@cofhe/sdk 0.0.0-alpha-20260409113701

package/dist/web.cjs

@@ -0,0 +1,4434 @@
+'use strict';
+
+var vanilla = require('zustand/vanilla');
+var viem = require('viem');
+var chains = require('viem/chains');
+var accounts = require('viem/accounts');
+var zod = require('zod');
+var middleware = require('zustand/middleware');
+var immer = require('immer');
+var nacl = require('tweetnacl');
+var iframeSharedStorage = require('iframe-shared-storage');
+var init = require('tfhe');
+
+var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var nacl__default = /*#__PURE__*/_interopDefault(nacl);
+var init__default = /*#__PURE__*/_interopDefault(init);
+
+// core/client.ts
+
+// core/error.ts
+var CofheError = class _CofheError extends Error {
+  code;
+  cause;
+  hint;
+  context;
+  constructor({ code, message, cause, hint, context }) {
+    const fullMessage = cause ? `${message} | Caused by: ${cause.message}` : message;
+    super(fullMessage);
+    this.name = "CofheError";
+    this.code = code;
+    this.cause = cause;
+    this.hint = hint;
+    this.context = context;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _CofheError);
+    }
+  }
+  /**
+   * Creates a CofheError from an unknown error
+   * If the error is a CofheError, it is returned unchanged, else a new CofheError is created
+   * If a wrapperError is provided, it is used to create the new CofheError, else a default is used
+   */
+  static fromError(error, wrapperError) {
+    if (isCofheError(error))
+      return error;
+    const cause = error instanceof Error ? error : new Error(`${error}`);
+    return new _CofheError({
+      code: wrapperError?.code ?? "INTERNAL_ERROR" /* InternalError */,
+      message: wrapperError?.message ?? "An internal error occurred",
+      hint: wrapperError?.hint,
+      context: wrapperError?.context,
+      cause
+    });
+  }
+  /**
+   * Serializes the error to JSON string with proper handling of Error objects
+   */
+  serialize() {
+    return bigintSafeJsonStringify({
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      hint: this.hint,
+      context: this.context,
+      cause: this.cause ? {
+        name: this.cause.name,
+        message: this.cause.message,
+        stack: this.cause.stack
+      } : void 0,
+      stack: this.stack
+    });
+  }
+  /**
+   * Returns a human-readable string representation of the error
+   */
+  toString() {
+    const parts = [`${this.name} [${this.code}]: ${this.message}`];
+    if (this.hint) {
+      parts.push(`Hint: ${this.hint}`);
+    }
+    if (this.context && Object.keys(this.context).length > 0) {
+      parts.push(`Context: ${bigintSafeJsonStringify(this.context)}`);
+    }
+    if (this.stack) {
+      parts.push(`
+Stack trace:`);
+      parts.push(this.stack);
+    }
+    if (this.cause) {
+      parts.push(`
+Caused by: ${this.cause.name}: ${this.cause.message}`);
+      if (this.cause.stack) {
+        parts.push(this.cause.stack);
+      }
+    }
+    return parts.join("\n");
+  }
+};
+var bigintSafeJsonStringify = (value) => {
+  return JSON.stringify(value, (key, value2) => {
+    if (typeof value2 === "bigint") {
+      return `${value2}n`;
+    }
+    return value2;
+  });
+};
+var isCofheError = (error) => error instanceof CofheError;
+
+// core/types.ts
+var FheUintUTypes = [
+  2 /* Uint8 */,
+  3 /* Uint16 */,
+  4 /* Uint32 */,
+  5 /* Uint64 */,
+  6 /* Uint128 */
+  // [U256-DISABLED]
+  // FheTypes.Uint256,
+];
+var toHexString = (bytes) => bytes.reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
+var toBigIntOrThrow = (value) => {
+  if (typeof value === "bigint") {
+    return value;
+  }
+  try {
+    return BigInt(value);
+  } catch (error) {
+    throw new Error("Invalid input: Unable to convert to bigint");
+  }
+};
+var validateBigIntInRange = (value, max, min = 0n) => {
+  if (typeof value !== "bigint") {
+    throw new Error("Value must be of type bigint");
+  }
+  if (value > max || value < min) {
+    throw new Error(`Value out of range: ${max} - ${min}, try a different uint type`);
+  }
+};
+var hexToBytes = (hex) => {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+  }
+  return bytes;
+};
+var sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+async function getPublicClientChainID(publicClient) {
+  let chainId = null;
+  try {
+    chainId = publicClient.chain?.id ?? await publicClient.getChainId();
+  } catch (e) {
+    throw new CofheError({
+      code: "PUBLIC_WALLET_GET_CHAIN_ID_FAILED" /* PublicWalletGetChainIdFailed */,
+      message: "getting chain ID from public client failed",
+      cause: e instanceof Error ? e : void 0
+    });
+  }
+  if (chainId === null) {
+    throw new CofheError({
+      code: "PUBLIC_WALLET_GET_CHAIN_ID_FAILED" /* PublicWalletGetChainIdFailed */,
+      message: "chain ID from public client is null"
+    });
+  }
+  return chainId;
+}
+async function getWalletClientAccount(walletClient) {
+  let address;
+  try {
+    address = walletClient.account?.address;
+    if (!address) {
+      address = (await walletClient.getAddresses())?.[0];
+    }
+  } catch (e) {
+    throw new CofheError({
+      code: "PUBLIC_WALLET_GET_ADDRESSES_FAILED" /* PublicWalletGetAddressesFailed */,
+      message: "getting address from wallet client failed",
+      cause: e instanceof Error ? e : void 0
+    });
+  }
+  if (!address) {
+    throw new CofheError({
+      code: "PUBLIC_WALLET_GET_ADDRESSES_FAILED" /* PublicWalletGetAddressesFailed */,
+      message: "address from wallet client is null"
+    });
+  }
+  return address;
+}
+function fheTypeToString(utype) {
+  switch (utype) {
+    case 0 /* Bool */:
+      return "bool";
+    case 1 /* Uint4 */:
+      return "uint4";
+    case 2 /* Uint8 */:
+      return "uint8";
+    case 3 /* Uint16 */:
+      return "uint16";
+    case 4 /* Uint32 */:
+      return "uint32";
+    case 5 /* Uint64 */:
+      return "uint64";
+    case 6 /* Uint128 */:
+      return "uint128";
+    case 7 /* Uint160 */:
+      return "uint160";
+    case 8 /* Uint256 */:
+      return "uint256";
+    case 9 /* Uint512 */:
+      return "uint512";
+    case 10 /* Uint1024 */:
+      return "uint1024";
+    case 11 /* Uint2048 */:
+      return "uint2048";
+    case 12 /* Uint2 */:
+      return "uint2";
+    case 13 /* Uint6 */:
+      return "uint6";
+    case 14 /* Uint10 */:
+      return "uint10";
+    default:
+      throw new Error(`Unknown FheType: ${utype}`);
+  }
+}
+
+// core/encrypt/zkPackProveVerify.ts
+var MAX_UINT8 = 255n;
+var MAX_UINT16 = 65535n;
+var MAX_UINT32 = 4294967295n;
+var MAX_UINT64 = 18446744073709551615n;
+var MAX_UINT128 = 340282366920938463463374607431768211455n;
+var MAX_UINT160 = 1461501637330902918203684832716283019655932542975n;
+var MAX_ENCRYPTABLE_BITS = 2048;
+var zkPack = (items, builder) => {
+  let totalBits = 0;
+  for (const item of items) {
+    switch (item.utype) {
+      case 0 /* Bool */: {
+        builder.push_boolean(item.data);
+        totalBits += 1;
+        break;
+      }
+      case 2 /* Uint8 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT8);
+        builder.push_u8(parseInt(bint.toString()));
+        totalBits += 8;
+        break;
+      }
+      case 3 /* Uint16 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT16);
+        builder.push_u16(parseInt(bint.toString()));
+        totalBits += 16;
+        break;
+      }
+      case 4 /* Uint32 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT32);
+        builder.push_u32(parseInt(bint.toString()));
+        totalBits += 32;
+        break;
+      }
+      case 5 /* Uint64 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT64);
+        builder.push_u64(bint);
+        totalBits += 64;
+        break;
+      }
+      case 6 /* Uint128 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT128);
+        builder.push_u128(bint);
+        totalBits += 128;
+        break;
+      }
+      case 7 /* Uint160 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT160);
+        builder.push_u160(bint);
+        totalBits += 160;
+        break;
+      }
+      default: {
+        throw new CofheError({
+          code: "ZK_PACK_FAILED" /* ZkPackFailed */,
+          message: `Invalid utype: ${item.utype}`,
+          hint: `Ensure that the utype is valid, using the Encryptable type, for example: Encryptable.uint128(100n)`,
+          context: {
+            item
+          }
+        });
+      }
+    }
+  }
+  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+    throw new CofheError({
+      code: "ZK_PACK_FAILED" /* ZkPackFailed */,
+      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      context: {
+        totalBits,
+        maxBits: MAX_ENCRYPTABLE_BITS,
+        items
+      }
+    });
+  }
+  return builder;
+};
+var zkProveWithWorker = async (workerFn, fheKeyHex, crsHex, items, metadata) => {
+  return await workerFn(fheKeyHex, crsHex, items, metadata);
+};
+var zkProve = async (builder, crs, metadata) => {
+  return new Promise((resolve) => {
+    setTimeout(() => {
+      const compactList = builder.build_with_proof_packed(
+        crs,
+        metadata,
+        1
+        // ZkComputeLoad.Verify
+      );
+      resolve(compactList.serialize());
+    }, 0);
+  });
+};
+var constructZkPoKMetadata = (accountAddr, securityZone, chainId) => {
+  const accountAddrNoPrefix = accountAddr.startsWith("0x") ? accountAddr.slice(2) : accountAddr;
+  const accountBytes = hexToBytes(accountAddrNoPrefix);
+  const chainIdBytes = new Uint8Array(32);
+  let value = chainId;
+  for (let i = 31; i >= 0 && value > 0; i--) {
+    chainIdBytes[i] = value & 255;
+    value = value >>> 8;
+  }
+  const metadata = new Uint8Array(1 + accountBytes.length + 32);
+  metadata[0] = securityZone;
+  metadata.set(accountBytes, 1);
+  metadata.set(chainIdBytes, 1 + accountBytes.length);
+  return metadata;
+};
+var zkVerify = async (verifierUrl, serializedBytes, address, securityZone, chainId) => {
+  const packed_list = toHexString(serializedBytes);
+  const sz_byte = new Uint8Array([securityZone]);
+  const payload = {
+    packed_list,
+    account_addr: address,
+    security_zone: sz_byte[0],
+    chain_id: chainId
+  };
+  const body = JSON.stringify(payload);
+  try {
+    const response = await fetch(`${verifierUrl}/verify`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new CofheError({
+        code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
+        message: `HTTP error! ZK proof verification failed - ${errorBody}`
+      });
+    }
+    const json = await response.json();
+    if (json.status !== "success") {
+      throw new CofheError({
+        code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
+        message: `ZK proof verification response malformed - ${json.error}`
+      });
+    }
+    return json.data.map(({ ct_hash, signature, recid }) => {
+      return {
+        ct_hash,
+        signature: concatSigRecid(signature, recid)
+      };
+    });
+  } catch (e) {
+    throw new CofheError({
+      code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
+      message: `ZK proof verification failed`,
+      cause: e instanceof Error ? e : void 0
+    });
+  }
+};
+var concatSigRecid = (signature, recid) => {
+  return signature + (recid + 27).toString(16).padStart(2, "0");
+};
+
+// core/encrypt/MockZkVerifierAbi.ts
+var MockZkVerifierAbi = [
+  {
+    type: "function",
+    name: "exists",
+    inputs: [],
+    outputs: [{ name: "", type: "bool", internalType: "bool" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "insertCtHash",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "value", type: "uint256", internalType: "uint256" }
+    ],
+    outputs: [],
+    stateMutability: "nonpayable"
+  },
+  {
+    type: "function",
+    name: "insertPackedCtHashes",
+    inputs: [
+      { name: "ctHashes", type: "uint256[]", internalType: "uint256[]" },
+      { name: "values", type: "uint256[]", internalType: "uint256[]" }
+    ],
+    outputs: [],
+    stateMutability: "nonpayable"
+  },
+  {
+    type: "function",
+    name: "zkVerify",
+    inputs: [
+      { name: "value", type: "uint256", internalType: "uint256" },
+      { name: "utype", type: "uint8", internalType: "uint8" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "", type: "uint256", internalType: "uint256" }
+    ],
+    outputs: [
+      {
+        name: "",
+        type: "tuple",
+        internalType: "struct EncryptedInput",
+        components: [
+          { name: "ctHash", type: "uint256", internalType: "uint256" },
+          { name: "securityZone", type: "uint8", internalType: "uint8" },
+          { name: "utype", type: "uint8", internalType: "uint8" },
+          { name: "signature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    stateMutability: "nonpayable"
+  },
+  {
+    type: "function",
+    name: "zkVerifyCalcCtHash",
+    inputs: [
+      { name: "value", type: "uint256", internalType: "uint256" },
+      { name: "utype", type: "uint8", internalType: "uint8" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "", type: "uint256", internalType: "uint256" }
+    ],
+    outputs: [{ name: "ctHash", type: "uint256", internalType: "uint256" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "zkVerifyCalcCtHashesPacked",
+    inputs: [
+      { name: "values", type: "uint256[]", internalType: "uint256[]" },
+      { name: "utypes", type: "uint8[]", internalType: "uint8[]" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "chainId", type: "uint256", internalType: "uint256" }
+    ],
+    outputs: [{ name: "ctHashes", type: "uint256[]", internalType: "uint256[]" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "zkVerifyPacked",
+    inputs: [
+      { name: "values", type: "uint256[]", internalType: "uint256[]" },
+      { name: "utypes", type: "uint8[]", internalType: "uint8[]" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "chainId", type: "uint256", internalType: "uint256" }
+    ],
+    outputs: [
+      {
+        name: "inputs",
+        type: "tuple[]",
+        internalType: "struct EncryptedInput[]",
+        components: [
+          { name: "ctHash", type: "uint256", internalType: "uint256" },
+          { name: "securityZone", type: "uint8", internalType: "uint8" },
+          { name: "utype", type: "uint8", internalType: "uint8" },
+          { name: "signature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    stateMutability: "nonpayable"
+  },
+  { type: "error", name: "InvalidInputs", inputs: [] }
+];
+
+// core/consts.ts
+var TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
+var MOCKS_ZK_VERIFIER_ADDRESS = "0x0000000000000000000000000000000000005001";
+var MOCKS_THRESHOLD_NETWORK_ADDRESS = "0x0000000000000000000000000000000000005002";
+var MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY = "0x6C8D7F768A6BB4AAFE85E8A2F5A9680355239C7E14646ED62B044E39DE154512";
+var MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY = "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d";
+
+// core/encrypt/cofheMocksZkVerifySign.ts
+function createMockZkVerifierSigner() {
+  return viem.createWalletClient({
+    chain: chains.hardhat,
+    transport: viem.http(),
+    account: accounts.privateKeyToAccount(MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY)
+  });
+}
+async function cofheMocksCheckEncryptableBits(items) {
+  let totalBits = 0;
+  for (const item of items) {
+    switch (item.utype) {
+      case 0 /* Bool */: {
+        totalBits += 1;
+        break;
+      }
+      case 2 /* Uint8 */: {
+        totalBits += 8;
+        break;
+      }
+      case 3 /* Uint16 */: {
+        totalBits += 16;
+        break;
+      }
+      case 4 /* Uint32 */: {
+        totalBits += 32;
+        break;
+      }
+      case 5 /* Uint64 */: {
+        totalBits += 64;
+        break;
+      }
+      case 6 /* Uint128 */: {
+        totalBits += 128;
+        break;
+      }
+      case 7 /* Uint160 */: {
+        totalBits += 160;
+        break;
+      }
+    }
+  }
+  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+    throw new CofheError({
+      code: "ZK_PACK_FAILED" /* ZkPackFailed */,
+      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      context: {
+        totalBits,
+        maxBits: MAX_ENCRYPTABLE_BITS,
+        items
+      }
+    });
+  }
+}
+async function calcCtHashes(items, account, securityZone, publicClient) {
+  const calcCtHashesArgs = [
+    items.map(({ data }) => BigInt(data)),
+    items.map(({ utype }) => utype),
+    account,
+    securityZone,
+    BigInt(chains.hardhat.id)
+  ];
+  let ctHashes;
+  try {
+    ctHashes = await publicClient.readContract({
