verifier ${r.certificate.verifier}`);
                 break;
             }
             case 'spending': {
@@ -2357,74 +2311,55 @@ class WalletPermissionsManager {
      * @returns Array of permission tokens that match the filter criteria
      */
     async listProtocolPermissions({ originator, privileged, protocolName, protocolSecurityLevel, counterparty } = {}) {
-        const basketName = BASKET_MAP.protocol;
-        const baseTags = [];
-        if (privileged !== undefined) {
-            baseTags.push(`privileged ${!!privileged}`);
-        }
-        if (protocolName) {
-            baseTags.push(`protocolName ${protocolName}`);
-        }
-        if (protocolSecurityLevel !== undefined) {
-            baseTags.push(`protocolSecurityLevel ${protocolSecurityLevel}`);
-        }
-        if (counterparty) {
-            baseTags.push(`counterparty ${counterparty}`);
-        }
+        const baseTags = this.buildProtocolFilterTags({ privileged, protocolName, protocolSecurityLevel, counterparty });
         const originFilter = originator ? this.prepareOriginator(originator) : undefined;
-        const originVariants = originFilter ? originFilter.lookupValues : [undefined];
+        const originVariants = (originFilter == null) ? [undefined] : originFilter.lookupValues;
         const seen = new Set();
         const tokens = [];
         for (const originTag of originVariants) {
-            const tags = [...baseTags];
-            if (originTag) {
-                tags.push(`originator ${originTag}`);
-            }
-            const result = await this.underlying.listOutputs({
-                basket: basketName,
-                tags,
-                tagQueryMode: 'all',
-                include: 'entire transactions',
-                limit: 10000
-            }, this.adminOriginator);
-            for (const out of result.outputs) {
-                if (seen.has(out.outpoint))
-                    continue;
-                const [txid, outputIndexStr] = out.outpoint.split('.');
-                const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
-                const dec = sdk_1.PushDrop.decode(tx.outputs[Number(outputIndexStr)].lockingScript);
-                if (!(dec === null || dec === void 0 ? void 0 : dec.fields) || dec.fields.length < 6)
-                    continue;
-                const [domainRaw, expiryRaw, privRaw, secRaw, protoRaw, cptyRaw] = dec.fields;
-                const domainDec = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
-                const normalizedDomain = this.normalizeOriginator(domainDec);
-                if (originFilter && normalizedDomain !== originFilter.normalized) {
-                    continue;
-                }
-                const expiryDec = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
-                const privDec = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(privRaw)) === 'true';
-                const secDec = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(secRaw)), 10);
-                const protoDec = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(protoRaw));
-                const cptyDec = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(cptyRaw));
-                seen.add(out.outpoint);
-                tokens.push({
-                    tx: tx.toBEEF(),
-                    txid: out.outpoint.split('.')[0],
-                    outputIndex: parseInt(out.outpoint.split('.')[1], 10),
-                    outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
-                    satoshis: out.satoshis,
-                    originator: normalizedDomain,
-                    rawOriginator: domainDec,
-                    expiry: expiryDec,
-                    privileged: privDec,
-                    securityLevel: secDec,
-                    protocol: protoDec,
-                    counterparty: cptyDec
-                });
-            }
+            const tags = originTag != null ? [...baseTags, `originator ${originTag}`] : [...baseTags];
+            const result = await this.underlying.listOutputs({ basket: BASKET_MAP.protocol, tags, tagQueryMode: 'all', include: 'entire transactions', limit: 10000 }, this.adminOriginator);
+            await this.collectProtocolTokens(result, originFilter, seen, tokens);
         }
         return tokens;
     }
+    /** Builds the base tag array for protocol permission listing. */
+    buildProtocolFilterTags({ privileged, protocolName, protocolSecurityLevel, counterparty }) {
+        const tags = [];
+        if (privileged !== undefined)
+            tags.push(`privileged ${!!privileged}`);
+        if (protocolName)
+            tags.push(`protocolName ${protocolName}`);
+        if (protocolSecurityLevel !== undefined)
+            tags.push(`protocolSecurityLevel ${protocolSecurityLevel}`);
+        if (counterparty)
+            tags.push(`counterparty ${counterparty}`);
+        return tags;
+    }
+    /** Decodes and appends protocol permission tokens from a listOutputs result. */
+    async collectProtocolTokens(result, originFilter, seen, tokens) {
+        for (const out of result.outputs) {
+            if (seen.has(out.outpoint))
+                continue;
+            const [txid, outputIndex] = this.parseOutpoint(out.outpoint);
+            const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
+            const dec = sdk_1.PushDrop.decode(tx.outputs[outputIndex].lockingScript);
+            if (!(dec === null || dec === void 0 ? void 0 : dec.fields) || dec.fields.length < 6)
+                continue;
+            const f = await this.decryptProtocolTokenFields(dec.fields);
+            const normalizedDomain = this.normalizeOriginator(f.domainDecoded);
+            if ((originFilter != null) && normalizedDomain !== originFilter.normalized)
+                continue;
+            seen.add(out.outpoint);
+            tokens.push({
+                tx: tx.toBEEF(), txid, outputIndex,
+                outputScript: tx.outputs[outputIndex].lockingScript.toHex(),
+                satoshis: out.satoshis, originator: normalizedDomain, rawOriginator: f.domainDecoded,
+                expiry: f.expiryDecoded, privileged: f.privDecoded,
+                securityLevel: f.secLevelDecoded, protocol: f.protoNameDecoded, counterparty: f.cptyDecoded
+            });
+        }
+    }
     /**
      * Returns true if the originator already holds a valid unexpired protocol permission.
      * This calls `ensureProtocolPermission` with `seekPermission=false`, so it won't prompt.