+      address: MOCKS_ZK_VERIFIER_ADDRESS,
+      abi: MockZkVerifierAbi,
+      functionName: "zkVerifyCalcCtHashesPacked",
+      args: calcCtHashesArgs
+    });
+  } catch (err) {
+    throw new CofheError({
+      code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
+      message: `mockZkVerifySign calcCtHashes failed while calling zkVerifyCalcCtHashesPacked`,
+      cause: err instanceof Error ? err : void 0,
+      context: {
+        address: MOCKS_ZK_VERIFIER_ADDRESS,
+        items,
+        account,
+        securityZone,
+        publicClient,
+        calcCtHashesArgs
+      }
+    });
+  }
+  if (ctHashes.length !== items.length) {
+    throw new CofheError({
+      code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
+      message: `mockZkVerifySign calcCtHashes returned incorrect number of ctHashes`,
+      context: {
+        items,
+        account,
+        securityZone,
+        publicClient,
+        calcCtHashesArgs,
+        ctHashes
+      }
+    });
+  }
+  return items.map((item, index) => ({
+    ...item,
+    ctHash: ctHashes[index]
+  }));
+}
+async function insertCtHashes(items, walletClient) {
+  const insertPackedCtHashesArgs = [items.map(({ ctHash }) => ctHash), items.map(({ data }) => BigInt(data))];
+  try {
+    const account = walletClient.account;
+    await walletClient.writeContract({
+      address: MOCKS_ZK_VERIFIER_ADDRESS,
+      abi: MockZkVerifierAbi,
+      functionName: "insertPackedCtHashes",
+      args: insertPackedCtHashesArgs,
+      chain: chains.hardhat,
+      account
+    });
+  } catch (err) {
+    throw new CofheError({
+      code: "ZK_MOCKS_INSERT_CT_HASHES_FAILED" /* ZkMocksInsertCtHashesFailed */,
+      message: `mockZkVerifySign insertPackedCtHashes failed while calling insertPackedCtHashes`,
+      cause: err instanceof Error ? err : void 0,
+      context: {
+        items,
+        walletClient,
+        insertPackedCtHashesArgs
+      }
+    });
+  }
+}
+async function createProofSignatures(items, securityZone, account) {
+  let signatures = [];
+  let encInputSignerClient;
+  try {
+    encInputSignerClient = createMockZkVerifierSigner();
+  } catch (err) {
+    throw new CofheError({
+      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
+      message: `mockZkVerifySign createProofSignatures failed while creating wallet client`,
+      cause: err instanceof Error ? err : void 0,
+      context: {
+        MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY
+      }
+    });
+  }
+  try {
+    for (const item of items) {
+      const packedData = viem.encodePacked(
+        ["uint256", "uint8", "uint8", "address", "uint256"],
+        [BigInt(item.ctHash), item.utype, securityZone, account, BigInt(chains.hardhat.id)]
+      );
+      const messageHash = viem.keccak256(packedData);
+      const signature = await accounts.sign({
+        hash: messageHash,
+        privateKey: MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY,
+        to: "hex"
+      });
+      signatures.push(signature);
+    }
+  } catch (err) {
+    throw new CofheError({
+      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
+      message: `mockZkVerifySign createProofSignatures failed while calling signMessage`,
+      cause: err instanceof Error ? err : void 0,
+      context: {
+        items,
+        securityZone
+      }
+    });
+  }
+  if (signatures.length !== items.length) {
+    throw new CofheError({
+      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
+      message: `mockZkVerifySign createProofSignatures returned incorrect number of signatures`,
+      context: {
+        items,
+        securityZone
+      }
+    });
+  }
+  return signatures;
+}
+async function cofheMocksZkVerifySign(items, account, securityZone, publicClient, walletClient, zkvWalletClient) {
+  const _walletClient = zkvWalletClient ?? createMockZkVerifierSigner();
+  const encryptableItems = await calcCtHashes(items, account, securityZone, publicClient);
+  await insertCtHashes(encryptableItems, _walletClient);
+  const signatures = await createProofSignatures(encryptableItems, securityZone, account);
+  return encryptableItems.map((item, index) => ({
+    ct_hash: item.ctHash.toString(),
+    signature: signatures[index]
+  }));
+}
+var EnvironmentSchema = zod.z.enum(["MOCK", "TESTNET", "MAINNET"]);
+var CofheChainSchema = zod.z.object({
+  /** Chain ID */
+  id: zod.z.number().int().positive(),
+  /** Human-readable chain name */
+  name: zod.z.string().min(1),
+  /** Network identifier */
+  network: zod.z.string().min(1),
+  /** coFhe service URL */
+  coFheUrl: zod.z.url(),
+  /** Verifier service URL */
+  verifierUrl: zod.z.url(),
+  /** Threshold network service URL */
+  thresholdNetworkUrl: zod.z.url(),
+  /** Environment type */
+  environment: EnvironmentSchema
+});
+function defineChain(chainConfig) {
+  const result = CofheChainSchema.safeParse(chainConfig);
+  if (!result.success) {
+    throw new Error(`Invalid chain configuration: ${zod.z.prettifyError(result.error)}`, { cause: result.error });
+  }
+  return result.data;
+}
+
+// chains/chains/hardhat.ts
+var hardhat2 = defineChain({
+  id: 31337,
+  name: "Hardhat",
+  network: "localhost",
+  // These are unused in the mock environment
+  coFheUrl: "http://127.0.0.1:8448",
+  verifierUrl: "http://127.0.0.1:3001",
+  thresholdNetworkUrl: "http://127.0.0.1:3000",
+  environment: "MOCK"
+});
+var CofheConfigSchema = zod.z.object({
+  /** Environment that the SDK is running in */
+  environment: zod.z.enum(["node", "hardhat", "web", "react"]).optional().default("node"),
+  /** List of supported chain configurations */
+  supportedChains: zod.z.array(zod.z.custom()),
+  /** Default permit expiration in seconds, default is 30 days */
+  defaultPermitExpiration: zod.z.number().optional().default(60 * 60 * 24 * 30),
+  /** Storage method for fhe keys (defaults to indexedDB on web, filesystem on node) */
+  fheKeyStorage: zod.z.object({
+    getItem: zod.z.custom((val) => typeof val === "function", {
+      message: "getItem must be a function"
+    }),
+    setItem: zod.z.custom((val) => typeof val === "function", {
+      message: "setItem must be a function"
+    }),
+    removeItem: zod.z.custom((val) => typeof val === "function", {
+      message: "removeItem must be a function"
+    })
+  }).or(zod.z.null()).default(null),
+  /** Whether to use Web Workers for ZK proof generation (web platform only) */
+  useWorkers: zod.z.boolean().optional().default(true),
+  /** Mocks configs */
+  mocks: zod.z.object({
+    decryptDelay: zod.z.number().optional().default(0),
+    encryptDelay: zod.z.union([zod.z.number(), zod.z.tuple([zod.z.number(), zod.z.number(), zod.z.number(), zod.z.number(), zod.z.number()])]).optional().default([100, 100, 100, 500, 500])
+  }).optional().default({ decryptDelay: 0, encryptDelay: [100, 100, 100, 500, 500] }),
+  /** Internal configuration */
+  _internal: zod.z.object({
+    zkvWalletClient: zod.z.any().optional()
+  }).optional()
+});
+function createCofheConfigBase(config) {
+  const result = CofheConfigSchema.safeParse(config);
+  if (!result.success) {
+    throw new Error(`Invalid cofhe configuration: ${zod.z.prettifyError(result.error)}`, { cause: result.error });
+  }
+  return result.data;
+}
+function getSupportedChainOrThrow(config, chainId) {
+  const supportedChain = config.supportedChains.find((chain) => chain.id === chainId);
+  if (!supportedChain) {
+    throw new CofheError({
+      code: "UNSUPPORTED_CHAIN" /* UnsupportedChain */,
+      message: `Config does not support chain <${chainId}>`,
+      hint: "Ensure config passed to client has been created with this chain in the config.supportedChains array.",
+      context: {
+        chainId,
+        supportedChainIds: config.supportedChains.map((c) => c.id)
+      }
+    });
+  }
+  return supportedChain;
+}
+function getCoFheUrlOrThrow(config, chainId) {
+  const supportedChain = getSupportedChainOrThrow(config, chainId);
+  const url = supportedChain.coFheUrl;
+  if (!url) {
+    throw new CofheError({
+      code: "MISSING_CONFIG" /* MissingConfig */,
+      message: `CoFHE URL is not configured for chain <${chainId}>`,
+      hint: "Ensure this chain config includes a coFheUrl property.",
+      context: { chainId }
+    });
+  }
+  return url;
+}
+function getZkVerifierUrlOrThrow(config, chainId) {
+  const supportedChain = getSupportedChainOrThrow(config, chainId);
+  const url = supportedChain.verifierUrl;
+  if (!url) {
+    throw new CofheError({
+      code: "ZK_VERIFIER_URL_UNINITIALIZED" /* ZkVerifierUrlUninitialized */,
+      message: `ZK verifier URL is not configured for chain <${chainId}>`,
+      hint: "Ensure this chain config includes a verifierUrl property.",
+      context: { chainId }
+    });
+  }
+  return url;
+}
+function getThresholdNetworkUrlOrThrow(config, chainId) {
+  const supportedChain = getSupportedChainOrThrow(config, chainId);
+  const url = supportedChain.thresholdNetworkUrl;
+  if (!url) {
+    throw new CofheError({
+      code: "THRESHOLD_NETWORK_URL_UNINITIALIZED" /* ThresholdNetworkUrlUninitialized */,
+      message: `Threshold network URL is not configured for chain <${chainId}>`,
+      hint: "Ensure this chain config includes a thresholdNetworkUrl property.",
+      context: { chainId }
+    });
+  }
+  return url;
+}
+function isValidPersistedState(state) {
+  if (state && typeof state === "object") {
+    if ("fhe" in state && "crs" in state) {
+      return true;
+    } else {
+      throw new Error(
+        "Invalid persisted state structure for KeysStore. Is object but doesn't contain required fields 'fhe' and 'crs'."
+      );
+    }
+  }
+  return false;
+}
+var DEFAULT_KEYS_STORE = {
+  fhe: {},
+  crs: {}
+};
+function isStoreWithPersist(store) {
+  return "persist" in store;
+}
+function createKeysStore(storage) {
+  const keysStore = storage ? createStoreWithPersit(storage) : vanilla.createStore()(() => ({
+    fhe: {},
+    crs: {}
+  }));
+  const getFheKey = (chainId, securityZone = 0) => {
+    if (chainId == null || securityZone == null)
+      return void 0;
+    const stored = keysStore.getState().fhe[chainId]?.[securityZone];
+    return stored;
+  };
+  const getCrs = (chainId) => {
+    if (chainId == null)
+      return void 0;
+    const stored = keysStore.getState().crs[chainId];
+    return stored;
+  };
+  const setFheKey = (chainId, securityZone, key) => {
+    keysStore.setState(
+      immer.produce((state) => {
+        if (state.fhe[chainId] == null)
+          state.fhe[chainId] = {};
+        state.fhe[chainId][securityZone] = key;
+      })
+    );
+  };
+  const setCrs = (chainId, crs) => {
+    keysStore.setState(
+      immer.produce((state) => {
+        state.crs[chainId] = crs;
+      })
+    );
+  };
+  const clearKeysStorage = async () => {
+    if (storage) {
+      await storage.removeItem("cofhesdk-keys");
+    }
+  };
+  const rehydrateKeysStore = async () => {
+    if (!isStoreWithPersist(keysStore))
+      return;
+    if (keysStore.persist.hasHydrated())
+      return;
+    await keysStore.persist.rehydrate();
+  };
+  return {
+    store: keysStore,
+    getFheKey,
+    getCrs,
+    setFheKey,
+    setCrs,
+    clearKeysStorage,
+    rehydrateKeysStore
+  };
+}
+function createStoreWithPersit(storage) {
+  const result = vanilla.createStore()(
+    middleware.persist(() => DEFAULT_KEYS_STORE, {
+      // because earleir tests were written with on-init hydration skipped (due to the error suppression in zustand), returning this flag to fix test (i.e. KeyStore > Storage Utilities > should rehydrate keys store)
+      skipHydration: true,
+      // if onRehydrateStorage is not passed here, the errors thrown by storage layer are swallowed by zustand here: https://github.com/pmndrs/zustand/blob/39a391b6c1ff9aa89b81694d9bdb21da37dd4ac6/src/middleware/persist.ts#L321
+      onRehydrateStorage: () => (_state, _error) => {
+        if (_error)
+          throw new Error(`onRehydrateStorage: Error rehydrating keys store: ${_error}`);
+      },
+      name: "cofhesdk-keys",
+      storage: middleware.createJSONStorage(() => storage),
+      merge: (persistedState, currentState) => {
+        const persisted = isValidPersistedState(persistedState) ? persistedState : DEFAULT_KEYS_STORE;
+        const current = currentState;
+        const mergedFhe = { ...persisted.fhe };
+        const allChainIds = /* @__PURE__ */ new Set([...Object.keys(current.fhe), ...Object.keys(persisted.fhe)]);
+        for (const chainId of allChainIds) {
+          const persistedZones = persisted.fhe[chainId] || {};
+          const currentZones = current.fhe[chainId] || {};
+          mergedFhe[chainId] = { ...persistedZones, ...currentZones };
+        }
+        const mergedCrs = { ...persisted.crs, ...current.crs };
+        return {
+          fhe: mergedFhe,
+          crs: mergedCrs
+        };
+      }
+    })
+  );
+  return result;
+}
+
+// core/fetchKeys.ts
+var PUBLIC_KEY_LENGTH_MIN = 15e3;
+var checkKeyValidity = (key, serializer) => {
+  if (key == null || key.length === 0)
+    return [false, `Key is null or empty <${key}>`];
+  try {
+    serializer(key);
+    return [true, `Key is valid`];
+  } catch (err) {
+    return [false, `Serialization failed <${err}> key length <${key.length}>`];
+  }
+};
+var fetchFhePublicKey = async (coFheUrl, chainId, securityZone, tfhePublicKeyDeserializer2, keysStorage) => {
+  const storedKey = keysStorage?.getFheKey(chainId, securityZone);
+  const [storedKeyValid] = checkKeyValidity(storedKey, tfhePublicKeyDeserializer2);
+  if (storedKeyValid)
+    return [storedKey, false];
+  let pk_data = void 0;
+  try {
+    const pk_res = await fetch(`${coFheUrl}/GetNetworkPublicKey`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ securityZone })
+    });
+    const json = await pk_res.json();
+    pk_data = json.publicKey;
+  } catch (err) {
+    throw new Error(`Error fetching FHE publicKey; fetching from CoFHE failed with error ${err}`);
+  }
+  if (pk_data == null || typeof pk_data !== "string") {
+    throw new Error(`Error fetching FHE publicKey; fetched result invalid: missing or not a string`);
+  }
+  if (pk_data === "0x") {
+    throw new Error("Error fetching FHE publicKey; provided chain is not FHE enabled / not found");
+  }
+  if (pk_data.length < PUBLIC_KEY_LENGTH_MIN) {
+    throw new Error(
+      `Error fetching FHE publicKey; got shorter than expected key length: ${pk_data.length}. Expected length >= ${PUBLIC_KEY_LENGTH_MIN}`
+    );
+  }
+  try {
+    tfhePublicKeyDeserializer2(pk_data);
+  } catch (err) {
+    throw new Error(`Error serializing FHE publicKey; ${err}`);
+  }
+  keysStorage?.setFheKey(chainId, securityZone, pk_data);
+  return [pk_data, true];
+};
+var fetchCrs = async (coFheUrl, chainId, securityZone, compactPkeCrsDeserializer2, keysStorage) => {
+  const storedKey = keysStorage?.getCrs(chainId);
+  const [storedKeyValid] = checkKeyValidity(storedKey, compactPkeCrsDeserializer2);
+  if (storedKeyValid)
+    return [storedKey, false];
+  let crs_data = void 0;
+  try {
+    const crs_res = await fetch(`${coFheUrl}/GetCrs`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ securityZone })
+    });
+    const json = await crs_res.json();
+    crs_data = json.crs;
+  } catch (err) {
+    throw new Error(`Error fetching CRS; fetching failed with error ${err}`);
+  }
+  if (crs_data == null || typeof crs_data !== "string") {
+    throw new Error(`Error fetching CRS; invalid: missing or not a string`);
+  }
+  try {
+    compactPkeCrsDeserializer2(crs_data);
+  } catch (err) {
+    console.error(`Error serializing CRS ${err}`);
+    throw new Error(`Error serializing CRS; ${err}`);
+  }
+  keysStorage?.setCrs(chainId, crs_data);
+  return [crs_data, true];
+};
+var fetchKeys = async (config, chainId, securityZone = 0, tfhePublicKeyDeserializer2, compactPkeCrsDeserializer2, keysStorage) => {
+  const coFheUrl = getCoFheUrlOrThrow(config, chainId);
+  return await Promise.all([
+    fetchFhePublicKey(coFheUrl, chainId, securityZone, tfhePublicKeyDeserializer2, keysStorage),
+    fetchCrs(coFheUrl, chainId, securityZone, compactPkeCrsDeserializer2, keysStorage)
+  ]);
+};
+var BaseBuilder = class {
+  config;
+  publicClient;
+  walletClient;
+  chainId;
+  account;
+  constructor(params) {
+    if (!params.config) {
+      throw new CofheError({
+        code: "MISSING_CONFIG" /* MissingConfig */,
+        message: "Builder config is undefined",
+        hint: "Ensure client has been created with a config.",
+        context: {
+          config: params.config