@@ -2456,7 +2391,7 @@ class WalletPermissionsManager {
             baseTags.push(`basket ${params.basket}`);
         }
         const originFilter = params.originator ? this.prepareOriginator(params.originator) : undefined;
-        const originVariants = originFilter ? originFilter.lookupValues : [undefined];
+        const originVariants = (originFilter == null) ? [undefined] : originFilter.lookupValues;
         const seen = new Set();
         const tokens = [];
         for (const originTag of originVariants) {
@@ -2474,26 +2409,25 @@ class WalletPermissionsManager {
             for (const out of result.outputs) {
                 if (seen.has(out.outpoint))
                     continue;
-                const [txid, outputIndexStr] = out.outpoint.split('.');
+                const [txid, outputIndex] = this.parseOutpoint(out.outpoint);
                 const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
-                const dec = sdk_1.PushDrop.decode(tx.outputs[Number(outputIndexStr)].lockingScript);
+                const dec = sdk_1.PushDrop.decode(tx.outputs[outputIndex].lockingScript);
                 if (!(dec === null || dec === void 0 ? void 0 : dec.fields) || dec.fields.length < 3)
                     continue;
                 const [domainRaw, expiryRaw, basketRaw] = dec.fields;
                 const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
                 const normalizedDomain = this.normalizeOriginator(domainDecoded);
-                if (originFilter && normalizedDomain !== originFilter.normalized) {
+                if ((originFilter != null) && normalizedDomain !== originFilter.normalized)
                     continue;
-                }
-                const expiryDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
+                const expiryDecoded = Number.parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
                 const basketDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(basketRaw));
                 seen.add(out.outpoint);
                 tokens.push({
                     tx: tx.toBEEF(),
-                    txid: out.outpoint.split('.')[0],
-                    outputIndex: parseInt(out.outpoint.split('.')[1], 10),
+                    txid,
+                    outputIndex,
                     satoshis: out.satoshis,
-                    outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
+                    outputScript: tx.outputs[outputIndex].lockingScript.toHex(),
                     originator: normalizedDomain,
                     rawOriginator: domainDecoded,
                     basketName: basketDecoded,
@@ -2512,7 +2446,7 @@ class WalletPermissionsManager {
                 originator: params.originator,
                 basket: params.basket,
                 seekPermission: false,
-                usageType: 'insertion' // TODO: Consider a generic case for "has"
+                usageType: 'insertion'
             });
             return true;
         }
@@ -2546,11 +2480,11 @@ class WalletPermissionsManager {
             const [domainRaw, amtRaw] = dec.fields;
             const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
             const amtDecodedStr = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(amtRaw));
-            const authorizedAmount = parseInt(amtDecodedStr, 10);
+            const authorizedAmount = Number.parseInt(amtDecodedStr, 10);
             tokens.push({
                 tx: tx.toBEEF(),
                 txid: out.outpoint.split('.')[0],
-                outputIndex: parseInt(out.outpoint.split('.')[1], 10),
+                outputIndex: Number.parseInt(out.outpoint.split('.')[1], 10),
                 satoshis: out.satoshis,
                 outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
                 originator: domainDecoded,
@@ -2586,72 +2520,54 @@ class WalletPermissionsManager {
      * @returns Array of permission tokens that match the filter criteria
      */
     async listCertificateAccess(params = {}) {
-        const basketName = BASKET_MAP.certificate;
         const baseTags = [];
-        if (params.privileged !== undefined) {
+        if (params.privileged !== undefined)
             baseTags.push(`privileged ${!!params.privileged}`);
-        }
-        if (params.certType) {
+        if (params.certType)
             baseTags.push(`type ${params.certType}`);
-        }
-        if (params.verifier) {
+        if (params.verifier)
             baseTags.push(`verifier ${params.verifier}`);
-        }
         const originFilter = params.originator ? this.prepareOriginator(params.originator) : undefined;
-        const originVariants = originFilter ? originFilter.lookupValues : [undefined];
+        const originVariants = (originFilter == null) ? [undefined] : originFilter.lookupValues;
         const seen = new Set();
         const tokens = [];
         for (const originTag of originVariants) {
-            const tags = [...baseTags];
-            if (originTag) {
-                tags.push(`originator ${originTag}`);
-            }
-            const result = await this.underlying.listOutputs({
-                basket: basketName,
-                tags,
-                tagQueryMode: 'all',
-                include: 'entire transactions',
-                limit: 10000
-            }, this.adminOriginator);
-            for (const out of result.outputs) {
-                if (seen.has(out.outpoint))
-                    continue;
-                const [txid, outputIndexStr] = out.outpoint.split('.');
-                const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
-                const dec = sdk_1.PushDrop.decode(tx.outputs[Number(outputIndexStr)].lockingScript);
-                if (!(dec === null || dec === void 0 ? void 0 : dec.fields) || dec.fields.length < 6)
-                    continue;
-                const [domainRaw, expiryRaw, privRaw, typeRaw, fieldsRaw, verifierRaw] = dec.fields;
-                const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
-                const normalizedDomain = this.normalizeOriginator(domainDecoded);
-                if (originFilter && normalizedDomain !== originFilter.normalized) {
-                    continue;
-                }
-                const expiryDecoded = parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
-                const privDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(privRaw)) === 'true';
-                const typeDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(typeRaw));
-                const verifierDec = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(verifierRaw));
-                const fieldsJson = await this.decryptPermissionTokenField(fieldsRaw);
-                const allFields = JSON.parse(sdk_1.Utils.toUTF8(fieldsJson));
-                seen.add(out.outpoint);
-                tokens.push({
-                    tx: tx.toBEEF(),
-                    txid: out.outpoint.split('.')[0],
-                    outputIndex: parseInt(out.outpoint.split('.')[1], 10),
-                    satoshis: out.satoshis,
-                    outputScript: tx.outputs[Number(outputIndexStr)].lockingScript.toHex(),
-                    originator: normalizedDomain,
-                    rawOriginator: domainDecoded,
-                    privileged: privDecoded,
-                    certType: typeDecoded,
-                    certFields: allFields,
-                    verifier: verifierDec,
-                    expiry: expiryDecoded
-                });
-            }
+            const tags = originTag != null ? [...baseTags, `originator ${originTag}`] : [...baseTags];
+            const result = await this.underlying.listOutputs({ basket: BASKET_MAP.certificate, tags, tagQueryMode: 'all', include: 'entire transactions', limit: 10000 }, this.adminOriginator);
+            await this.collectCertificateTokens(result, originFilter, seen, tokens);
         }
         return tokens;
     }
+    /** Decodes and appends certificate permission tokens from a listOutputs result. */
+    async collectCertificateTokens(result, originFilter, seen, tokens) {
+        for (const out of result.outputs) {
+            if (seen.has(out.outpoint))
+                continue;
+            const [txid, outputIndex] = this.parseOutpoint(out.outpoint);
+            const tx = sdk_1.Transaction.fromBEEF(result.BEEF, txid);
+            const dec = sdk_1.PushDrop.decode(tx.outputs[outputIndex].lockingScript);
+            if (!(dec === null || dec === void 0 ? void 0 : dec.fields) || dec.fields.length < 6)
+                continue;
+            const [domainRaw, expiryRaw, privRaw, typeRaw, fieldsRaw, verifierRaw] = dec.fields;
+            const domainDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(domainRaw));
+            const normalizedDomain = this.normalizeOriginator(domainDecoded);
+            if ((originFilter != null) && normalizedDomain !== originFilter.normalized)
+                continue;
+            const expiryDecoded = Number.parseInt(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(expiryRaw)), 10);
+            const privDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(privRaw)) === 'true';
+            const typeDecoded = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(typeRaw));
+            const verifierDec = sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(verifierRaw));
+            const allFields = JSON.parse(sdk_1.Utils.toUTF8(await this.decryptPermissionTokenField(fieldsRaw)));
+            seen.add(out.outpoint);
+            tokens.push({
+                tx: tx.toBEEF(), txid, outputIndex, satoshis: out.satoshis,
+                outputScript: tx.outputs[outputIndex].lockingScript.toHex(),
+                originator: normalizedDomain, rawOriginator: domainDecoded,
+                privileged: privDecoded, certType: typeDecoded, certFields: allFields,
+                verifier: verifierDec, expiry: expiryDecoded
+            });
+        }
+    }
     /**
      * Returns `true` if the originator already holds a valid unexpired certificate access
      * for the given certType/fields. Does not prompt the user.
@@ -2683,7 +2599,7 @@ class WalletPermissionsManager {
             basket: true,
             certificate: true,
             spending: true,
-            ...(opts || {})
+            ...opts
         };
         const [protocolTokens, basketTokens, certificateTokens, spendingTokens] = await Promise.all([
             include.protocol ? this.listProtocolPermissions({ originator }) : Promise.resolve([]),
@@ -2693,7 +2609,7 @@ class WalletPermissionsManager {
                 ? this.listSpendingAuthorizations({ originator: preparedOriginator.normalized })
                 : Promise.resolve([])
         ]);
-        const spendingTokenList = spendingTokens.length ? [spendingTokens[0]] : [];
+        const spendingTokenList = (spendingTokens.length > 0) ? [spendingTokens[0]] : [];
         const allTokens = [...protocolTokens, ...basketTokens, ...certificateTokens, ...spendingTokenList];
         const seen = new Set();
         const deduped = allTokens.filter(t => {
@@ -2707,13 +2623,13 @@ class WalletPermissionsManager {
     }
     async revokePermissionTokensBestEffort(items) {
         const CHUNK = 15;
-        return this.runBestEffortBatches(items, CHUNK, async (chunk) => {
+        return await this.runBestEffortBatches(items, CHUNK, async (chunk) => {
             await this.revokePermissionTokensChunk(chunk);
             return chunk;
         });
     }
     async revokePermissionTokensChunk(oldTokens) {
-        if (!oldTokens.length)
+        if (oldTokens.length === 0)
             return;
         const inputBeef = new sdk_1.Beef();
         for (const token of oldTokens) {
@@ -2737,48 +2653,8 @@ class WalletPermissionsManager {
             throw new Error('Failed to create signable transaction');
         }
         const tx = sdk_1.Transaction.fromAtomicBEEF(signableTransaction.tx);
-        const normalizeTxid = (txid) => (txid !== null && txid !== void 0 ? txid : '').toLowerCase();
-        const reverseHexTxid = (txid) => {
-            const hex = normalizeTxid(txid);
-            if (!/^[0-9a-f]{64}$/.test(hex))
-                return hex;
-            const bytes = hex.match(/../g);
-            return bytes ? bytes.reverse().join('') : hex;
-        };
-        const matchesOutpointString = (outpoint, token) => {
-            const dot = outpoint.lastIndexOf('.');
-            const colon = outpoint.lastIndexOf(':');
-            const sep = dot > colon ? dot : colon;
-            if (sep === -1)
-                return false;
-            const txidPart = outpoint.slice(0, sep);
-            const indexPart = outpoint.slice(sep + 1);
-            const vout = Number(indexPart);
-            if (!Number.isFinite(vout))
-                return false;
-            return normalizeTxid(txidPart) === normalizeTxid(token.txid) && vout === token.outputIndex;
-        };
-        const findInputIndexForToken = (token) => {