+        }
+      });
+    }
+    this.config = params.config;
+    this.publicClient = params.publicClient;
+    this.walletClient = params.walletClient;
+    this.chainId = params.chainId;
+    this.account = params.account;
+    params.requireConnected?.();
+  }
+  /**
+   * Asserts that this.chainId is populated
+   * @throws {CofheError} If chainId is not set
+   */
+  assertChainId() {
+    if (this.chainId)
+      return;
+    throw new CofheError({
+      code: "CHAIN_ID_UNINITIALIZED" /* ChainIdUninitialized */,
+      message: "Chain ID is not set",
+      hint: "Ensure client.connect() has been called and awaited, or use setChainId(...) to set the chainId explicitly.",
+      context: {
+        chainId: this.chainId
+      }
+    });
+  }
+  /**
+   * Asserts that this.account is populated
+   * @throws {CofheError} If account is not set
+   */
+  assertAccount() {
+    if (this.account)
+      return;
+    throw new CofheError({
+      code: "ACCOUNT_UNINITIALIZED" /* AccountUninitialized */,
+      message: "Account is not set",
+      hint: "Ensure client.connect() has been called and awaited, or use setAccount(...) to set the account explicitly.",
+      context: {
+        account: this.account
+      }
+    });
+  }
+  /**
+   * Asserts that this.publicClient is populated
+   * @throws {CofheError} If publicClient is not set
+   */
+  assertPublicClient() {
+    if (this.publicClient)
+      return;
+    throw new CofheError({
+      code: "MISSING_PUBLIC_CLIENT" /* MissingPublicClient */,
+      message: "Public client not found",
+      hint: "Ensure client.connect() has been called with a publicClient.",
+      context: {
+        publicClient: this.publicClient
+      }
+    });
+  }
+  /**
+   * Asserts that this.walletClient is populated
+   * @throws {CofheError} If walletClient is not set
+   */
+  assertWalletClient() {
+    if (this.walletClient)
+      return;
+    throw new CofheError({
+      code: "MISSING_WALLET_CLIENT" /* MissingWalletClient */,
+      message: "Wallet client not found",
+      hint: "Ensure client.connect() has been called with a walletClient.",
+      context: {
+        walletClient: this.walletClient
+      }
+    });
+  }
+};
+
+// core/encrypt/encryptInputsBuilder.ts
+var EncryptInputsBuilder = class extends BaseBuilder {
+  securityZone;
+  stepCallback;
+  inputItems;
+  zkvWalletClient;
+  tfhePublicKeyDeserializer;
+  compactPkeCrsDeserializer;
+  zkBuilderAndCrsGenerator;
+  initTfhe;
+  zkProveWorkerFn;
+  keysStorage;
+  // Worker configuration (from config, overrideable)
+  useWorker;
+  stepTimestamps = {
+    ["initTfhe" /* InitTfhe */]: 0,
+    ["fetchKeys" /* FetchKeys */]: 0,
+    ["pack" /* Pack */]: 0,
+    ["prove" /* Prove */]: 0,
+    ["verify" /* Verify */]: 0
+  };
+  constructor(params) {
+    super({
+      config: params.config,
+      publicClient: params.publicClient,
+      walletClient: params.walletClient,
+      chainId: params.chainId,
+      account: params.account,
+      requireConnected: params.requireConnected
+    });
+    this.inputItems = params.inputs;
+    this.securityZone = params.securityZone ?? 0;
+    this.zkvWalletClient = params.zkvWalletClient;
+    if (!params.tfhePublicKeyDeserializer) {
+      throw new CofheError({
+        code: "MISSING_TFHE_PUBLIC_KEY_DESERIALIZER" /* MissingTfhePublicKeyDeserializer */,
+        message: "EncryptInputsBuilder tfhePublicKeyDeserializer is undefined",
+        hint: "Ensure client has been created with a tfhePublicKeyDeserializer.",
+        context: {
+          tfhePublicKeyDeserializer: params.tfhePublicKeyDeserializer
+        }
+      });
+    }
+    this.tfhePublicKeyDeserializer = params.tfhePublicKeyDeserializer;
+    if (!params.compactPkeCrsDeserializer) {
+      throw new CofheError({
+        code: "MISSING_COMPACT_PKE_CRS_DESERIALIZER" /* MissingCompactPkeCrsDeserializer */,
+        message: "EncryptInputsBuilder compactPkeCrsDeserializer is undefined",
+        hint: "Ensure client has been created with a compactPkeCrsDeserializer.",
+        context: {
+          compactPkeCrsDeserializer: params.compactPkeCrsDeserializer
+        }
+      });
+    }
+    this.compactPkeCrsDeserializer = params.compactPkeCrsDeserializer;
+    if (!params.zkBuilderAndCrsGenerator) {
+      throw new CofheError({
+        code: "MISSING_ZK_BUILDER_AND_CRS_GENERATOR" /* MissingZkBuilderAndCrsGenerator */,
+        message: "EncryptInputsBuilder zkBuilderAndCrsGenerator is undefined",
+        hint: "Ensure client has been created with a zkBuilderAndCrsGenerator.",
+        context: {
+          zkBuilderAndCrsGenerator: params.zkBuilderAndCrsGenerator
+        }
+      });
+    }
+    this.zkBuilderAndCrsGenerator = params.zkBuilderAndCrsGenerator;
+    this.initTfhe = params.initTfhe;
+    this.zkProveWorkerFn = params.zkProveWorkerFn;
+    this.keysStorage = params.keysStorage;
+    this.useWorker = params.config?.useWorkers ?? true;
+  }
+  /**
+   * @param account - Account that will create the tx using the encrypted inputs.
+   *
+   * If not provided, the account will be fetched from the connected walletClient.
+   *
+   * Example:
+   * ```typescript
+   * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
+   *   .setAccount("0x123")
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable EncryptInputsBuilder instance.
+   */
+  setAccount(account) {
+    this.account = account;
+    return this;
+  }
+  getAccount() {
+    return this.account;
+  }
+  /**
+   * @param chainId - Chain that will consume the encrypted inputs.
+   *
+   * If not provided, the chainId will be fetched from the connected publicClient.
+   *
+   * Example:
+   * ```typescript
+   * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
+   *   .setChainId(11155111)
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable EncryptInputsBuilder instance.
+   */
+  setChainId(chainId) {
+    this.chainId = chainId;
+    return this;
+  }
+  getChainId() {
+    return this.chainId;
+  }
+  /**
+   * @param securityZone - Security zone to encrypt the inputs for.
+   *
+   * If not provided, the default securityZone 0 will be used.
+   *
+   * Example:
+   * ```typescript
+   * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
+   *   .setSecurityZone(1)
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable EncryptInputsBuilder instance.
+   */
+  setSecurityZone(securityZone) {
+    this.securityZone = securityZone;
+    return this;
+  }
+  getSecurityZone() {
+    return this.securityZone;
+  }
+  /**
+   * @param useWorker - Whether to use Web Workers for ZK proof generation.
+   *
+   * Overrides the config-level useWorkers setting for this specific encryption.
+   *
+   * Example:
+   * ```typescript
+   * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
+   *   .setUseWorker(false)
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable EncryptInputsBuilder instance.
+   */
+  setUseWorker(useWorker) {
+    this.useWorker = useWorker;
+    return this;
+  }
+  /**
+   * Gets the current worker configuration.
+   *
+   * @returns Whether Web Workers are enabled for this encryption.
+   *
+   * Example:
+   * ```typescript
+   * const builder = encryptInputs([Encryptable.uint128(10n)]);
+   * console.log(builder.getUseWorker()); // true (from config)
+   * builder.setUseWorker(false);
+   * console.log(builder.getUseWorker()); // false (overridden)
+   * ```
+   */
+  getUseWorker() {
+    return this.useWorker;
+  }
+  /**
+   * @param callback - Function to be called with the encryption step.
+   *
+   * Useful for debugging and tracking the progress of the encryption process.
+   * Useful for a UI element that shows the progress of the encryption process.
+   *
+   * Example:
+   * ```typescript
+   * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
+   *   .onStep((step: EncryptStep) => console.log(step))
+   *   .execute();
+   * ```
+   *
+   * @returns The EncryptInputsBuilder instance.
+   */
+  onStep(callback) {
+    this.stepCallback = callback;
+    return this;
+  }
+  getStepCallback() {
+    return this.stepCallback;
+  }
+  /**
+   * Fires the step callback if set
+   */
+  fireStepStart(step, context = {}) {
+    if (!this.stepCallback)
+      return;
+    this.stepTimestamps[step] = Date.now();
+    this.stepCallback(step, { ...context, isStart: true, isEnd: false, duration: 0 });
+  }
+  fireStepEnd(step, context = {}) {
+    if (!this.stepCallback)
+      return;
+    const duration = Date.now() - this.stepTimestamps[step];
+    this.stepCallback(step, { ...context, isStart: false, isEnd: true, duration });
+  }
+  /**
+   * zkVerifierUrl is included in the chains exported from @cofhe/sdk/chains for use in CofheConfig.supportedChains
+   * Users should generally not set this manually.
+   */
+  async getZkVerifierUrl() {
+    this.assertChainId();
+    return getZkVerifierUrlOrThrow(this.config, this.chainId);
+  }
+  /**
+   * initTfhe is a platform-specific dependency injected into core/createCofheClientBase by web/createCofheClient and node/createCofheClient
+   * web/ uses zama "tfhe"
+   * node/ uses zama "node-tfhe"
+   * Users should not set this manually.
+   */
+  async initTfheOrThrow() {
+    if (!this.initTfhe)
+      return false;
+    try {
+      return await this.initTfhe();
+    } catch (error) {
+      throw CofheError.fromError(error, {
+        code: "INIT_TFHE_FAILED" /* InitTfheFailed */,
+        message: `Failed to initialize TFHE`,
+        context: {
+          initTfhe: this.initTfhe
+        }
+      });
+    }
+  }
+  /**
+   * Fetches the FHE key and CRS from the CoFHE API
+   * If the key/crs already exists in the store it is returned, else it is fetched, stored, and returned
+   */
+  async fetchFheKeyAndCrs() {
+    this.assertChainId();
+    const securityZone = this.getSecurityZone();
+    try {
+      await this.keysStorage?.rehydrateKeysStore();
+    } catch (error) {
+      throw CofheError.fromError(error, {
+        code: "REHYDRATE_KEYS_STORE_FAILED" /* RehydrateKeysStoreFailed */,
+        message: `Failed to rehydrate keys store`,
+        context: {
+          keysStorage: this.keysStorage
+        }
+      });
+    }
+    let fheKey;
+    let fheKeyFetchedFromCoFHE = false;
+    let crs;
+    let crsFetchedFromCoFHE = false;
+    try {
+      [[fheKey, fheKeyFetchedFromCoFHE], [crs, crsFetchedFromCoFHE]] = await fetchKeys(
+        this.config,
+        this.chainId,
+        securityZone,
+        this.tfhePublicKeyDeserializer,
+        this.compactPkeCrsDeserializer,
+        this.keysStorage
+      );
+    } catch (error) {
+      throw CofheError.fromError(error, {
+        code: "FETCH_KEYS_FAILED" /* FetchKeysFailed */,
+        message: `Failed to fetch FHE key and CRS`,
+        context: {
+          config: this.config,
+          chainId: this.chainId,
+          securityZone,
+          compactPkeCrsDeserializer: this.compactPkeCrsDeserializer,
+          tfhePublicKeyDeserializer: this.tfhePublicKeyDeserializer
+        }
+      });
+    }
+    if (!fheKey) {
+      throw new CofheError({
+        code: "MISSING_FHE_KEY" /* MissingFheKey */,
+        message: `FHE key not found`,
+        context: {
+          chainId: this.chainId,
+          securityZone
+        }
+      });
+    }
+    if (!crs) {
+      throw new CofheError({
+        code: "MISSING_CRS" /* MissingCrs */,
+        message: `CRS not found for chainId <${this.chainId}>`,
+        context: {
+          chainId: this.chainId
+        }
+      });
+    }
+    return { fheKey, fheKeyFetchedFromCoFHE, crs, crsFetchedFromCoFHE };
+  }
+  /**
+   * Resolves the encryptDelay config into an array of 5 per-step delays.
+   * A single number is broadcast to all steps; a tuple is used as-is.
+   */
+  resolveEncryptDelays() {
+    const encryptDelay = this.config?.mocks?.encryptDelay ?? [100, 100, 100, 500, 500];
+    if (typeof encryptDelay === "number") {
+      return [encryptDelay, encryptDelay, encryptDelay, encryptDelay, encryptDelay];
+    }
+    return encryptDelay;
+  }
+  /**
+   * @dev Encrypt against the cofheMocks instead of CoFHE
+   *
+   * In the cofheMocks, the MockZkVerifier contract is deployed on hardhat to a fixed address, this contract handles mocking the zk verifying.
+   * cofheMocksInsertPackedHashes - stores the ctHashes and their plaintext values for on-chain mocking of FHE operations.
+   * cofheMocksZkCreateProofSignatures - creates signatures to be included in the encrypted inputs. The signers address is known and verified in the mock contracts.
+   */
+  async mocksExecute() {
+    this.assertAccount();
+    this.assertPublicClient();
+    this.assertWalletClient();
+    const [initTfheDelay, fetchKeysDelay, packDelay, proveDelay, verifyDelay] = this.resolveEncryptDelays();
+    this.fireStepStart("initTfhe" /* InitTfhe */);
+    await sleep(initTfheDelay);
+    this.fireStepEnd("initTfhe" /* InitTfhe */, {
+      tfheInitializationExecuted: false,
+      isMocks: true,
+      mockSleep: initTfheDelay
+    });
+    this.fireStepStart("fetchKeys" /* FetchKeys */);
+    await sleep(fetchKeysDelay);
+    this.fireStepEnd("fetchKeys" /* FetchKeys */, {
+      fheKeyFetchedFromCoFHE: false,
+      crsFetchedFromCoFHE: false,
+      isMocks: true,
+      mockSleep: fetchKeysDelay
+    });
+    this.fireStepStart("pack" /* Pack */);
+    await cofheMocksCheckEncryptableBits(this.inputItems);
+    await sleep(packDelay);
+    this.fireStepEnd("pack" /* Pack */, { isMocks: true, mockSleep: packDelay });
+    this.fireStepStart("prove" /* Prove */);
+    await sleep(proveDelay);
+    this.fireStepEnd("prove" /* Prove */, { isMocks: true, mockSleep: proveDelay });
+    this.fireStepStart("verify" /* Verify */);
+    await sleep(verifyDelay);
+    const signedResults = await cofheMocksZkVerifySign(
+      this.inputItems,
+      this.account,
+      this.securityZone,
+      this.publicClient,
+      this.walletClient,
+      this.zkvWalletClient
+    );
+    const encryptedInputs = signedResults.map(({ ct_hash, signature }, index) => ({
+      ctHash: BigInt(ct_hash),
+      securityZone: this.securityZone,
+      utype: this.inputItems[index].utype,
+      signature
+    }));
+    this.fireStepEnd("verify" /* Verify */, { isMocks: true, mockSleep: verifyDelay });
+    return encryptedInputs;
+  }
+  /**
+   * In the production context, perform a true encryption with the CoFHE coprocessor.
+   */
+  async productionExecute() {
+    this.assertAccount();
+    this.assertChainId();
+    this.fireStepStart("initTfhe" /* InitTfhe */);
+    const tfheInitializationExecuted = await this.initTfheOrThrow();
+    this.fireStepEnd("initTfhe" /* InitTfhe */, { tfheInitializationExecuted });
+    this.fireStepStart("fetchKeys" /* FetchKeys */);
+    const { fheKey, fheKeyFetchedFromCoFHE, crs, crsFetchedFromCoFHE } = await this.fetchFheKeyAndCrs();
+    let { zkBuilder, zkCrs } = this.zkBuilderAndCrsGenerator(fheKey, crs);
+    this.fireStepEnd("fetchKeys" /* FetchKeys */, { fheKeyFetchedFromCoFHE, crsFetchedFromCoFHE });
+    this.fireStepStart("pack" /* Pack */);
+    zkBuilder = zkPack(this.inputItems, zkBuilder);
+    this.fireStepEnd("pack" /* Pack */);
+    this.fireStepStart("prove" /* Prove */);
+    const metadata = constructZkPoKMetadata(this.account, this.securityZone, this.chainId);
+    let proof = null;
+    let usedWorker = false;
+    let workerFailedError;
+    if (this.useWorker && this.zkProveWorkerFn) {
+      try {
+        proof = await zkProveWithWorker(this.zkProveWorkerFn, fheKey, crs, this.inputItems, metadata);
+        usedWorker = true;
+      } catch (error) {
+        workerFailedError = error instanceof Error ? error.message : String(error);
+      }
+    }
+    if (proof == null) {
+      proof = await zkProve(zkBuilder, zkCrs, metadata);
+      usedWorker = false;
+    }
+    this.fireStepEnd("prove" /* Prove */, {
+      useWorker: this.useWorker,
+      usedWorker,
+      workerFailedError
+    });
+    this.fireStepStart("verify" /* Verify */);
+    const zkVerifierUrl = await this.getZkVerifierUrl();
+    const verifyResults = await zkVerify(zkVerifierUrl, proof, this.account, this.securityZone, this.chainId);
+    const encryptedInputs = verifyResults.map(
+      ({ ct_hash, signature }, index) => ({
+        ctHash: BigInt(ct_hash),
+        securityZone: this.securityZone,
+        utype: this.inputItems[index].utype,
+        signature
+      })
+    );
+    this.fireStepEnd("verify" /* Verify */);
+    return encryptedInputs;
+  }
+  /**
+   * Final step of the encryption process. MUST BE CALLED LAST IN THE CHAIN.