-            return tx.inputs.findIndex((input) => {
-                var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
-                const txidCandidate = (_g = (_f = (_e = (_d = (_c = (_b = (_a = input === null || input === void 0 ? void 0 : input.sourceTXID) !== null && _a !== void 0 ? _a : input === null || input === void 0 ? void 0 : input.sourceTxid) !== null && _b !== void 0 ? _b : input === null || input === void 0 ? void 0 : input.sourceTxId) !== null && _c !== void 0 ? _c : input === null || input === void 0 ? void 0 : input.prevTxId) !== null && _d !== void 0 ? _d : input === null || input === void 0 ? void 0 : input.prevTxid) !== null && _e !== void 0 ? _e : input === null || input === void 0 ? void 0 : input.prevTXID) !== null && _f !== void 0 ? _f : input === null || input === void 0 ? void 0 : input.txid) !== null && _g !== void 0 ? _g : input === null || input === void 0 ? void 0 : input.txID;
-                const voutCandidate = (_l = (_k = (_j = (_h = input === null || input === void 0 ? void 0 : input.sourceOutputIndex) !== null && _h !== void 0 ? _h : input === null || input === void 0 ? void 0 : input.sourceOutput) !== null && _j !== void 0 ? _j : input === null || input === void 0 ? void 0 : input.outputIndex) !== null && _k !== void 0 ? _k : input === null || input === void 0 ? void 0 : input.vout) !== null && _l !== void 0 ? _l : input === null || input === void 0 ? void 0 : input.prevOutIndex;
-                if (typeof txidCandidate === 'string' && typeof voutCandidate === 'number') {
-                    const cand = normalizeTxid(txidCandidate);
-                    const target = normalizeTxid(token.txid);
-                    if (cand === target && voutCandidate === token.outputIndex)
-                        return true;
-                    if (cand === reverseHexTxid(token.txid) && voutCandidate === token.outputIndex)
-                        return true;
-                }
-                const outpointCandidate = (_o = (_m = input === null || input === void 0 ? void 0 : input.outpoint) !== null && _m !== void 0 ? _m : input === null || input === void 0 ? void 0 : input.sourceOutpoint) !== null && _o !== void 0 ? _o : input === null || input === void 0 ? void 0 : input.prevOutpoint;
-                if (typeof outpointCandidate === 'string' && matchesOutpointString(outpointCandidate, token))
-                    return true;
-                return false;
-            });
-        };
         const inputsToSign = oldTokens.map(token => {
-            let permInputIndex = findInputIndexForToken(token);
+            let permInputIndex = this.findInputIndexForToken(tx, token);
             if (permInputIndex === -1 && tx.inputs.length === 1) {
                 permInputIndex = 0;
             }
@@ -2811,13 +2687,13 @@ class WalletPermissionsManager {
     async revokePermission(oldToken) {
         const oldOutpoint = `${oldToken.txid}.${oldToken.outputIndex}`;
         const { signableTransaction } = await this.createAction({
-            description: `Revoke permission`,
+            description: 'Revoke permission',
             inputBEEF: oldToken.tx,
             inputs: [
                 {
                     outpoint: oldOutpoint,
                     unlockingScriptLength: 73, // length of signature
-                    inputDescription: `Consume old permission token`
+                    inputDescription: 'Consume old permission token'
                 }
             ],
             options: {
@@ -2825,44 +2701,7 @@ class WalletPermissionsManager {
             }
         }, this.adminOriginator);
         const tx = sdk_1.Transaction.fromBEEF(signableTransaction.tx);
-        const normalizeTxid = (txid) => (txid !== null && txid !== void 0 ? txid : '').toLowerCase();
-        const reverseHexTxid = (txid) => {
-            const hex = normalizeTxid(txid);
-            if (!/^[0-9a-f]{64}$/.test(hex))
-                return hex;
-            const bytes = hex.match(/../g);
-            return bytes ? bytes.reverse().join('') : hex;
-        };
-        const matchesOutpointString = (outpoint) => {
-            const dot = outpoint.lastIndexOf('.');
-            const colon = outpoint.lastIndexOf(':');
-            const sep = dot > colon ? dot : colon;
-            if (sep === -1)
-                return false;
-            const txidPart = outpoint.slice(0, sep);
-            const indexPart = outpoint.slice(sep + 1);
-            const vout = Number(indexPart);
-            if (!Number.isFinite(vout))
-                return false;
-            return normalizeTxid(txidPart) === normalizeTxid(oldToken.txid) && vout === oldToken.outputIndex;
-        };
-        let permInputIndex = tx.inputs.findIndex((input) => {
-            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
-            const txidCandidate = (_g = (_f = (_e = (_d = (_c = (_b = (_a = input === null || input === void 0 ? void 0 : input.sourceTXID) !== null && _a !== void 0 ? _a : input === null || input === void 0 ? void 0 : input.sourceTxid) !== null && _b !== void 0 ? _b : input === null || input === void 0 ? void 0 : input.sourceTxId) !== null && _c !== void 0 ? _c : input === null || input === void 0 ? void 0 : input.prevTxId) !== null && _d !== void 0 ? _d : input === null || input === void 0 ? void 0 : input.prevTxid) !== null && _e !== void 0 ? _e : input === null || input === void 0 ? void 0 : input.prevTXID) !== null && _f !== void 0 ? _f : input === null || input === void 0 ? void 0 : input.txid) !== null && _g !== void 0 ? _g : input === null || input === void 0 ? void 0 : input.txID;
-            const voutCandidate = (_l = (_k = (_j = (_h = input === null || input === void 0 ? void 0 : input.sourceOutputIndex) !== null && _h !== void 0 ? _h : input === null || input === void 0 ? void 0 : input.sourceOutput) !== null && _j !== void 0 ? _j : input === null || input === void 0 ? void 0 : input.outputIndex) !== null && _k !== void 0 ? _k : input === null || input === void 0 ? void 0 : input.vout) !== null && _l !== void 0 ? _l : input === null || input === void 0 ? void 0 : input.prevOutIndex;
-            if (typeof txidCandidate === 'string' && typeof voutCandidate === 'number') {
-                const cand = normalizeTxid(txidCandidate);
-                const target = normalizeTxid(oldToken.txid);
-                if (cand === target && voutCandidate === oldToken.outputIndex)
-                    return true;
-                if (cand === reverseHexTxid(oldToken.txid) && voutCandidate === oldToken.outputIndex)
-                    return true;