+   *
+   * This will:
+   * - Pack the encryptable items into a zk proof
+   * - Prove the zk proof
+   * - Verify the zk proof with CoFHE
+   * - Package and return the encrypted inputs
+   *
+   * Example:
+   * ```typescript
+   * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
+   *   .setAccount('0x123...890') // optional
+   *   .setChainId(11155111)      // optional
+   *   .execute();                // execute
+   * ```
+   *
+   * @returns The encrypted inputs.
+   */
+  async execute() {
+    if (this.chainId === chains.hardhat.id)
+      return this.mocksExecute();
+    return this.productionExecute();
+  }
+};
+
+// permits/utils.ts
+var fromHexString = (hexString) => {
+  const cleanString = hexString.length % 2 === 1 ? `0${hexString}` : hexString;
+  const arr = cleanString.replace(/^0x/, "").match(/.{1,2}/g);
+  if (!arr)
+    return new Uint8Array();
+  return new Uint8Array(arr.map((byte) => parseInt(byte, 16)));
+};
+var toHexString2 = (bytes) => bytes.reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
+function toBigInt(value) {
+  if (typeof value === "string") {
+    return BigInt(value);
+  } else if (typeof value === "number") {
+    return BigInt(value);
+  } else if (typeof value === "object") {
+    return BigInt("0x" + toHexString2(value));
+  } else {
+    return value;
+  }
+}
+function toBeArray(value) {
+  const bigIntValue = typeof value === "number" ? BigInt(value) : value;
+  const hex = bigIntValue.toString(16);
+  const paddedHex = hex.length % 2 === 0 ? hex : "0" + hex;
+  return fromHexString(paddedHex);
+}
+function isString(value) {
+  if (typeof value !== "string") {
+    throw new Error(`Expected value which is \`string\`, received value of type \`${typeof value}\`.`);
+  }
+}
+function isNumber(value) {
+  const is = typeof value === "number" && !Number.isNaN(value);
+  if (!is) {
+    throw new Error(`Expected value which is \`number\`, received value of type \`${typeof value}\`.`);
+  }
+}
+function isBigIntOrNumber(value) {
+  const is = typeof value === "bigint";
+  if (!is) {
+    try {
+      isNumber(value);
+    } catch (e) {
+      throw new Error(`Value ${value} is not a number or bigint: ${typeof value}`);
+    }
+  }
+}
+
+// permits/sealing.ts
+var PRIVATE_KEY_LENGTH = 64;
+var PUBLIC_KEY_LENGTH = 64;
+var SealingKey = class _SealingKey {
+  /**
+   * The private key used for decryption.
+   */
+  privateKey;
+  /**
+   * The public key used for encryption.
+   */
+  publicKey;
+  /**
+   * Constructs a SealingKey instance with the given private and public keys.
+   *
+   * @param {string} privateKey - The private key used for decryption.
+   * @param {string} publicKey - The public key used for encryption.
+   * @throws Will throw an error if the provided keys lengths do not match
+   *         the required lengths for private and public keys.
+   */
+  constructor(privateKey, publicKey) {
+    if (privateKey.length !== PRIVATE_KEY_LENGTH) {
+      throw new Error(`Private key must be of length ${PRIVATE_KEY_LENGTH}`);
+    }
+    if (publicKey.length !== PUBLIC_KEY_LENGTH) {
+      throw new Error(`Public key must be of length ${PUBLIC_KEY_LENGTH}`);
+    }
+    this.privateKey = privateKey;
+    this.publicKey = publicKey;
+  }
+  unseal = (parsedData) => {
+    const nonce = parsedData.nonce instanceof Uint8Array ? parsedData.nonce : new Uint8Array(parsedData.nonce);
+    const ephemPublicKey = parsedData.public_key instanceof Uint8Array ? parsedData.public_key : new Uint8Array(parsedData.public_key);
+    const dataToDecrypt = parsedData.data instanceof Uint8Array ? parsedData.data : new Uint8Array(parsedData.data);
+    const privateKeyBytes = fromHexString(this.privateKey);
+    const decryptedMessage = nacl__default.default.box.open(dataToDecrypt, nonce, ephemPublicKey, privateKeyBytes);
+    if (!decryptedMessage) {
+      throw new Error("Failed to decrypt message");
+    }
+    return toBigInt(decryptedMessage);
+  };
+  /**
+   * Serializes the SealingKey to a JSON object.
+   */
+  serialize = () => {
+    return {
+      privateKey: this.privateKey,
+      publicKey: this.publicKey
+    };
+  };
+  /**
+   * Deserializes the SealingKey from a JSON object.
+   */
+  static deserialize = (privateKey, publicKey) => {
+    return new _SealingKey(privateKey, publicKey);
+  };
+  /**
+   * Seals (encrypts) the provided message for a receiver with the specified public key.
+   *
+   * @param {bigint | number} value - The message to be encrypted.
+   * @param {string} publicKey - The public key of the intended recipient.
+   * @returns string - The encrypted message in hexadecimal format.
+   * @static
+   * @throws Will throw if the provided publicKey or value do not meet defined preconditions.
+   */
+  static seal = (value, publicKey) => {
+    isString(publicKey);
+    isBigIntOrNumber(value);
+    const ephemeralKeyPair = nacl__default.default.box.keyPair();
+    const nonce = nacl__default.default.randomBytes(nacl__default.default.box.nonceLength);
+    const encryptedMessage = nacl__default.default.box(toBeArray(value), nonce, fromHexString(publicKey), ephemeralKeyPair.secretKey);
+    return {
+      data: encryptedMessage,
+      public_key: ephemeralKeyPair.publicKey,
+      nonce
+    };
+  };
+};
+var GenerateSealingKey = () => {
+  const sodiumKeypair = nacl__default.default.box.keyPair();
+  return new SealingKey(toHexString2(sodiumKeypair.secretKey), toHexString2(sodiumKeypair.publicKey));
+};
+var SerializedSealingPair = zod.z.object({
+  privateKey: zod.z.string(),
+  publicKey: zod.z.string()
+});
+var addressSchema = zod.z.string().refine((val) => viem.isAddress(val), {
+  error: "Invalid address"
+}).transform((val) => viem.getAddress(val));
+var addressNotZeroSchema = addressSchema.refine((val) => val !== viem.zeroAddress, {
+  error: "Must not be zeroAddress"
+});
+var bytesSchema = zod.z.custom(
+  (val) => {
+    return typeof val === "string" && viem.isHex(val);
+  },
+  {
+    message: "Invalid hex value"
+  }
+);
+var bytesNotEmptySchema = bytesSchema.refine((val) => val !== "0x", {
+  error: "Must not be empty"
+});
+var DEFAULT_EXPIRATION_FN = () => Math.round(Date.now() / 1e3) + 7 * 24 * 60 * 60;
+var zPermitWithDefaults = zod.z.object({
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  type: zod.z.enum(["self", "sharing", "recipient"]),
+  issuer: addressNotZeroSchema,
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  recipient: addressSchema.optional().default(viem.zeroAddress),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+});
+var zPermitWithSealingPair = zPermitWithDefaults.extend({
+  sealingPair: SerializedSealingPair.optional()
+});
+var ExternalValidatorRefinement = [
+  (data) => data.validatorId !== 0 && data.validatorContract !== viem.zeroAddress || data.validatorId === 0 && data.validatorContract === viem.zeroAddress,
+  {
+    error: "Permit external validator :: validatorId and validatorContract must either both be set or both be unset.",
+    path: ["validatorId", "validatorContract"]
+  }
+];
+var RecipientRefinement = [
+  (data) => data.issuer !== data.recipient,
+  {
+    error: "Sharing permit :: issuer and recipient must not be the same",
+    path: ["issuer", "recipient"]
+  }
+];
+var SelfPermitOptionsValidator = zod.z.object({
+  type: zod.z.literal("self").optional().default("self"),
+  issuer: addressNotZeroSchema,
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  recipient: addressSchema.optional().default(viem.zeroAddress),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...ExternalValidatorRefinement);
+var SelfPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "self", {
+  error: "Type must be 'self'"
+}).refine((data) => data.recipient === viem.zeroAddress, {
+  error: "Recipient must be zeroAddress"
+}).refine((data) => data.issuerSignature !== "0x", {
+  error: "IssuerSignature must be populated"
+}).refine((data) => data.recipientSignature === "0x", {
+  error: "RecipientSignature must be empty"
+}).refine(...ExternalValidatorRefinement);
+var SharingPermitOptionsValidator = zod.z.object({
+  type: zod.z.literal("sharing").optional().default("sharing"),
+  issuer: addressNotZeroSchema,
+  recipient: addressNotZeroSchema,
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...RecipientRefinement).refine(...ExternalValidatorRefinement);
+var SharingPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "sharing", {
+  error: "Type must be 'sharing'"
+}).refine((data) => data.recipient !== viem.zeroAddress, {
+  error: "Recipient must not be zeroAddress"
+}).refine((data) => data.issuerSignature !== "0x", {
+  error: "IssuerSignature must be populated"
+}).refine((data) => data.recipientSignature === "0x", {
+  error: "RecipientSignature must be empty"
+}).refine(...ExternalValidatorRefinement);
+var ImportPermitOptionsValidator = zod.z.object({
+  type: zod.z.literal("recipient").optional().default("recipient"),
+  issuer: addressNotZeroSchema,
+  recipient: addressNotZeroSchema,
+  name: zod.z.string().optional().default("Unnamed Permit"),
+  expiration: zod.z.int(),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesNotEmptySchema,
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...ExternalValidatorRefinement);
+var ImportPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "recipient", {
+  error: "Type must be 'recipient'"
+}).refine((data) => data.recipient !== viem.zeroAddress, {
+  error: "Recipient must not be zeroAddress"
+}).refine((data) => data.issuerSignature !== "0x", {
+  error: "IssuerSignature must be populated"
+}).refine((data) => data.recipientSignature !== "0x", {
+  error: "RecipientSignature must be populated"
+}).refine(...ExternalValidatorRefinement);
+var safeParseAndThrowFormatted = (schema, data, message) => {
+  const result = schema.safeParse(data);
+  if (!result.success) {
+    throw new Error(`${message}: ${zod.z.prettifyError(result.error)}`, { cause: result.error });
+  }
+  return result.data;
+};
+var validateSelfPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(SelfPermitOptionsValidator, options, "Invalid self permit options");
+};
+var validateSharingPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(SharingPermitOptionsValidator, options, "Invalid sharing permit options");
+};
+var validateImportPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(ImportPermitOptionsValidator, options, "Invalid import permit options");
+};
+var validateSelfPermit = (permit) => {
+  return safeParseAndThrowFormatted(SelfPermitValidator, permit, "Invalid self permit");
+};
+var validateSharingPermit = (permit) => {
+  return safeParseAndThrowFormatted(SharingPermitValidator, permit, "Invalid sharing permit");
+};
+var validateImportPermit = (permit) => {
+  return safeParseAndThrowFormatted(ImportPermitValidator, permit, "Invalid import permit");
+};
+var ValidationUtils = {
+  /**
+   * Check if permit is expired
+   */
+  isExpired: (permit) => {
+    return permit.expiration < Math.floor(Date.now() / 1e3);
+  },
+  /**
+   * Check if permit is signed by the active party
+   */
+  isSigned: (permit) => {
+    if (permit.type === "self" || permit.type === "sharing") {
+      return permit.issuerSignature !== "0x";
+    }
+    if (permit.type === "recipient") {
+      return permit.recipientSignature !== "0x";
+    }
+    return false;
+  },
+  /**
+   * Checks that a permit is signed and not expired.
+   */
+  isSignedAndNotExpired: (permit) => {
+    if (ValidationUtils.isExpired(permit)) {
+      return { valid: false, error: "expired" };
+    }
+    if (!ValidationUtils.isSigned(permit)) {
+      return { valid: false, error: "not-signed" };
+    }
+    return { valid: true, error: null };
+  },
+  /**
+   * Asserts that a permit is signed and not expired.