-            }
-            const outpointCandidate = (_o = (_m = input === null || input === void 0 ? void 0 : input.outpoint) !== null && _m !== void 0 ? _m : input === null || input === void 0 ? void 0 : input.sourceOutpoint) !== null && _o !== void 0 ? _o : input === null || input === void 0 ? void 0 : input.prevOutpoint;
-            if (typeof outpointCandidate === 'string' && matchesOutpointString(outpointCandidate))
-                return true;
-            return false;
-        });
+        let permInputIndex = this.findInputIndexForToken(tx, oldToken);
         if (permInputIndex === -1 && tx.inputs.length === 1) {
             permInputIndex = 0;
         }
@@ -2886,56 +2725,81 @@ class WalletPermissionsManager {
     async createAction(args, originator) {
         // 1) Identify unique P-modules involved (one per schemeID) from both baskets and labels
         const pModulesByScheme = new Map();
-        const nonPBaskets = [];
-        // Check baskets for p modules
-        if (args.outputs) {
-            for (const out of args.outputs) {
-                if (out.basket) {
-                    if (out.basket.startsWith('p ')) {
-                        const schemeID = out.basket.split(' ')[1];
-                        this.addPModuleByScheme(schemeID, 'basket', pModulesByScheme);
-                    }
-                    else {
-                        // Track non-P baskets for normal permission checks
-                        nonPBaskets.push(out.basket);
-                    }
-                }
-            }
-        }
-        // Check labels for p modules
+        const nonPBaskets = this.collectNonPBaskets(args.outputs, pModulesByScheme);
         const nonPLabels = this.splitLabelsByPermissionModule(args.labels, pModulesByScheme);
         // 2) Check permissions for non-P baskets
         for (const basket of nonPBaskets) {
-            await this.ensureBasketAccess({
-                originator: originator,
-                basket,
-                reason: args.description,
-                usageType: 'insertion'
-            });
+            await this.ensureBasketAccess({ originator: originator, basket, reason: args.description, usageType: 'insertion' });
         }
         // 3) Check permissions for non-P labels
         for (const lbl of nonPLabels) {
-            await this.ensureLabelAccess({
-                originator: originator,
-                label: lbl,
-                reason: args.description,
-                usageType: 'apply'
-            });
+            await this.ensureLabelAccess({ originator: originator, label: lbl, reason: args.description, usageType: 'apply' });
         }
-        /**
-         * 4) Force signAndProcess=false unless the originator is admin and explicitly sets it to true.
-         *    This ensures the underlying wallet returns a signableTransaction, letting us parse the transaction
-         *    to determine net spending and request authorization if needed.
-         */
-        const modifiedOptions = { ...(args.options || {}) };
+        // 4) Force signAndProcess=false unless the originator is admin and explicitly sets it to true.
+        const modifiedOptions = this.enforceSignAndProcess(args.options, originator);
+        // 5) Encrypt transaction metadata, saving originals for spending auth and line items.
+        const originalDescription = args.description;
+        const { originalInputDescriptions, originalOutputDescriptions } = await this.encryptActionMetadata(args);
+        // 6) Call the underlying wallet's createAction with P-module chaining as needed.
+        const finalArgs = {
+            ...args,
+            options: modifiedOptions,
+            labels: [...(args.labels || []), `admin originator ${originator}`, `admin month ${this.getCurrentMonthYearUTC()}`]
+        };
+        let createResult = await this.callCreateActionWithPModules(finalArgs, pModulesByScheme, originator);
+        if (createResult.signableTransaction == null)
+            return createResult;
+        // 7) Parse the signable tx to determine net spend, then gate on spending authorization.
+        const tx = sdk_1.Transaction.fromAtomicBEEF(createResult.signableTransaction.tx);
+        const reference = createResult.signableTransaction.reference;
+        const { netSpent, lineItems } = this.computeNetSpend(tx, args, originalInputDescriptions, originalOutputDescriptions);
+        // 8) If netSpent > 0, require spending authorization. Abort if denied.
+        if (netSpent > 0) {
+            try {
+                await this.ensureSpendingAuthorization({ originator: originator, satoshis: netSpent, lineItems, reason: originalDescription });
+            }
+            catch (err) {
+                await this.underlying.abortAction({ reference });
+                throw err;
+            }
+        }
+        // 9) Finalize or return the signable transaction based on whether more signatures are needed.
+        const vargs = sdk_1.Validation.validateCreateActionArgs(args);
+        if (vargs.isSignAction)
+            return createResult;
+        const signResult = await this.underlying.signAction({ reference, spends: {}, options: args.options }, originator);
+        return { ...createResult, ...signResult, signableTransaction: undefined };
+    }
+    /** Scans outputs to split P-scheme baskets from regular baskets; registers P-modules as a side effect. */
+    collectNonPBaskets(outputs, pModulesByScheme) {
+        const nonPBaskets = [];
+        if (outputs == null)
+            return nonPBaskets;
+        for (const out of outputs) {
+            if (!out.basket)
+                continue;
+            if (out.basket.startsWith('p ')) {
+                this.addPModuleByScheme(out.basket.split(' ')[1], 'basket', pModulesByScheme);
+            }
+            else {
+                nonPBaskets.push(out.basket);
+            }
+        }
+        return nonPBaskets;
+    }
+    /** Enforces signAndProcess=false for non-admin originators; throws if admin override is missing. */
+    enforceSignAndProcess(options, originator) {
+        const modifiedOptions = { ...options };
         if (modifiedOptions.signAndProcess !== true) {
             modifiedOptions.signAndProcess = false;
         }
         else if (!this.isAdminOriginator(originator)) {
             throw new Error('Only the admin originator can set signAndProcess=true explicitly.');
         }
-        // 5) Encrypt transaction metadata, saving originals for use in permissions and line items.