+   *
+   * Throws `Error` with message:
+   * - `Permit is expired`
+   * - `Permit is not signed`
+   */
+  assertSignedAndNotExpired: (permit) => {
+    const result = ValidationUtils.isSignedAndNotExpired(permit);
+    if (result.valid)
+      return;
+    if (result.error === "expired") {
+      throw new Error("Permit is expired");
+    }
+    if (result.error === "not-signed") {
+      throw new Error("Permit is not signed");
+    }
+    throw new Error("Permit is invalid");
+  },
+  isValid: (permit) => {
+    const schema = permit.type === "self" ? SelfPermitValidator : permit.type === "sharing" ? SharingPermitValidator : permit.type === "recipient" ? ImportPermitValidator : null;
+    if (schema == null)
+      return { valid: false, error: "invalid-schema" };
+    const schemaResult = schema.safeParse(permit);
+    if (!schemaResult.success)
+      return { valid: false, error: "invalid-schema" };
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  }
+};
+
+// permits/signature.ts
+var PermitSignatureAllFields = [
+  { name: "issuer", type: "address" },
+  { name: "expiration", type: "uint64" },
+  { name: "recipient", type: "address" },
+  { name: "validatorId", type: "uint256" },
+  { name: "validatorContract", type: "address" },
+  { name: "sealingKey", type: "bytes32" },
+  { name: "issuerSignature", type: "bytes" }
+];
+var SignatureTypes = {
+  PermissionedV2IssuerSelf: [
+    "issuer",
+    "expiration",
+    "recipient",
+    "validatorId",
+    "validatorContract",
+    "sealingKey"
+  ],
+  PermissionedV2IssuerShared: [
+    "issuer",
+    "expiration",
+    "recipient",
+    "validatorId",
+    "validatorContract"
+  ],
+  PermissionedV2Recipient: ["sealingKey", "issuerSignature"]
+};
+var getSignatureTypesAndMessage = (primaryType, fields, values) => {
+  const types = {
+    [primaryType]: PermitSignatureAllFields.filter((fieldType) => fields.includes(fieldType.name))
+  };
+  const message = {};
+  fields.forEach((field) => {
+    if (field in values) {
+      message[field] = values[field];
+    }
+  });
+  return { types, primaryType, message };
+};
+var SignatureUtils = {
+  /**
+   * Get signature parameters for a permit
+   */
+  getSignatureParams: (permit, primaryType) => {
+    return getSignatureTypesAndMessage(primaryType, SignatureTypes[primaryType], permit);
+  },
+  /**
+   * Determine the required signature type based on permit type
+   */
+  getPrimaryType: (permitType) => {
+    if (permitType === "self")
+      return "PermissionedV2IssuerSelf";
+    if (permitType === "sharing")
+      return "PermissionedV2IssuerShared";
+    if (permitType === "recipient")
+      return "PermissionedV2Recipient";
+    throw new Error(`Unknown permit type: ${permitType}`);
+  }
+};
+var getAclAddress = async (publicClient) => {
+  const ACL_IFACE = "function acl() view returns (address)";
+  const aclAbi = viem.parseAbi([ACL_IFACE]);
+  return await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: aclAbi,
+    functionName: "acl"
+  });
+};
+var getAclEIP712Domain = async (publicClient) => {
+  const aclAddress = await getAclAddress(publicClient);
+  const EIP712_DOMAIN_IFACE = "function eip712Domain() public view returns (bytes1 fields, string name, string version, uint256 chainId, address verifyingContract, bytes32 salt, uint256[] extensions)";
+  const domainAbi = viem.parseAbi([EIP712_DOMAIN_IFACE]);
+  const domain = await publicClient.readContract({
+    address: aclAddress,
+    abi: domainAbi,
+    functionName: "eip712Domain"
+  });
+  const [_fields, name, version, chainId, verifyingContract, _salt, _extensions] = domain;
+  return {
+    name,
+    version,
+    chainId: Number(chainId),
+    verifyingContract
+  };
+};
+var checkPermitValidityOnChain = async (permission, publicClient) => {
+  const aclAddress = await getAclAddress(publicClient);
+  try {
+    await publicClient.simulateContract({
+      address: aclAddress,
+      abi: checkPermitValidityAbi,
+      functionName: "checkPermitValidity",
+      args: [
+        {
+          issuer: permission.issuer,
+          expiration: BigInt(permission.expiration),
+          recipient: permission.recipient,
+          validatorId: BigInt(permission.validatorId),
+          validatorContract: permission.validatorContract,
+          sealingKey: permission.sealingKey,
+          issuerSignature: permission.issuerSignature,
+          recipientSignature: permission.recipientSignature
+        }
+      ]
+    });
+    return true;
+  } catch (err) {
+    if (err instanceof viem.BaseError) {
+      const revertError = err.walk((err2) => err2 instanceof viem.ContractFunctionRevertedError);
+      if (revertError instanceof viem.ContractFunctionRevertedError) {
+        const errorName = revertError.data?.errorName ?? "";
+        throw new Error(errorName);
+      }
+    }
+    const customErrorName = extractCustomErrorFromDetails(err, checkPermitValidityAbi);
+    if (customErrorName) {
+      throw new Error(customErrorName);
+    }
+    const hhDetailsData = extractReturnData(err);
+    if (hhDetailsData != null) {
+      const decoded = viem.decodeErrorResult({
+        abi: checkPermitValidityAbi,
+        data: hhDetailsData
+      });
+      throw new Error(decoded.errorName);
+    }
+    throw err;
+  }
+};
+function extractCustomErrorFromDetails(err, abi) {
+  const anyErr = err;
+  const details = anyErr?.details ?? anyErr?.cause?.details;
+  if (typeof details === "string") {
+    const customErrorMatch = details.match(/reverted with custom error '(\w+)\(\)'/);
+    if (customErrorMatch) {
+      const errorName = customErrorMatch[1];
+      const errorExists = abi.some((item) => item.type === "error" && item.name === errorName);
+      if (errorExists) {
+        return errorName;
+      }
+    }
+  }
+  return void 0;
+}
+function extractReturnData(err) {
+  const anyErr = err;
+  const s = anyErr?.details ?? anyErr?.cause?.details ?? anyErr?.shortMessage ?? anyErr?.message ?? String(err);
+  return s.match(/return data:\s*(0x[a-fA-F0-9]+)/)?.[1];
+}
+var checkPermitValidityAbi = [
+  {
+    type: "function",
+    name: "checkPermitValidity",
+    inputs: [
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          {
+            name: "issuer",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "expiration",
+            type: "uint64",
+            internalType: "uint64"
+          },
+          {
+            name: "recipient",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "validatorId",
+            type: "uint256",
+            internalType: "uint256"
+          },
+          {
+            name: "validatorContract",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "sealingKey",
+            type: "bytes32",
+            internalType: "bytes32"
+          },
+          {
+            name: "issuerSignature",
+            type: "bytes",
+            internalType: "bytes"
+          },
+          {
+            name: "recipientSignature",
+            type: "bytes",
+            internalType: "bytes"
+          }
+        ]
+      }
+    ],
+    outputs: [
+      {
+        name: "",
+        type: "bool",
+        internalType: "bool"
+      }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_Disabled",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_Expired",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_IssuerSignature",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_RecipientSignature",
+    inputs: []
+  }
+];
+
+// permits/permit.ts
+var PermitUtils = {
+  /**
+   * Create a self permit for personal use
+   */
+  createSelf: (options) => {
+    const validation = validateSelfPermitOptions(options);
+    const sealingPair = GenerateSealingKey();
+    const permit = {
+      hash: PermitUtils.getHash(validation),
+      ...validation,
+      sealingPair,
+      _signedDomain: void 0
+    };
+    return permit;
+  },
+  /**
+   * Create a sharing permit to be shared with another user
+   */
+  createSharing: (options) => {
+    const validation = validateSharingPermitOptions(options);
+    const sealingPair = GenerateSealingKey();
+    const permit = {
+      hash: PermitUtils.getHash(validation),
+      ...validation,
+      sealingPair,
+      _signedDomain: void 0
+    };
+    return permit;
+  },
+  /**
+   * Import a shared permit from various input formats
+   */
+  importShared: (options) => {
+    let parsedOptions;
+    if (typeof options === "string") {
+      try {
+        parsedOptions = JSON.parse(options);
+      } catch (error) {
+        throw new Error(`Failed to parse JSON string: ${error}`);
+      }
+    } else if (typeof options === "object" && options !== null) {
+      parsedOptions = options;
+    } else {
+      throw new Error("Invalid input type, expected ImportSharedPermitOptions, object, or string");
+    }
+    if (parsedOptions.type != null && parsedOptions.type !== "sharing") {
+      throw new Error(`Invalid permit type <${parsedOptions.type}>, must be "sharing"`);
+    }
+    const validation = validateImportPermitOptions({ ...parsedOptions, type: "recipient" });
+    const sealingPair = GenerateSealingKey();
+    const permit = {
+      hash: PermitUtils.getHash(validation),
+      ...validation,
+      sealingPair,
+      _signedDomain: void 0
+    };
+    return permit;
+  },
+  /**
+   * Sign a permit with the provided wallet client
+   */
+  sign: async (permit, publicClient, walletClient) => {
+    if (walletClient == null || walletClient.account == null) {
+      throw new Error(
+        "Missing walletClient, you must pass in a `walletClient` for the connected user to create a permit signature"
+      );
+    }
+    const primaryType = SignatureUtils.getPrimaryType(permit.type);
+    const domain = await getAclEIP712Domain(publicClient);
+    const { types, message } = SignatureUtils.getSignatureParams(PermitUtils.getPermission(permit, true), primaryType);
+    const signature = await walletClient.signTypedData({
+      domain,
+      types,
+      primaryType,
+      message,
+      account: walletClient.account
+    });
+    let updatedPermit;
+    if (permit.type === "self" || permit.type === "sharing") {
+      updatedPermit = {
+        ...permit,
+        issuerSignature: signature,
+        _signedDomain: domain
+      };
+    } else {
+      updatedPermit = {
+        ...permit,
+        recipientSignature: signature,
+        _signedDomain: domain
+      };
+    }
+    return updatedPermit;
+  },
+  /**
+   * Create and sign a self permit in one operation
+   */
+  createSelfAndSign: async (options, publicClient, walletClient) => {
+    const permit = PermitUtils.createSelf(options);
+    return PermitUtils.sign(permit, publicClient, walletClient);
+  },
+  /**
+   * Create and sign a sharing permit in one operation
+   */
+  createSharingAndSign: async (options, publicClient, walletClient) => {
+    const permit = PermitUtils.createSharing(options);
+    return PermitUtils.sign(permit, publicClient, walletClient);
+  },
+  /**
+   * Import and sign a shared permit in one operation from various input formats
+   */
+  importSharedAndSign: async (options, publicClient, walletClient) => {
+    const permit = PermitUtils.importShared(options);
+    return PermitUtils.sign(permit, publicClient, walletClient);
+  },
+  /**
+   * Deserialize a permit from serialized data
+   */
+  deserialize: (data) => {
+    return {
+      ...data,
+      sealingPair: SealingKey.deserialize(data.sealingPair.privateKey, data.sealingPair.publicKey)
+    };
+  },
+  /**
+   * Serialize a permit for storage
+   */
+  serialize: (permit) => {
+    return {
+      hash: permit.hash,
+      name: permit.name,
+      type: permit.type,
+      issuer: permit.issuer,
+      expiration: permit.expiration,
+      recipient: permit.recipient,
+      validatorId: permit.validatorId,
+      validatorContract: permit.validatorContract,
+      issuerSignature: permit.issuerSignature,
+      recipientSignature: permit.recipientSignature,
+      _signedDomain: permit._signedDomain,
+      sealingPair: permit.sealingPair.serialize()
+    };
+  },
+  /**
+   * Validate a permit (schema-level validation)
+   */
+  validateSchema: (permit) => {
+    if (permit.type === "self") {
+      return validateSelfPermit(permit);
+    } else if (permit.type === "sharing") {
+      return validateSharingPermit(permit);
+    } else if (permit.type === "recipient") {
+      return validateImportPermit(permit);
+    } else {
+      throw new Error("Invalid permit type");
+    }
+  },
+  /**
+   * Validate a permit (holistic validation).
+   *
+   * This validates:
+   * - Permit schema (shape + invariants)
+   * - Permit is signed
+   * - Permit is not expired
+   *
+   * For schema-only validation, use `validateSchema(permit)`.
+   */
+  validate: (permit) => {
+    const validated = PermitUtils.validateSchema(permit);
+    ValidationUtils.assertSignedAndNotExpired(validated);
+    return validated;
+  },
+  /**
+   * Get the permission object from a permit (for use in contracts)
+   */
+  getPermission: (permit, skipValidation = false) => {
+    if (!skipValidation) {
+      PermitUtils.validateSchema(permit);
+    }
+    return {
+      issuer: permit.issuer,
+      expiration: permit.expiration,
+      recipient: permit.recipient,
+      validatorId: permit.validatorId,
+      validatorContract: permit.validatorContract,
+      sealingKey: `0x${permit.sealingPair.publicKey}`,
+      issuerSignature: permit.issuerSignature,
+      recipientSignature: permit.recipientSignature
+    };
+  },
+  /**
+   * Get a stable hash for the permit (used as key in storage)
+   */
+  getHash: (permit) => {
+    const data = JSON.stringify({
+      type: permit.type,
+      issuer: permit.issuer,
+      expiration: permit.expiration,
+      recipient: permit.recipient,
+      validatorId: permit.validatorId,
+      validatorContract: permit.validatorContract
+    });
+    return viem.keccak256(viem.toHex(data));
+  },
+  /**
+   * Export permit data for sharing (removes sensitive fields)
+   */
+  export: (permit) => {
+    const cleanedPermit = {
+      name: permit.name,
+      type: permit.type,
+      issuer: permit.issuer,
+      expiration: permit.expiration
+    };
+    if (permit.recipient !== viem.zeroAddress)
+      cleanedPermit.recipient = permit.recipient;
+    if (permit.validatorId !== 0)
+      cleanedPermit.validatorId = permit.validatorId;
+    if (permit.validatorContract !== viem.zeroAddress)
+      cleanedPermit.validatorContract = permit.validatorContract;
+    if (permit.type === "sharing" && permit.issuerSignature !== "0x")
+      cleanedPermit.issuerSignature = permit.issuerSignature;
+    return JSON.stringify(cleanedPermit, void 0, 2);
+  },
+  /**
+   * Unseal encrypted data using the permit's sealing key
+   */
+  unseal: (permit, ciphertext) => {
+    return permit.sealingPair.unseal(ciphertext);
+  },
+  /**
+   * Check if permit is expired
+   */
+  isExpired: (permit) => {
+    return ValidationUtils.isExpired(permit);
+  },
+  /**
+   * Check if permit is signed
+   */
+  isSigned: (permit) => {
+    return ValidationUtils.isSigned(permit);
+  },
+  /**
+   * Check if permit is signed and not expired
+   */
+  isSignedAndNotExpired: (permit) => {
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  },
+  /**
+   * Assert that permit is signed and not expired
+   */
+  assertSignedAndNotExpired: (permit) => {
+    return ValidationUtils.assertSignedAndNotExpired(permit);
+  },
+  isValid: (permit) => {
+    return ValidationUtils.isValid(permit);
+  },
+  /**
+   * Update permit name (returns new permit instance)
+   */
+  updateName: (permit, name) => {
+    return { ...permit, name };
+  },
+  /**
+   * Fetch EIP712 domain from the blockchain
+   */
+  fetchEIP712Domain: async (publicClient) => {
+    return getAclEIP712Domain(publicClient);
+  },
+  /**
+   * Check if permit's signed domain matches the provided domain
+   */
+  matchesDomain: (permit, domain) => {
+    return permit._signedDomain?.name === domain.name && permit._signedDomain?.version === domain.version && permit._signedDomain?.verifyingContract === domain.verifyingContract && permit._signedDomain?.chainId === domain.chainId;
+  },
+  /**
+   * Check if permit's signed domain is valid for the current chain
+   */
+  checkSignedDomainValid: async (permit, publicClient) => {
+    if (permit._signedDomain == null)
+      return false;
+    const domain = await getAclEIP712Domain(publicClient);
+    return PermitUtils.matchesDomain(permit, domain);
+  },
+  /**
+   * Check if permit passes the on-chain validation
+   */
+  checkValidityOnChain: async (permit, publicClient) => {
+    const permission = PermitUtils.getPermission(permit);
+    return checkPermitValidityOnChain(permission, publicClient);
+  }
+};
+var PERMIT_STORE_DEFAULTS = {
+  permits: {},
+  activePermitHash: {}
+};
+var _permitStore = vanilla.createStore()(
+  middleware.persist(() => PERMIT_STORE_DEFAULTS, { name: "cofhesdk-permits" })
+);
+var clearStaleStore = () => {
+  const state = _permitStore.getState();
+  const hasExpectedStructure = state && typeof state === "object" && "permits" in state && "activePermitHash" in state && typeof state.permits === "object" && typeof state.activePermitHash === "object";
+  if (hasExpectedStructure)
+    return;
+  _permitStore.setState({ permits: {}, activePermitHash: {} });
+};
+var getPermit = (chainId, account, hash) => {
+  clearStaleStore();
+  if (chainId == null || account == null || hash == null)
+    return;
+  const savedPermit = _permitStore.getState().permits[chainId]?.[account]?.[hash];
+  if (savedPermit == null)
+    return;
+  return PermitUtils.deserialize(savedPermit);
+};
+var getActivePermit = (chainId, account) => {
+  clearStaleStore();
+  if (chainId == null || account == null)
+    return;
+  const activePermitHash = _permitStore.getState().activePermitHash[chainId]?.[account];
+  return getPermit(chainId, account, activePermitHash);
+};
+var getPermits = (chainId, account) => {
+  clearStaleStore();
+  if (chainId == null || account == null)
+    return {};
+  return Object.entries(_permitStore.getState().permits[chainId]?.[account] ?? {}).reduce(
+    (acc, [hash, permit]) => {
+      if (permit == void 0)
+        return acc;
+      return { ...acc, [hash]: PermitUtils.deserialize(permit) };
+    },
+    {}
+  );
+};
+var setPermit = (chainId, account, permit) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.permits[chainId] == null)
+        state.permits[chainId] = {};
+      if (state.permits[chainId][account] == null)
+        state.permits[chainId][account] = {};
+      state.permits[chainId][account][permit.hash] = PermitUtils.serialize(permit);
+    })
+  );
+};
+var removePermit = (chainId, account, hash) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.permits[chainId] == null)
+        state.permits[chainId] = {};
+      if (state.activePermitHash[chainId] == null)
+        state.activePermitHash[chainId] = {};
+      const accountPermits = state.permits[chainId][account];
+      if (accountPermits == null)
+        return;
+      if (accountPermits[hash] == null)
+        return;
+      if (state.activePermitHash[chainId][account] === hash) {
+        state.activePermitHash[chainId][account] = void 0;
+      }
+      accountPermits[hash] = void 0;
+    })
+  );
+};
+var getActivePermitHash = (chainId, account) => {
+  clearStaleStore();
+  if (chainId == null || account == null)
+    return void 0;
+  return _permitStore.getState().activePermitHash[chainId]?.[account];
+};
+var setActivePermitHash = (chainId, account, hash) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.activePermitHash[chainId] == null)
+        state.activePermitHash[chainId] = {};
+      state.activePermitHash[chainId][account] = hash;
+    })
+  );
+};
+var removeActivePermitHash = (chainId, account) => {
+  clearStaleStore();
+  _permitStore.setState(
+    immer.produce((state) => {
+      if (state.activePermitHash[chainId])
+        state.activePermitHash[chainId][account] = void 0;
+    })
+  );
+};
+var resetStore = () => {
+  clearStaleStore();
+  _permitStore.setState({ permits: {}, activePermitHash: {} });
+};
+var permitStore = {
+  store: _permitStore,
+  getPermit,
+  getActivePermit,
+  getPermits,
+  setPermit,
+  removePermit,
+  getActivePermitHash,
+  setActivePermitHash,
+  removeActivePermitHash,
+  resetStore
+};
+var storeActivePermit = async (permit, publicClient, walletClient) => {
+  const chainId = await publicClient.getChainId();
+  const account = walletClient.account.address;
+  permitStore.setPermit(chainId, account, permit);
+  permitStore.setActivePermitHash(chainId, account, permit.hash);
+};
+var createPermitWithSign = async (options, publicClient, walletClient, permitMethod) => {
+  const permit = await permitMethod(options, publicClient, walletClient);