-        const originalDescription = args.description;
+        return modifiedOptions;
+    }
+    /** Encrypts all description/instruction fields in args in-place; returns original (plaintext) copies. */
+    async encryptActionMetadata(args) {
         const originalInputDescriptions = {};
         const originalOutputDescriptions = {};
         const inputEncryptionTasks = (args.inputs || []).map(async (input, i) => {
@@ -2954,64 +2818,34 @@ class WalletPermissionsManager {
             }
         });
         await Promise.all([
-            (async () => {
-                args.description = await this.maybeEncryptMetadata(args.description);
-            })(),
+            (async () => { args.description = await this.maybeEncryptMetadata(args.description); })(),
             ...inputEncryptionTasks,
             ...outputEncryptionTasks
         ]);
-        /**
-         * 6) Call the underlying wallet's createAction.
-         *    - If P-modules are involved, chain request transformations through them first
-         *    - Add two "admin" labels for tracking: "admin originator <domain>" and "admin month YYYY-MM"
-         *    - If P-modules are involved, chain response transformations back through them
-         */
-        const finalArgs = {
-            ...args,
-            options: modifiedOptions,
-            labels: [...(args.labels || []), `admin originator ${originator}`, `admin month ${this.getCurrentMonthYearUTC()}`]
-        };
-        let createResult;
-        if (pModulesByScheme.size > 0) {
-            // P-modules are involved - chain transformations
-            const pModules = Array.from(pModulesByScheme.values());
-            // Chain onRequest calls through all modules
-            let transformedArgs = finalArgs;
-            for (const module of pModules) {
-                const transformed = await module.onRequest({
-                    method: 'createAction',
-                    args: transformedArgs,
-                    originator: originator
-                });
-                transformedArgs = transformed.args;
-            }
-            // Call underlying wallet with transformed args
-            createResult = await this.underlying.createAction(transformedArgs, originator);
-            // Chain onResponse calls in reverse order
-            for (let i = pModules.length - 1; i >= 0; i--) {
-                createResult = await pModules[i].onResponse(createResult, {
-                    method: 'createAction',
-                    originator: originator
-                });
-            }
-        }
-        else {
-            // No P-modules - call underlying wallet directly
-            createResult = await this.underlying.createAction(finalArgs, originator);
+        return { originalInputDescriptions, originalOutputDescriptions };
+    }
+    /** Calls underlying createAction, chaining P-module request/response transforms when needed. */
+    async callCreateActionWithPModules(finalArgs, pModulesByScheme, originator) {
+        if (pModulesByScheme.size === 0)
+            return await this.underlying.createAction(finalArgs, originator);
+        const pModules = Array.from(pModulesByScheme.values());
+        let transformedArgs = finalArgs;
+        for (const module of pModules) {
+            const transformed = await module.onRequest({ method: 'createAction', args: transformedArgs, originator: originator });
+            transformedArgs = transformed.args;
         }
-        // If there's no signableTransaction, the underlying wallet must have fully finalized it. Return as is.
-        if (!createResult.signableTransaction) {
-            return createResult;
+        let createResult = await this.underlying.createAction(transformedArgs, originator);
+        for (let i = pModules.length - 1; i >= 0; i--) {
+            createResult = await pModules[i].onResponse(createResult, { method: 'createAction', originator: originator });
         }
-        /**
-         * 7) We have a signable transaction. Parse it to determine how much the originator is actually spending.
-         *    We only consider inputs the originator explicitly listed in args.inputs.
-         *    netSpent = (sum of originator-requested outputs) - (sum of matching originator inputs).
-         *    If netSpent > 0, we need spending authorization.
-         */
-        const tx = sdk_1.Transaction.fromAtomicBEEF(createResult.signableTransaction.tx);
-        const reference = createResult.signableTransaction.reference;
-        let netSpent = 0;
+        return createResult;
+    }
+    /**
+     * Computes the net satoshis the originator is spending in a createAction call,
+     * accounting for foreign (originator-provided) inputs and outputs plus the fee.
+     * Also builds the line items list for the spending authorization request.
+     */
+    computeNetSpend(tx, args, originalInputDescriptions, originalOutputDescriptions) {
         const lineItems = [];
         // Sum originator-provided inputs:
         let totalInputSatoshis = 0;
@@ -3024,7 +2858,7 @@ class WalletPermissionsManager {
                 lineItems.push({
                     type: 'input',
                     description: originalInputDescriptions[matchingIndex] || 'No input description provided',
-                    satoshis: satoshis
+                    satoshis
                 });
             }
         }
@@ -3039,68 +2873,20 @@ class WalletPermissionsManager {
             });
         }
         // Add an entry for the transaction fee:
-        lineItems.push({
-            type: 'fee',
-            satoshis: tx.getFee(),
-            description: 'Network fee'
-        });
-        /**
-         * When it comes to spending authorizations, and the computation of net spend, there are
-         * two types of inputs and two types of outputs:
-         *
-         * There are foreign (originator-requested) ones, and domestic (internally-provided) ones.
-         * The net spend is always calculated from the domestic, internal perspective. Therefore, the
-         * cost of funding the foreign outputs is the base cost to the domestic user, unless this is
-         * somehow offset.
-         *
-         * The only way to offset this cost is when the foreign inputs help carry some of the burden.
-         * This is why we can subtract the sum of the foreign inputs from the sum of foreign outputs,
-         * to gague how much of that cost needs to be born domestically by the user.
-         *
-         * The logic does not need to account for whatever domestic inputs are provided, or whatever
-         * domestic outputs are re-captured by the wallet back as change. The wallet could conceivably
-         * provide 21e8 satoshis as input and re-capture the same amount as change, but the net effect
-         * on actual spending would be zero. Therefore, we base net spend on total foreign outflows
-         * minus total foreign inflows. Fees are also considered.
-         */
-        netSpent = totalOutputSatoshis + tx.getFee() - totalInputSatoshis;
-        // 8) If netSpent > 0, require spending authorization. Abort if denied.
-        if (netSpent > 0) {
-            try {
-                await this.ensureSpendingAuthorization({
-                    originator: originator,
-                    satoshis: netSpent,
-                    lineItems,
-                    reason: originalDescription
-                });
-            }
-            catch (err) {
-                await this.underlying.abortAction({ reference });
-                throw err;
-            }
-        }
+        const fee = tx.getFee();
+        lineItems.push({ type: 'fee', satoshis: fee, description: 'Network fee' });
         /**
-         * 9) Decide whether to finalize the transaction automatically or return the signableTransaction:
-         *    - If the user originally wanted signAndProcess (the default when undefined), we forcibly set it to false earlier, so check if we should now finalize it.
-         *    - If the transaction still needs more signatures, we must return the signableTransaction.
+         * Net spend = total foreign outflows minus total foreign inflows plus fee.
+         * Domestic wallet inputs/change outputs are not counted — they are internal.
          */
-        const vargs = sdk_1.Validation.validateCreateActionArgs(args);
-        if (vargs.isSignAction) {
-            return createResult;
-        }
-        const signResult = await this.underlying.signAction({ reference, spends: {}, options: args.options }, originator);
-        // Merge signResult into createResult and remove signableTransaction:
-        return {
-            ...createResult,
-            ...signResult,
-            signableTransaction: undefined
-        };
+        const netSpent = totalOutputSatoshis + fee - totalInputSatoshis;
+        return { netSpent, lineItems };
     }
     async signAction(...args) {
-        return this.underlying.signAction(...args);
+        return await this.underlying.signAction(...args);
     }
     async abortAction(...args) {
-        return this.underlying.abortAction(...args);
+        return await this.underlying.abortAction(...args);
     }
     async listActions(...args) {
         const [requestArgs, originator] = args;
@@ -3231,7 +3017,7 @@ class WalletPermissionsManager {
             return results;
         }
         // No P-modules - call underlying wallet directly
-        return this.underlying.internalizeAction(...args);
+        return await this.underlying.internalizeAction(...args);
     }
     async listOutputs(...args) {
         const [requestArgs, originator] = args;
@@ -3270,11 +3056,11 @@ class WalletPermissionsManager {
             reason: 'relinquishOutput',
             usageType: 'removal'
         });
-        return this.underlying.relinquishOutput(...args);
+        return await this.underlying.relinquishOutput(...args);
     }
     async getPublicKey(...args) {
         const [requestArgs, originator] = args;
-        if (requestArgs.protocolID) {
+        if (requestArgs.protocolID != null) {
             // Delegate to permission module if needed
             const pModuleResult = await this.delegateToPModuleIfNeeded(requestArgs.protocolID[1], 'getPublicKey', requestArgs, originator, async (transformedArgs) => {
                 return await this.underlying.getPublicKey(transformedArgs, originator);
@@ -3303,7 +3089,7 @@ class WalletPermissionsManager {
                 usageType: 'identityKey'
             });
         }
-        return this.underlying.getPublicKey(...args);
+        return await this.underlying.getPublicKey(...args);
     }
     async revealCounterpartyKeyLinkage(...args) {
         const [requestArgs, originator] = args;
@@ -3315,7 +3101,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'linkageRevelation'
         });
-        return this.underlying.revealCounterpartyKeyLinkage(...args);
+        return await this.underlying.revealCounterpartyKeyLinkage(...args);
     }
     async revealSpecificKeyLinkage(...args) {
         const [requestArgs, originator] = args;
@@ -3330,7 +3116,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'linkageRevelation'
         });
-        return this.underlying.revealSpecificKeyLinkage(...args);
+        return await this.underlying.revealSpecificKeyLinkage(...args);
     }
     async encrypt(...args) {
         const [requestArgs, originator] = args;
@@ -3349,7 +3135,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'encrypting'
         });
-        return this.underlying.encrypt(...args);
+        return await this.underlying.encrypt(...args);
     }
     async decrypt(...args) {
         const [requestArgs, originator] = args;
@@ -3368,7 +3154,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'encrypting'
         });
-        return this.underlying.decrypt(...args);
+        return await this.underlying.decrypt(...args);
     }
     async createHmac(...args) {
         const [requestArgs, originator] = args;
@@ -3387,7 +3173,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'hmac'
         });
-        return this.underlying.createHmac(...args);
+        return await this.underlying.createHmac(...args);
     }
     async verifyHmac(...args) {
         const [requestArgs, originator] = args;
@@ -3406,7 +3192,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'hmac'
         });
-        return this.underlying.verifyHmac(...args);
+        return await this.underlying.verifyHmac(...args);
     }
     async createSignature(...args) {
         const [requestArgs, originator] = args;
@@ -3425,7 +3211,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'signing'
         });
-        return this.underlying.createSignature(...args);
+        return await this.underlying.createSignature(...args);
     }
     async verifySignature(...args) {
         const [requestArgs, originator] = args;
@@ -3444,7 +3230,7 @@ class WalletPermissionsManager {