+  await storeActivePermit(permit, publicClient, walletClient);
+  return permit;
+};
+var createSelf = async (options, publicClient, walletClient) => {
+  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.createSelfAndSign);
+};
+var createSharing = async (options, publicClient, walletClient) => {
+  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.createSharingAndSign);
+};
+var importShared = async (options, publicClient, walletClient) => {
+  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.importSharedAndSign);
+};
+var getHash = (permit) => {
+  return PermitUtils.getHash(permit);
+};
+var serialize = (permit) => {
+  return PermitUtils.serialize(permit);
+};
+var deserialize = (serialized) => {
+  return PermitUtils.deserialize(serialized);
+};
+var getPermit2 = (chainId, account, hash) => {
+  return permitStore.getPermit(chainId, account, hash);
+};
+var getPermits2 = (chainId, account) => {
+  return permitStore.getPermits(chainId, account);
+};
+var getActivePermit2 = (chainId, account) => {
+  return permitStore.getActivePermit(chainId, account);
+};
+var getActivePermitHash2 = (chainId, account) => {
+  return permitStore.getActivePermitHash(chainId, account);
+};
+var selectActivePermit = (chainId, account, hash) => {
+  permitStore.setActivePermitHash(chainId, account, hash);
+};
+var getOrCreateSelfPermit = async (publicClient, walletClient, chainId, account, options) => {
+  const _chainId = chainId ?? await publicClient.getChainId();
+  const _account = account ?? walletClient.account.address;
+  const activePermit = await getActivePermit2(_chainId, _account);
+  if (activePermit && activePermit.type === "self") {
+    return activePermit;
+  }
+  return createSelf(options ?? { issuer: _account, name: "Autogenerated Self Permit" }, publicClient, walletClient);
+};
+var getOrCreateSharingPermit = async (publicClient, walletClient, options, chainId, account) => {
+  const _chainId = chainId ?? await publicClient.getChainId();
+  const _account = account ?? walletClient.account.address;
+  const activePermit = await getActivePermit2(_chainId, _account);
+  if (activePermit && activePermit.type === "sharing") {
+    return activePermit;
+  }
+  return createSharing(options, publicClient, walletClient);
+};
+var removePermit2 = async (chainId, account, hash) => permitStore.removePermit(chainId, account, hash);
+var removeActivePermit = async (chainId, account) => permitStore.removeActivePermitHash(chainId, account);
+var permits = {
+  getSnapshot: permitStore.store.getState,
+  subscribe: permitStore.store.subscribe,
+  createSelf,
+  createSharing,
+  importShared,
+  getOrCreateSelfPermit,
+  getOrCreateSharingPermit,
+  getHash,
+  serialize,
+  deserialize,
+  getPermit: getPermit2,
+  getPermits: getPermits2,
+  getActivePermit: getActivePermit2,
+  getActivePermitHash: getActivePermitHash2,
+  removePermit: removePermit2,
+  selectActivePermit,
+  removeActivePermit
+};
+function uint160ToAddress(uint160) {
+  const hexStr = uint160.toString(16).padStart(40, "0");
+  return viem.getAddress("0x" + hexStr);
+}
+var isValidUtype = (utype) => {
+  return utype === 0 /* Bool */ || utype === 7 /* Uint160 */ || utype == null || FheUintUTypes.includes(utype);
+};
+var convertViaUtype = (utype, value) => {
+  if (utype === 0 /* Bool */) {
+    return !!value;
+  } else if (utype === 7 /* Uint160 */) {
+    return uint160ToAddress(value);
+  } else if (utype == null || FheUintUTypes.includes(utype)) {
+    return value;
+  } else {
+    throw new Error(`convertViaUtype :: invalid utype :: ${utype}`);
+  }
+};
+
+// core/decrypt/MockThresholdNetworkAbi.ts
+var MockThresholdNetworkAbi = [
+  {
+    type: "function",
+    name: "acl",
+    inputs: [],
+    outputs: [{ name: "", type: "address", internalType: "contract ACL" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "decodeLowLevelReversion",
+    inputs: [{ name: "data", type: "bytes", internalType: "bytes" }],
+    outputs: [{ name: "error", type: "string", internalType: "string" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "exists",
+    inputs: [],
+    outputs: [{ name: "", type: "bool", internalType: "bool" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "initialize",
+    inputs: [
+      { name: "_taskManager", type: "address", internalType: "address" },
+      { name: "_acl", type: "address", internalType: "address" }
+    ],
+    outputs: [],
+    stateMutability: "nonpayable"
+  },
+  {
+    type: "function",
+    name: "queryDecrypt",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "", type: "uint256", internalType: "uint256" },
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          { name: "issuer", type: "address", internalType: "address" },
+          { name: "expiration", type: "uint64", internalType: "uint64" },
+          { name: "recipient", type: "address", internalType: "address" },
+          { name: "validatorId", type: "uint256", internalType: "uint256" },
+          { name: "validatorContract", type: "address", internalType: "address" },
+          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
+          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
+          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "querySealOutput",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "", type: "uint256", internalType: "uint256" },
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          { name: "issuer", type: "address", internalType: "address" },
+          { name: "expiration", type: "uint64", internalType: "uint64" },
+          { name: "recipient", type: "address", internalType: "address" },
+          { name: "validatorId", type: "uint256", internalType: "uint256" },
+          { name: "validatorContract", type: "address", internalType: "address" },
+          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
+          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
+          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "", type: "bytes32", internalType: "bytes32" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "seal",
+    inputs: [
+      { name: "input", type: "uint256", internalType: "uint256" },
+      { name: "key", type: "bytes32", internalType: "bytes32" }
+    ],
+    outputs: [{ name: "", type: "bytes32", internalType: "bytes32" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "unseal",
+    inputs: [
+      { name: "hashed", type: "bytes32", internalType: "bytes32" },
+      { name: "key", type: "bytes32", internalType: "bytes32" }
+    ],
+    outputs: [{ name: "", type: "uint256", internalType: "uint256" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "mockAcl",
+    inputs: [],
+    outputs: [{ name: "", type: "address", internalType: "contract MockACL" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "mockTaskManager",
+    inputs: [],
+    outputs: [{ name: "", type: "address", internalType: "contract MockTaskManager" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "mockQueryDecrypt",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "", type: "uint256", internalType: "uint256" },
+      { name: "issuer", type: "address", internalType: "address" }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "decryptForTxWithPermit",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          { name: "issuer", type: "address", internalType: "address" },
+          { name: "expiration", type: "uint64", internalType: "uint64" },
+          { name: "recipient", type: "address", internalType: "address" },
+          { name: "validatorId", type: "uint256", internalType: "uint256" },
+          { name: "validatorContract", type: "address", internalType: "address" },
+          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
+          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
+          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "decryptedValue", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "decryptForTxWithoutPermit",
+    inputs: [{ name: "ctHash", type: "uint256", internalType: "uint256" }],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "decryptedValue", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  }
+];
+
+// core/decrypt/cofheMocksDecryptForView.ts
+async function cofheMocksDecryptForView(ctHash, utype, permit, publicClient) {
+  const permission = PermitUtils.getPermission(permit, true);
+  const permissionWithBigInts = {
+    ...permission,
+    expiration: BigInt(permission.expiration),
+    validatorId: BigInt(permission.validatorId)
+  };
+  const [allowed, error, result] = await publicClient.readContract({
+    address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+    abi: MockThresholdNetworkAbi,
+    functionName: "querySealOutput",
+    args: [BigInt(ctHash), BigInt(utype), permissionWithBigInts]
+  });
+  if (error != "") {
+    throw new CofheError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `mocks querySealOutput call failed: ${error}`
+    });
+  }
+  if (allowed == false) {
+    throw new CofheError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `mocks querySealOutput call failed: ACL Access Denied (NotAllowed)`
+    });
+  }
+  const sealedBigInt = BigInt(result);
+  const sealingKeyBigInt = BigInt(permission.sealingKey);
+  const unsealed = sealedBigInt ^ sealingKeyBigInt;
+  return unsealed;
+}
+
+// core/decrypt/polling.ts
+function computeMinuteRampPollIntervalMs(elapsedMs, params) {
+  const elapsedSeconds = Math.floor(elapsedMs / 1e3);
+  const intervalSeconds = 1 + Math.floor(elapsedSeconds / 60);
+  const intervalMs = intervalSeconds * 1e3;
+  return Math.min(params.maxIntervalMs, Math.max(params.minIntervalMs, intervalMs));
+}
+
+// core/decrypt/tnSealOutputV2.ts
+var POLL_INTERVAL_MS = 1e3;
+var POLL_MAX_INTERVAL_MS = 1e4;
+var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+function numberArrayToUint8Array(arr) {
+  return new Uint8Array(arr);
+}
+function convertSealedData(sealed) {
+  if (!sealed) {
+    throw new CofheError({
+      code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
+      message: "Sealed data is missing from completed response"
+    });
+  }
+  return {
+    data: numberArrayToUint8Array(sealed.data),
+    public_key: numberArrayToUint8Array(sealed.public_key),
+    nonce: numberArrayToUint8Array(sealed.nonce)
+  };
+}
+async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission) {
+  const body = {
+    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
+    host_chain_id: chainId,
+    permit: permission
+  };
+  let response;
+  try {
+    response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+  } catch (e) {
+    throw new CofheError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `sealOutput request failed`,
+      hint: "Ensure the threshold network URL is valid and reachable.",
+      cause: e instanceof Error ? e : void 0,
+      context: {
+        thresholdNetworkUrl,
+        body
+      }
+    });
+  }
+  if (!response.ok) {
+    let errorMessage = `HTTP ${response.status}`;
+    try {
+      const errorBody = await response.json();
+      errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+    } catch {
+      errorMessage = response.statusText || errorMessage;
+    }
+    throw new CofheError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `sealOutput request failed: ${errorMessage}`,
+      hint: "Check the threshold network URL and request parameters.",
+      context: {
+        thresholdNetworkUrl,
+        status: response.status,
+        statusText: response.statusText,
+        body
+      }
+    });
+  }
+  let submitResponse;
+  try {
+    submitResponse = await response.json();
+  } catch (e) {
+    throw new CofheError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `Failed to parse sealOutput submit response`,
+      cause: e instanceof Error ? e : void 0,
+      context: {
+        thresholdNetworkUrl,
+        body
+      }
+    });
+  }
+  if (!submitResponse.request_id) {
+    throw new CofheError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `sealOutput submit response missing request_id`,
+      context: {
+        thresholdNetworkUrl,
+        body,
+        submitResponse
+      }
+    });
+  }
+  return submitResponse.request_id;
+}
+async function pollSealOutputStatus(thresholdNetworkUrl, requestId, onPoll) {
+  const startTime = Date.now();
+  let attemptIndex = 0;
+  let completed = false;
+  while (!completed) {
+    const elapsedMs = Date.now() - startTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS
+    });
+    onPoll?.({
+      operation: "sealoutput",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: POLL_TIMEOUT_MS
+    });
+    if (elapsedMs > POLL_TIMEOUT_MS) {
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput polling timed out after ${POLL_TIMEOUT_MS}ms`,
+        hint: "The request may still be processing. Try again later.",
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          timeoutMs: POLL_TIMEOUT_MS
+        }
+      });
+    }
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput/${requestId}`, {
+        method: "GET",
+        headers: {
+          "Content-Type": "application/json"
+        }
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput status poll failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (response.status === 404) {
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request not found: ${requestId}`,
+        hint: "The request may have expired or been invalid.",
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput status poll failed: ${errorMessage}`,
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          status: response.status,
+          statusText: response.statusText
+        }
+      });
+    }
+    let statusResponse;
+    try {
+      statusResponse = await response.json();
+    } catch (e) {
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `Failed to parse sealOutput status response`,
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (statusResponse.status === "COMPLETED") {
+      if (statusResponse.is_succeed === false) {
+        const errorMessage = statusResponse.error_message || "Unknown error";
+        throw new CofheError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `sealOutput request failed: ${errorMessage}`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse
+          }
+        });
+      }
+      if (!statusResponse.sealed) {
+        throw new CofheError({
+          code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
+          message: `sealOutput request completed but returned no sealed data`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse
+          }
+        });
+      }
+      return convertSealedData(statusResponse.sealed);
+    }
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
+  }
+  throw new CofheError({
+    code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+    message: "Polling loop exited unexpectedly",
+    context: {
+      thresholdNetworkUrl,
+      requestId
+    }
+  });
+}
+async function tnSealOutputV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const requestId = await submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission);
+  return await pollSealOutputStatus(thresholdNetworkUrl, requestId, onPoll);
+}
+
+// core/decrypt/decryptForViewBuilder.ts
+var DecryptForViewBuilder = class extends BaseBuilder {
+  ctHash;
+  utype;
+  permitHash;
+  permit;
+  pollCallback;
+  constructor(params) {
+    super({
+      config: params.config,
+      publicClient: params.publicClient,
+      walletClient: params.walletClient,
+      chainId: params.chainId,
+      account: params.account,
+      requireConnected: params.requireConnected
+    });
+    this.ctHash = params.ctHash;
+    this.utype = params.utype;
+    this.permitHash = params.permitHash;
+    this.permit = params.permit;
+  }
+  /**
+   * @param chainId - Chain to decrypt values from. Used to fetch the threshold network URL and use the correct permit.
+   *
+   * If not provided, the chainId will be fetched from the connected publicClient.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await client.decryptForView(ctHash, utype)
+   *   .setChainId(11155111)
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable DecryptForViewBuilder instance.
+   */
+  setChainId(chainId) {
+    this.chainId = chainId;
+    return this;
+  }
+  getChainId() {
+    return this.chainId;
+  }
+  /**
+   * @param account - Account to decrypt values from. Used to fetch the correct permit.
+   *
+   * If not provided, the account will be fetched from the connected walletClient.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await client.decryptForView(ctHash, utype)
+   *   .setAccount('0x1234567890123456789012345678901234567890')
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable DecryptForViewBuilder instance.
+   */
+  setAccount(account) {
+    this.account = account;
+    return this;
+  }
+  getAccount() {
+    return this.account;
+  }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
+  withPermit(permitOrPermitHash) {
+    if (typeof permitOrPermitHash === "string") {
+      this.permitHash = permitOrPermitHash;
+      this.permit = void 0;
+    } else if (permitOrPermitHash === void 0) {
+      this.permitHash = void 0;
+      this.permit = void 0;
+    } else {
+      this.permit = permitOrPermitHash;
+      this.permitHash = void 0;
+    }
+    return this;
+  }
+  /**
+   * @param permitHash - Permit hash to decrypt values from. Used to fetch the correct permit.
+   *
+   * If not provided, the active permit for the chainId and account will be used.
+   * If `setPermit()` is called, it will be used regardless of chainId, account, or permitHash.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await client.decryptForView(ctHash, utype)
+   *   .setPermitHash('0x1234567890123456789012345678901234567890')
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable DecryptForViewBuilder instance.
+   */
+  /** @deprecated Use `withPermit(permitHash)` instead. */
+  setPermitHash(permitHash) {
+    return this.withPermit(permitHash);
+  }
+  getPermitHash() {
+    return this.permitHash;
+  }
+  /**
+   * @param permit - Permit to decrypt values with. If provided, it will be used regardless of chainId, account, or permitHash.
+   *
+   * If not provided, the permit will be determined by chainId, account, and permitHash.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await client.decryptForView(ctHash, utype)
+   *   .setPermit(permit)
+   *   .execute();
+   * ```
+   *
+   * @returns The chainable DecryptForViewBuilder instance.
+   */
+  /** @deprecated Use `withPermit(permit)` instead. */
+  setPermit(permit) {
+    return this.withPermit(permit);
+  }
+  getPermit() {
+    return this.permit;
+  }
+  async getThresholdNetworkUrl() {
+    this.assertChainId();
+    return getThresholdNetworkUrlOrThrow(this.config, this.chainId);
+  }
+  validateUtypeOrThrow() {
+    if (!isValidUtype(this.utype))
+      throw new CofheError({
+        code: "INVALID_UTYPE" /* InvalidUtype */,
+        message: `Invalid utype to decrypt to`,
+        context: {
+          utype: this.utype
+        }
+      });
+  }
+  async getResolvedPermit() {
+    if (this.permit)
+      return this.permit;
+    this.assertChainId();
+    this.assertAccount();
+    if (this.permitHash) {
+      const permit2 = await permits.getPermit(this.chainId, this.account, this.permitHash);
+      if (!permit2) {
+        throw new CofheError({
+          code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+          message: `Permit with hash <${this.permitHash}> not found for account <${this.account}> and chainId <${this.chainId}>`,
+          hint: "Ensure the permit exists and is valid.",
+          context: {
+            chainId: this.chainId,
+            account: this.account,
+            permitHash: this.permitHash
+          }
+        });
+      }
+      return permit2;
+    }
+    const permit = await permits.getActivePermit(this.chainId, this.account);
+    if (!permit) {
+      throw new CofheError({
+        code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+        message: `Active permit not found for chainId <${this.chainId}> and account <${this.account}>`,
+        hint: "Ensure a permit exists for this account on this chain.",
+        context: {
+          chainId: this.chainId,
+          account: this.account
+        }
+      });
+    }
+    return permit;
+  }
+  /**
+   * On hardhat, interact with MockZkVerifier contract instead of CoFHE
+   */
+  async mocksSealOutput(permit) {
+    this.assertPublicClient();
+    const mocksDecryptDelay = this.config.mocks.decryptDelay;
+    if (mocksDecryptDelay > 0)
+      await sleep(mocksDecryptDelay);
+    return cofheMocksDecryptForView(this.ctHash, this.utype, permit, this.publicClient);
+  }
+  /**
+   * In the production context, perform a true decryption with the CoFHE coprocessor.
+   */
+  async productionSealOutput(permit) {
+    this.assertChainId();
+    this.assertPublicClient();
+    const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
+    const permission = PermitUtils.getPermission(permit, true);
+    const sealed = await tnSealOutputV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
+    return PermitUtils.unseal(permit, sealed);
+  }
+  /**
+   * Final step of the decryption process. MUST BE CALLED LAST IN THE CHAIN.
+   *
+   * This will:
+   * - Use a permit based on provided permit OR chainId + account + permitHash
+   * - Check permit validity
+   * - Call CoFHE `/sealoutput` with the permit, which returns a sealed (encrypted) item
+   * - Unseal the sealed item with the permit
+   * - Return the unsealed item
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await client.decryptForView(ctHash, utype)
+   *   .setChainId(11155111)      // optional
+   *   .setAccount('0x123...890') // optional
+   *   .withPermit()              // optional
+   *   .execute();                // execute
+   * ```
+   *
+   * @returns The unsealed item.
+   */
+  async execute() {
+    this.validateUtypeOrThrow();
+    const permit = await this.getResolvedPermit();
+    PermitUtils.validate(permit);
+    const chainId = permit._signedDomain.chainId;
+    let unsealed;
+    if (chainId === hardhat2.id) {
+      unsealed = await this.mocksSealOutput(permit);
+    } else {
+      unsealed = await this.productionSealOutput(permit);
+    }
+    return convertViaUtype(this.utype, unsealed);
+  }
+};
+async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
+  let allowed;
+  let error;
+  let decryptedValue;
+  if (permit !== null) {
+    let permission = PermitUtils.getPermission(permit, true);
+    const permissionWithBigInts = {
+      ...permission,
+      expiration: BigInt(permission.expiration),
+      validatorId: BigInt(permission.validatorId)
+    };
+    [allowed, error, decryptedValue] = await publicClient.readContract({
+      address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+      abi: MockThresholdNetworkAbi,
+      functionName: "decryptForTxWithPermit",
+      args: [BigInt(ctHash), permissionWithBigInts]
+    });
+  } else {
+    [allowed, error, decryptedValue] = await publicClient.readContract({
+      address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+      abi: MockThresholdNetworkAbi,
+      functionName: "decryptForTxWithoutPermit",
+      args: [BigInt(ctHash)]
+    });
+  }
+  if (error != "") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `mocks decryptForTx call failed: ${error}`
+    });
+  }
+  if (allowed == false) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`
+    });
+  }
+  const packed = viem.encodePacked(["uint256", "uint256"], [BigInt(ctHash), decryptedValue]);
+  const messageHash = viem.keccak256(packed);
+  const signature = await accounts.sign({
+    hash: messageHash,
+    privateKey: MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY,
+    to: "hex"
+  });
+  return {
+    ctHash,
+    decryptedValue,
+    signature
+  };
+}
+function normalizeTnSignature(signature) {
+  if (typeof signature !== "string") {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response missing signature",
+      context: {
+        signature
+      }
+    });
+  }
+  const trimmed = signature.trim();
+  if (trimmed.length === 0) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response returned empty signature"
+    });
+  }
+  const prefixed = trimmed.startsWith("0x") ? trimmed : `0x${trimmed}`;
+  const parsed = viem.parseSignature(prefixed);
+  return viem.serializeSignature(parsed);
+}
+function parseDecryptedBytesToBigInt(decrypted) {
+  if (!Array.isArray(decrypted)) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response field <decrypted> must be a byte array",
+      context: {
+        decrypted
+      }
+    });
+  }
+  if (decrypted.length === 0) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response field <decrypted> was an empty byte array",
+      context: {
+        decrypted
+      }
+    });
+  }
+  let hex = "";
+  for (const b of decrypted) {
+    if (typeof b !== "number" || !Number.isInteger(b) || b < 0 || b > 255) {
+      throw new CofheError({
+        code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+        message: "decrypt response field <decrypted> contained a non-byte value",
+        context: {
+          badElement: b,
+          decrypted
+        }
+      });
+    }
+    hex += b.toString(16).padStart(2, "0");
+  }
+  return BigInt(`0x${hex}`);
+}
+
+// core/decrypt/tnDecryptV2.ts
+var POLL_INTERVAL_MS2 = 1e3;
+var POLL_MAX_INTERVAL_MS2 = 1e4;
+var POLL_TIMEOUT_MS2 = 5 * 60 * 1e3;
+function assertDecryptSubmitResponseV2(value) {
+  if (value == null || typeof value !== "object") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt submit response must be a JSON object",
+      context: {
+        value
+      }
+    });
+  }
+  const v = value;
+  if (typeof v.request_id !== "string" || v.request_id.trim().length === 0) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt submit response missing request_id",
+      context: {
+        value
+      }
+    });
+  }
+  return { request_id: v.request_id };
+}
+function assertDecryptStatusResponseV2(value) {
+  if (value == null || typeof value !== "object") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt status response must be a JSON object",
+      context: {
+        value
+      }
+    });
+  }
+  const v = value;
+  const requestId = v.request_id;
+  const status = v.status;
+  const submittedAt = v.submitted_at;
+  if (typeof requestId !== "string" || requestId.trim().length === 0) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt status response missing request_id",
+      context: {
+        value
+      }
+    });
+  }
+  if (status !== "PROCESSING" && status !== "COMPLETED") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt status response has invalid status",
+      context: {
+        value,
+        status
+      }
+    });
+  }
+  if (typeof submittedAt !== "string" || submittedAt.trim().length === 0) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt status response missing submitted_at",
+      context: {
+        value
+      }
+    });
+  }
+  return value;
+}
+async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission) {
+  const body = {
+    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
+    host_chain_id: chainId
+  };
+  if (permission) {
+    body.permit = permission;
+  }
+  let response;
+  try {
+    response = await fetch(`${thresholdNetworkUrl}/v2/decrypt`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+  } catch (e) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed`,
+      hint: "Ensure the threshold network URL is valid and reachable.",
+      cause: e instanceof Error ? e : void 0,
+      context: {
+        thresholdNetworkUrl,
+        body
+      }
+    });
+  }
+  if (!response.ok) {
+    let errorMessage = `HTTP ${response.status}`;
+    try {
+      const errorBody = await response.json();
+      const maybeMessage = errorBody.error_message || errorBody.message;
+      if (typeof maybeMessage === "string" && maybeMessage.length > 0)
+        errorMessage = maybeMessage;
+    } catch {
+      errorMessage = response.statusText || errorMessage;
+    }
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${errorMessage}`,
+      hint: "Check the threshold network URL and request parameters.",
+      context: {
+        thresholdNetworkUrl,
+        status: response.status,
+        statusText: response.statusText,
+        body
+      }
+    });
+  }
+  let rawJson;
+  try {
+    rawJson = await response.json();
+  } catch (e) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `Failed to parse decrypt submit response`,
+      cause: e instanceof Error ? e : void 0,
+      context: {
+        thresholdNetworkUrl,
+        body
+      }
+    });
+  }
+  const submitResponse = assertDecryptSubmitResponseV2(rawJson);
+  return submitResponse.request_id;
+}
+async function pollDecryptStatusV2(thresholdNetworkUrl, requestId, onPoll) {
+  const startTime = Date.now();
+  let attemptIndex = 0;
+  let completed = false;
+  while (!completed) {
+    const elapsedMs = Date.now() - startTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS2,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS2
+    });
+    onPoll?.({
+      operation: "decrypt",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: POLL_TIMEOUT_MS2
+    });
+    if (elapsedMs > POLL_TIMEOUT_MS2) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt polling timed out after ${POLL_TIMEOUT_MS2}ms`,
+        hint: "The request may still be processing. Try again later.",
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          timeoutMs: POLL_TIMEOUT_MS2
+        }
+      });
+    }
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/decrypt/${requestId}`, {
+        method: "GET",
+        headers: {
+          "Content-Type": "application/json"
+        }
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt status poll failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (response.status === 404) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request not found: ${requestId}`,
+        hint: "The request may have expired or been invalid.",
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        const maybeMessage = errorBody.error_message || errorBody.message;
+        if (typeof maybeMessage === "string" && maybeMessage.length > 0)
+          errorMessage = maybeMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt status poll failed: ${errorMessage}`,
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          status: response.status,
+          statusText: response.statusText
+        }
+      });
+    }
+    let rawJson;
+    try {
+      rawJson = await response.json();
+    } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `Failed to parse decrypt status response`,
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    const statusResponse = assertDecryptStatusResponseV2(rawJson);
+    if (statusResponse.status === "COMPLETED") {
+      if (statusResponse.is_succeed === false) {
+        const errorMessage = statusResponse.error_message || "Unknown error";
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `decrypt request failed: ${errorMessage}`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse
+          }
+        });
+      }
+      if (statusResponse.error_message) {
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `decrypt request failed: ${statusResponse.error_message}`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse
+          }
+        });
+      }
+      if (!Array.isArray(statusResponse.decrypted)) {
+        throw new CofheError({
+          code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+          message: "decrypt completed but response missing <decrypted> byte array",
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse
+          }
+        });
+      }
+      const decryptedValue = parseDecryptedBytesToBigInt(statusResponse.decrypted);
+      const signature = normalizeTnSignature(statusResponse.signature);
+      return { decryptedValue, signature };
+    }
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
+  }
+  throw new CofheError({
+    code: "DECRYPT_FAILED" /* DecryptFailed */,
+    message: "Polling loop exited unexpectedly",
+    context: {
+      thresholdNetworkUrl,
+      requestId
+    }
+  });
+}
+async function tnDecryptV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const requestId = await submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission);
+  return await pollDecryptStatusV2(thresholdNetworkUrl, requestId, onPoll);
+}
+
+// core/decrypt/decryptForTxBuilder.ts
+var DecryptForTxBuilder = class extends BaseBuilder {
+  ctHash;
+  permitHash;
+  permit;
+  permitSelection = "unset";
+  pollCallback;
+  constructor(params) {
+    super({
+      config: params.config,
+      publicClient: params.publicClient,
+      walletClient: params.walletClient,
+      chainId: params.chainId,
+      account: params.account,
+      requireConnected: params.requireConnected
+    });
+    this.ctHash = params.ctHash;
+  }
+  setChainId(chainId) {
+    this.chainId = chainId;
+    return this;
+  }
+  getChainId() {
+    return this.chainId;
+  }
+  setAccount(account) {
+    this.account = account;
+    return this;
+  }
+  getAccount() {
+    return this.account;
+  }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
+  withPermit(permitOrPermitHash) {
+    if (this.permitSelection === "with-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: withPermit() can only be selected once.",
+        hint: "Choose the permit mode once. If you need a different permit, start a new decryptForTx() builder chain."
+      });
+    }
+    if (this.permitSelection === "without-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: cannot call withPermit() after withoutPermit() has been selected.",
+        hint: "Choose exactly one permit mode: either call .withPermit(...) or .withoutPermit(), but not both."
+      });
+    }
+    this.permitSelection = "with-permit";
+    if (typeof permitOrPermitHash === "string") {
+      this.permitHash = permitOrPermitHash;
+      this.permit = void 0;
+    } else if (permitOrPermitHash === void 0) {
+      this.permitHash = void 0;
+      this.permit = void 0;
+    } else {
+      this.permit = permitOrPermitHash;
+      this.permitHash = void 0;
+    }
+    return this;
+  }
+  /**
+   * Select "no permit" mode.
+   *
+   * This uses global allowance (no permit required) and sends an empty permission payload to `/decrypt`.
+   */
+  withoutPermit() {
+    if (this.permitSelection === "without-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: withoutPermit() can only be selected once.",
+        hint: "Choose the permit mode once. If you need a different mode, start a new decryptForTx() builder chain."
+      });
+    }
+    if (this.permitSelection === "with-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: cannot call withoutPermit() after withPermit() has been selected.",
+        hint: "Choose exactly one permit mode: either call .withPermit(...) or .withoutPermit(), but not both."
+      });
+    }
+    this.permitSelection = "without-permit";
+    this.permitHash = void 0;
+    this.permit = void 0;
+    return this;
+  }
+  getPermit() {
+    return this.permit;
+  }
+  getPermitHash() {
+    return this.permitHash;
+  }
+  async getThresholdNetworkUrl() {
+    this.assertChainId();
+    return getThresholdNetworkUrlOrThrow(this.config, this.chainId);
+  }
+  async getResolvedPermit() {
+    if (this.permitSelection === "unset") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: missing permit selection; call withPermit(...) or withoutPermit() before execute().",
+        hint: "Call .withPermit() to use the active permit, or .withoutPermit() for global allowance."
+      });
+    }
+    if (this.permitSelection === "without-permit") {
+      return null;
+    }
+    if (this.permit)
+      return this.permit;
+    this.assertChainId();
+    this.assertAccount();
+    if (this.permitHash) {
+      const permit2 = await permits.getPermit(this.chainId, this.account, this.permitHash);
+      if (!permit2) {
+        throw new CofheError({
+          code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+          message: `Permit with hash <${this.permitHash}> not found for account <${this.account}> and chainId <${this.chainId}>`,
+          hint: "Ensure the permit exists and is valid.",
+          context: {
+            chainId: this.chainId,
+            account: this.account,
+            permitHash: this.permitHash
+          }
+        });
+      }
+      return permit2;
+    }
+    const permit = await permits.getActivePermit(this.chainId, this.account);
+    if (!permit) {
+      throw new CofheError({
+        code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+        message: `Active permit not found for chainId <${this.chainId}> and account <${this.account}>`,
+        hint: "Create a permit (e.g. client.permits.createSelf(...)) and/or set it active (client.permits.selectActivePermit(hash)).",
+        context: {
+          chainId: this.chainId,
+          account: this.account
+        }
+      });
+    }
+    return permit;
+  }
+  /**
+   * On hardhat, interact with MockThresholdNetwork contract
+   */
+  async mocksDecryptForTx(permit) {
+    this.assertPublicClient();
+    const delay = this.config.mocks.decryptDelay;
+    if (delay > 0)
+      await sleep(delay);
+    const result = await cofheMocksDecryptForTx(this.ctHash, 0, permit, this.publicClient);
+    return result;
+  }
+  /**
+   * In the production context, perform a true decryption with the CoFHE coprocessor.
+   */
+  async productionDecryptForTx(permit) {
+    this.assertChainId();
+    this.assertPublicClient();
+    const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
+    const permission = permit ? PermitUtils.getPermission(permit, true) : null;
+    const { decryptedValue, signature } = await tnDecryptV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
+    return {
+      ctHash: this.ctHash,
+      decryptedValue,
+      signature
+    };
+  }
+  /**
+   * Final step of the decryptForTx process. MUST BE CALLED LAST IN THE CHAIN.