             reason: requestArgs.privilegedReason,
             usageType: 'signing'
         });
-        return this.underlying.verifySignature(...args);
+        return await this.underlying.verifySignature(...args);
     }
     async acquireCertificate(...args) {
         const [requestArgs, originator] = args;
@@ -3458,7 +3244,7 @@ class WalletPermissionsManager {
                 usageType: 'generic'
             });
         }
-        return this.underlying.acquireCertificate(...args);
+        return await this.underlying.acquireCertificate(...args);
     }
     async listCertificates(...args) {
         const [requestArgs, originator] = args;
@@ -3466,13 +3252,13 @@ class WalletPermissionsManager {
             await this.ensureProtocolPermission({
                 originator: originator,
                 privileged: requestArgs.privileged,
-                protocolID: [1, `certificate list`],
+                protocolID: [1, 'certificate list'],
                 counterparty: 'self',
                 reason: requestArgs.privilegedReason,
                 usageType: 'generic'
             });
         }
-        return this.underlying.listCertificates(...args);
+        return await this.underlying.listCertificates(...args);
     }
     async proveCertificate(...args) {
         const [requestArgs, originator] = args;
@@ -3485,21 +3271,21 @@ class WalletPermissionsManager {
             reason: 'proveCertificate',
             usageType: 'disclosure'
         });
-        return this.underlying.proveCertificate(...args);
+        return await this.underlying.proveCertificate(...args);
     }
     async relinquishCertificate(...args) {
         const [requestArgs, originator] = args;
         if (this.config.seekCertificateRelinquishmentPermissions) {
             await this.ensureProtocolPermission({
                 originator: originator,
-                privileged: requestArgs.privileged ? true : false,
+                privileged: !!requestArgs.privileged,
                 protocolID: [1, `certificate relinquishment ${requestArgs.type}`],
                 counterparty: 'self',
                 reason: requestArgs.privilegedReason || 'relinquishCertificate',
                 usageType: 'generic'
             });
         }
-        return this.underlying.relinquishCertificate(...args);
+        return await this.underlying.relinquishCertificate(...args);
     }
     async discoverByIdentityKey(...args) {
         const [_, originator] = args;
@@ -3507,13 +3293,13 @@ class WalletPermissionsManager {
             await this.ensureProtocolPermission({
                 originator: originator,
                 privileged: false,
-                protocolID: [1, `identity resolution`],
+                protocolID: [1, 'identity resolution'],
                 counterparty: 'self',
                 reason: 'discoverByIdentityKey',
                 usageType: 'generic'
             });
         }
-        return this.underlying.discoverByIdentityKey(...args);
+        return await this.underlying.discoverByIdentityKey(...args);
     }
     async discoverByAttributes(...args) {
         const [_, originator] = args;
@@ -3521,26 +3307,26 @@ class WalletPermissionsManager {
             await this.ensureProtocolPermission({
                 originator: originator,
                 privileged: false,
-                protocolID: [1, `identity resolution`],
+                protocolID: [1, 'identity resolution'],
                 counterparty: 'self',
                 reason: 'discoverByAttributes',
                 usageType: 'generic'
             });
         }
-        return this.underlying.discoverByAttributes(...args);
+        return await this.underlying.discoverByAttributes(...args);
     }
     async isAuthenticated(...args) {
-        return this.underlying.isAuthenticated(...args);
+        return await this.underlying.isAuthenticated(...args);
     }
     async waitForAuthentication(...args) {
-        let [_, originator] = args;
+        const [_, originator] = args;
         if (this.config.seekGroupedPermission && originator) {
             const { normalized: normalizedOriginator } = this.prepareOriginator(originator);
             const normalized = normalizedOriginator;
             await this.withGroupedPermissionFlowLock(normalized, async () => {
                 // 1. Fetch manifest.json from the originator
                 const groupPermissions = await this.fetchManifestGroupPermissions(normalized);
-                if (groupPermissions) {
+                if (groupPermissions != null) {
                     // 2. Filter out already-granted permissions
                     const permissionsToRequest = await this.filterAlreadyGrantedPermissions(normalized, groupPermissions);
                     // 3. If any permissions are left to request, start the flow
@@ -3573,19 +3359,19 @@ class WalletPermissionsManager {
             });
         }
         // Finally, after handling grouped permissions, call the underlying method.
-        return this.underlying.waitForAuthentication(...args);
+        return await this.underlying.waitForAuthentication(...args);
     }
     async getHeight(...args) {
-        return this.underlying.getHeight(...args);
+        return await this.underlying.getHeight(...args);
     }
     async getHeaderForHeight(...args) {
-        return this.underlying.getHeaderForHeight(...args);
+        return await this.underlying.getHeaderForHeight(...args);
     }
     async getNetwork(...args) {
-        return this.underlying.getNetwork(...args);
+        return await this.underlying.getNetwork(...args);
     }
     async getVersion(...args) {
-        return this.underlying.getVersion(...args);
+        return await this.underlying.getVersion(...args);
     }
     /* ---------------------------------------------------------------------
      *  8) INTERNAL HELPER UTILITIES
@@ -3646,7 +3432,7 @@ class WalletPermissionsManager {
      */
     isPermissionCached(key) {
         const entry = this.permissionCache.get(key);
-        if (!entry)
+        if (entry == null)
             return false;
         if (Date.now() - entry.cachedAt > WalletPermissionsManager.CACHE_TTL_MS) {
             this.permissionCache.delete(key);
@@ -3715,7 +3501,7 @@ class WalletPermissionsManager {
     isWhitelistedCounterpartyProtocol(counterparty, protocolID) {
         var _a;
         const whitelist = this.config.whitelistedCounterparties;
-        if (!whitelist)
+        if (whitelist == null)
             return false;
         if (!counterparty || counterparty === 'self' || counterparty === 'anyone')
             return false;