+   *
+   * You must explicitly choose one permit mode before calling `execute()`:
+   * - `withPermit(permit)` / `withPermit(permitHash)` / `withPermit()` (active permit)
+   * - `withoutPermit()` (global allowance)
+   */
+  async execute() {
+    const permit = await this.getResolvedPermit();
+    if (permit !== null) {
+      PermitUtils.validate(permit);
+      const chainId = permit._signedDomain.chainId;
+      if (chainId === hardhat2.id) {
+        return await this.mocksDecryptForTx(permit);
+      } else {
+        return await this.productionDecryptForTx(permit);
+      }
+    } else {
+      if (!this.chainId) {
+        this.assertPublicClient();
+        this.chainId = await getPublicClientChainID(this.publicClient);
+      }
+      this.assertChainId();
+      if (this.chainId === hardhat2.id) {
+        return await this.mocksDecryptForTx(null);
+      } else {
+        return await this.productionDecryptForTx(null);
+      }
+    }
+  }
+};
+var decryptResultSignerAbi = viem.parseAbi(["function decryptResultSigner() view returns (address)"]);
+async function verifyDecryptResult(handle, cleartext, signature, publicClient) {
+  const expectedSigner = await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: decryptResultSignerAbi,
+    functionName: "decryptResultSigner",
+    args: []
+  });
+  if (viem.isAddressEqual(expectedSigner, viem.zeroAddress))
+    return true;
+  const ctHash = BigInt(handle);
+  const messageHash = viem.keccak256(viem.encodePacked(["uint256", "uint256"], [ctHash, cleartext]));
+  try {
+    const recovered = await viem.recoverAddress({ hash: messageHash, signature });
+    return viem.isAddressEqual(recovered, expectedSigner);
+  } catch {
+    return false;
+  }
+}
+
+// core/client.ts
+var InitialConnectStore = {
+  connected: false,
+  connecting: false,
+  connectError: void 0,
+  chainId: void 0,
+  account: void 0,
+  publicClient: void 0,
+  walletClient: void 0
+};
+function createCofheClientBase(opts) {
+  const keysStorage = createKeysStore(opts.config.fheKeyStorage);
+  const connectStore = vanilla.createStore(() => InitialConnectStore);
+  let connectAttemptId = 0;
+  const updateConnectState = (partial) => {
+    connectStore.setState((state) => ({ ...state, ...partial }));
+  };
+  const _requireConnected = () => {
+    const state = connectStore.getState();
+    const notConnected = !state.connected || !state.account || !state.chainId || !state.publicClient || !state.walletClient;
+    if (notConnected) {
+      throw new CofheError({
+        code: "NOT_CONNECTED" /* NotConnected */,
+        message: "Client must be connected, account and chainId must be initialized",
+        hint: "Ensure client.connect() has been called and awaited.",
+        context: {
+          connected: state.connected,
+          account: state.account,
+          chainId: state.chainId,
+          publicClient: state.publicClient,
+          walletClient: state.walletClient
+        }
+      });
+    }
+  };
+  async function connect(publicClient, walletClient) {
+    const state = connectStore.getState();
+    if (state.connected && state.publicClient === publicClient && state.walletClient === walletClient)
+      return;
+    connectAttemptId += 1;
+    const localAttemptId = connectAttemptId;
+    updateConnectState({
+      ...InitialConnectStore,
+      connecting: true
+    });
+    try {
+      const chainId = await getPublicClientChainID(publicClient);
+      const account = await getWalletClientAccount(walletClient);
+      if (localAttemptId !== connectAttemptId)
+        return;
+      updateConnectState({
+        connected: true,
+        connecting: false,
+        connectError: void 0,
+        chainId,
+        account,
+        publicClient,
+        walletClient
+      });
+    } catch (e) {
+      if (localAttemptId !== connectAttemptId)
+        return;
+      updateConnectState({
+        ...InitialConnectStore,
+        connectError: e
+      });
+      throw e;
+    }
+  }
+  function disconnect() {
+    connectAttemptId += 1;
+    updateConnectState({ ...InitialConnectStore });
+  }
+  function encryptInputs(inputs) {
+    const state = connectStore.getState();
+    return new EncryptInputsBuilder({
+      inputs,
+      account: state.account ?? void 0,
+      chainId: state.chainId ?? void 0,
+      config: opts.config,
+      publicClient: state.publicClient ?? void 0,
+      walletClient: state.walletClient ?? void 0,
+      zkvWalletClient: opts.config._internal?.zkvWalletClient,
+      tfhePublicKeyDeserializer: opts.tfhePublicKeyDeserializer,
+      compactPkeCrsDeserializer: opts.compactPkeCrsDeserializer,
+      zkBuilderAndCrsGenerator: opts.zkBuilderAndCrsGenerator,
+      initTfhe: opts.initTfhe,
+      zkProveWorkerFn: opts.zkProveWorkerFn,
+      keysStorage,
+      requireConnected: _requireConnected
+    });
+  }
+  function decryptForView(ctHash, utype) {
+    const state = connectStore.getState();
+    return new DecryptForViewBuilder({
+      ctHash,
+      utype,
+      chainId: state.chainId,
+      account: state.account,
+      config: opts.config,
+      publicClient: state.publicClient,
+      walletClient: state.walletClient,
+      requireConnected: _requireConnected
+    });
+  }
+  function decryptForTx(ctHash) {
+    const state = connectStore.getState();
+    return new DecryptForTxBuilder({
+      ctHash,
+      chainId: state.chainId,
+      account: state.account,
+      config: opts.config,
+      publicClient: state.publicClient,
+      walletClient: state.walletClient,
+      requireConnected: _requireConnected
+    });
+  }
+  function verifyDecryptResult2(handle, cleartext, signature) {
+    _requireConnected();
+    const { publicClient } = connectStore.getState();
+    return verifyDecryptResult(handle, cleartext, signature, publicClient);
+  }
+  const _getChainIdAndAccount = (chainId, account) => {
+    const state = connectStore.getState();
+    const _chainId = chainId ?? state.chainId;
+    const _account = account ?? state.account;
+    if (_chainId == null || _account == null) {
+      throw new CofheError({
+        code: "NOT_CONNECTED" /* NotConnected */,
+        message: "ChainId or account not available.",
+        hint: "Ensure client.connect() has been called, or provide chainId and account explicitly.",
+        context: {
+          chainId: _chainId,
+          account: _account
+        }
+      });
+    }
+    return { chainId: _chainId, account: _account };
+  };
+  const clientPermits = {
+    // Pass through store access
+    getSnapshot: permits.getSnapshot,
+    subscribe: permits.subscribe,
+    // Creation methods (require connection)
+    createSelf: async (options, clients) => {
+      _requireConnected();
+      const { publicClient, walletClient } = clients ?? connectStore.getState();
+      return permits.createSelf(options, publicClient, walletClient);
+    },
+    createSharing: async (options, clients) => {
+      _requireConnected();
+      const { publicClient, walletClient } = clients ?? connectStore.getState();
+      return permits.createSharing(options, publicClient, walletClient);
+    },
+    importShared: async (options, clients) => {
+      _requireConnected();
+      const { publicClient, walletClient } = clients ?? connectStore.getState();
+      return permits.importShared(options, publicClient, walletClient);
+    },
+    // Get or create methods (require connection)
+    getOrCreateSelfPermit: async (chainId, account, options) => {
+      _requireConnected();
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      const { publicClient, walletClient } = connectStore.getState();
+      return permits.getOrCreateSelfPermit(publicClient, walletClient, _chainId, _account, options);
+    },
+    getOrCreateSharingPermit: async (options, chainId, account) => {
+      _requireConnected();
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      const { publicClient, walletClient } = connectStore.getState();
+      return permits.getOrCreateSharingPermit(publicClient, walletClient, options, _chainId, _account);
+    },
+    // Retrieval methods (auto-fill chainId/account)
+    getPermit: (hash, chainId, account) => {
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      return permits.getPermit(_chainId, _account, hash);
+    },
+    getPermits: (chainId, account) => {
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      return permits.getPermits(_chainId, _account);
+    },
+    getActivePermit: (chainId, account) => {
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      return permits.getActivePermit(_chainId, _account);
+    },
+    getActivePermitHash: (chainId, account) => {
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      return permits.getActivePermitHash(_chainId, _account);
+    },
+    // Mutation methods (auto-fill chainId/account)
+    selectActivePermit: (hash, chainId, account) => {
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      return permits.selectActivePermit(_chainId, _account, hash);
+    },
+    removePermit: async (hash, chainId, account) => {
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      return permits.removePermit(_chainId, _account, hash);
+    },
+    removeActivePermit: async (chainId, account) => {
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      return permits.removeActivePermit(_chainId, _account);
+    },
+    // Utils (no context needed)
+    getHash: permits.getHash,
+    serialize: permits.serialize,
+    deserialize: permits.deserialize
+  };
+  return {
+    // Zustand reactive accessors (don't export store directly to prevent mutation)
+    getSnapshot: connectStore.getState,
+    subscribe: connectStore.subscribe,
+    // flags (read-only: reflect snapshot)
+    get connection() {
+      return connectStore.getState();
+    },
+    get connected() {
+      return connectStore.getState().connected;
+    },
+    get connecting() {
+      return connectStore.getState().connecting;
+    },
+    // config & platform-specific (read-only)
+    config: opts.config,
+    connect,
+    disconnect,
+    encryptInputs,
+    decryptForView,
+    /**
+     * @deprecated Use `decryptForView` instead. Kept for backward compatibility.
+     */
+    decryptHandle: decryptForView,
+    decryptForTx,
+    verifyDecryptResult: verifyDecryptResult2,
+    permits: clientPermits
+    // Add SDK-specific methods below that require connection
+    // Example:
+    // async encryptData(data: unknown) {
+    //   requireConnected();
+    //   // Use state.publicClient and state.walletClient for implementation
+    // },
+  };
+}
+
+// web/const.ts
+var hasDOM = typeof globalThis?.document !== "undefined" && typeof globalThis?.window !== "undefined";
+
+// web/storage.ts
+var createWebStorage = (opts = { enableLog: false }) => {
+  if (!hasDOM)
+    throw new Error("createWebStorage can only be used in a browser environment");
+  const client = iframeSharedStorage.constructClient({
+    iframe: {
+      src: "https://iframe-shared-storage.vercel.app/hub.html",
+      messagingOptions: {
+        enableLog: opts.enableLog ? "both" : void 0
+      },
+      iframeReadyTimeoutMs: 3e4,
+      // if the iframe is not initied during this interval AND a reuqest is made, such request will throw an error
+      methodCallTimeoutMs: 1e4,
+      // if a method call is not answered during this interval, the call will throw an error
+      methodCallRetries: 3
+      // number of retries for a method call if it times out
+    }
+  });
+  const indexedDBKeyval = client.indexedDBKeyval;
+  return {
+    getItem: async (name) => {
+      return await indexedDBKeyval.get(name) ?? null;
+    },
+    setItem: async (name, value) => {
+      await indexedDBKeyval.set(name, value);
+    },
+    removeItem: async (name) => {
+      await indexedDBKeyval.del(name);
+    }
+  };
+};
+function createSsrStorage() {
+  console.warn("using no-op server-side SSR storage");
+  return {
+    getItem: async () => null,
+    setItem: async () => {
+    },
+    removeItem: async () => {
+    }
+  };
+}
+
+// web/workerManager.ts
+var ZkProveWorkerManager = class {
+  worker = null;
+  pendingRequests = /* @__PURE__ */ new Map();
+  requestCounter = 0;
+  workerReady = false;
+  initializationPromise = null;
+  /**
+   * Initialize the worker
+   */
+  async initializeWorker() {
+    if (this.worker && this.workerReady) {
+      return;
+    }
+    if (this.initializationPromise) {
+      return this.initializationPromise;
+    }
+    this.initializationPromise = new Promise((resolve, reject) => {
+      try {
+        if (typeof Worker === "undefined") {
+          reject(new Error("Web Workers not supported"));
+          return;
+        }
+        try {
+          this.worker = new Worker(new URL("./zkProve.worker.js", (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('out.js', document.baseURI).href))), { type: "module" });
+        } catch (error) {
+          reject(new Error(`Failed to create worker: ${error}`));
+          return;
+        }
+        this.worker.onmessage = (event) => {
+          const { id, type, result, error } = event.data;
+          if (type === "ready") {
+            this.workerReady = true;
+            resolve();
+            return;
+          }
+          const pending = this.pendingRequests.get(id);
+          if (!pending) {
+            console.warn("[Worker Manager] Received response for unknown request:", id);
+            return;
+          }
+          clearTimeout(pending.timeoutId);
+          this.pendingRequests.delete(id);
+          if (type === "success" && result) {
+            pending.resolve(new Uint8Array(result));
+          } else if (type === "error") {
+            pending.reject(new Error(error || "Worker error"));
+          } else {
+            pending.reject(new Error("Invalid response from worker"));
+          }
+        };
+        this.worker.onerror = (error) => {
+          console.error("[Worker Manager] Worker error event:", error);
+          console.error("[Worker Manager] Error message:", error.message);
+          console.error("[Worker Manager] Error filename:", error.filename);
+          console.error("[Worker Manager] Error lineno:", error.lineno);
+          if (!this.workerReady) {
+            reject(new Error(`Worker failed to initialize: ${error.message || "Unknown error"}`));
+          }
+          this.pendingRequests.forEach(({ reject: reject2, timeoutId }) => {
+            clearTimeout(timeoutId);
+            reject2(new Error("Worker encountered an error"));
+          });
+          this.pendingRequests.clear();
+        };
+        setTimeout(() => {
+          if (!this.workerReady) {
+            reject(new Error("Worker initialization timeout"));
+          }
+        }, 5e3);
+      } catch (error) {
+        reject(error);
+      }
+    });
+    return this.initializationPromise;
+  }
+  /**
+   * Submit a proof generation request to the worker
+   */
+  async submitProof(fheKeyHex, crsHex, items, metadata) {
+    await this.initializeWorker();
+    const id = `zkprove-${Date.now()}-${this.requestCounter++}`;
+    return new Promise((resolve, reject) => {
+      const timeoutId = setTimeout(() => {
+        this.pendingRequests.delete(id);
+        reject(new Error("Worker request timeout (30s)"));
+      }, 3e4);
+      this.pendingRequests.set(id, { resolve, reject, timeoutId });
+      const message = {
+        id,
+        type: "zkProve",
+        fheKeyHex,
+        crsHex,
+        items,
+        metadata: Array.from(metadata)
+      };
+      this.worker.postMessage(message);
+    });
+  }
+  /**
+   * Terminate the worker and clean up
+   */
+  terminate() {
+    if (this.worker) {
+      this.worker.terminate();
+      this.worker = null;
+      this.workerReady = false;
+      this.initializationPromise = null;
+    }
+    this.pendingRequests.forEach(({ reject, timeoutId }) => {
+      clearTimeout(timeoutId);
+      reject(new Error("Worker terminated"));
+    });
+    this.pendingRequests.clear();
+  }
+  /**
+   * Check if worker is available
+   */
+  isAvailable() {
+    return typeof Worker !== "undefined";
+  }
+};
+var workerManager = null;
+function getWorkerManager() {
+  if (!workerManager) {
+    workerManager = new ZkProveWorkerManager();
+  }
+  return workerManager;
+}
+function terminateWorker() {
+  if (workerManager) {
+    workerManager.terminate();
+    workerManager = null;
+  }
+}
+function areWorkersAvailable() {
+  return typeof Worker !== "undefined";
+}
+var tfheInitialized = false;
+async function initTfhe() {
+  if (tfheInitialized)
+    return false;
+  await init__default.default();
+  await init.init_panic_hook();
+  tfheInitialized = true;
+  return true;
+}
+var fromHexString2 = (hexString) => {
+  const cleanString = hexString.length % 2 === 1 ? `0${hexString}` : hexString;
+  const arr = cleanString.replace(/^0x/, "").match(/.{1,2}/g);
+  if (!arr)
+    return new Uint8Array();
+  return new Uint8Array(arr.map((byte) => parseInt(byte, 16)));
+};
+var tfhePublicKeyDeserializer = (buff) => {
+  init.TfheCompactPublicKey.deserialize(fromHexString2(buff));
+};
+var compactPkeCrsDeserializer = (buff) => {
+  init.CompactPkeCrs.deserialize(fromHexString2(buff));
+};
+var zkBuilderAndCrsGenerator = (fhe, crs) => {
+  const fhePublicKey = init.TfheCompactPublicKey.deserialize(fromHexString2(fhe));
+  const zkBuilder = init.ProvenCompactCiphertextList.builder(fhePublicKey);
+  const zkCrs = init.CompactPkeCrs.deserialize(fromHexString2(crs));
+  return { zkBuilder, zkCrs };
+};
+async function zkProveWithWorker2(fheKeyHex, crsHex, items, metadata) {
+  const serializedItems = items.map((item) => ({
+    utype: fheTypeToString(item.utype),
+    data: typeof item.data === "bigint" ? item.data.toString() : item.data
+  }));
+  const workerManager2 = getWorkerManager();
+  return await workerManager2.submitProof(fheKeyHex, crsHex, serializedItems, metadata);
+}
+function createCofheConfig(config) {
+  return createCofheConfigBase({
+    environment: "web",
+    ...config,
+    fheKeyStorage: config.fheKeyStorage === null ? null : config.fheKeyStorage ?? (hasDOM ? createWebStorage() : createSsrStorage())
+  });
+}
+function createCofheClient(config) {
+  return createCofheClientBase({
+    config,
+    zkBuilderAndCrsGenerator,
+    tfhePublicKeyDeserializer,
+    compactPkeCrsDeserializer,
+    initTfhe,
+    // Always provide the worker function if available - config.useWorkers controls usage
+    // areWorkersAvailable will return true if the Worker API is available and false in Node.js
+    zkProveWorkerFn: areWorkersAvailable() ? zkProveWithWorker2 : void 0
+  });
+}
+function createCofheClientWithCustomWorker(config, customZkProveWorkerFn) {
+  return createCofheClientBase({
+    config,
+    zkBuilderAndCrsGenerator,
+    tfhePublicKeyDeserializer,
+    compactPkeCrsDeserializer,
+    initTfhe,
+    zkProveWorkerFn: customZkProveWorkerFn
+  });
+}
+
+exports.areWorkersAvailable = areWorkersAvailable;
+exports.createCofheClient = createCofheClient;
+exports.createCofheClientWithCustomWorker = createCofheClientWithCustomWorker;
+exports.createCofheConfig = createCofheConfig;
+exports.createSsrStorage = createSsrStorage;
+exports.hasDOM = hasDOM;
+exports.terminateWorker = terminateWorker;