@cofhe/sdk 0.1.1 → 0.2.1

package/dist/{chunk-KFGPTJ6X.js → chunk-I5WFEYXX.js}

@@ -1,10 +1,10 @@
-import { hardhat } from './chunk-GZCQQYVI.js';
-import { permitStore, PermitUtils } from './chunk-LU7BMUUT.js';
+import { hardhat as hardhat$1 } from './chunk-TBLR7NNE.js';
+import { permitStore, PermitUtils, MOCKS_QUERY_DECRYPTER_ADDRESS, MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY, MOCKS_ZK_VERIFIER_ADDRESS } from './chunk-R3B5TMVX.js';
 import { createStore } from 'zustand/vanilla';
-import { getAddress, http, createWalletClient, encodePacked, keccak256, toBytes, hashMessage } from 'viem';
-import { z } from 'zod';
-import { hardhat as hardhat$1 } from 'viem/chains';
+import { createWalletClient, http, encodePacked, keccak256, toBytes, hashMessage, getAddress } from 'viem';
+import { hardhat } from 'viem/chains';
 import { privateKeyToAccount } from 'viem/accounts';
+import { z } from 'zod';
 import { persist, createJSONStorage } from 'zustand/middleware';
 import { produce } from 'immer';
 
@@ -143,250 +143,123 @@ var bigintSafeJsonStringify = (value) => {
 };
 var isCofhesdkError = (error) => error instanceof CofhesdkError;
 
-// core/result.ts
-var ResultErr = (error) => ({
-  success: false,
-  data: null,
-  error
-});
-var ResultOk = (data) => ({
-  success: true,
-  data,
-  error: null
-});
-var ResultErrOrInternal = (error) => {
-  return ResultErr(CofhesdkError.fromError(error));
-};
-var ResultHttpError = (error, url, status) => {
-  if (error instanceof CofhesdkError)
-    return error;
-  const message = status ? `HTTP error ${status} from ${url}` : `HTTP request failed for ${url}`;
-  return new CofhesdkError({
-    code: "INTERNAL_ERROR" /* InternalError */,
-    message,
-    cause: error instanceof Error ? error : void 0
-  });
-};
-var ResultValidationError = (message) => {
-  return new CofhesdkError({
-    code: "INVALID_PERMIT_DATA" /* InvalidPermitData */,
-    message
-  });
-};
-var resultWrapper = async (tryFn, catchFn, finallyFn) => {
-  try {
-    const result = await tryFn();
-    return ResultOk(result);
-  } catch (error) {
-    const result = ResultErrOrInternal(error);
-    catchFn?.(result.error);
-    return result;
-  } finally {
-    finallyFn?.();
-  }
-};
-var resultWrapperSync = (fn) => {
-  try {
-    const result = fn();
-    return ResultOk(result);
-  } catch (error) {
-    return ResultErrOrInternal(error);
-  }
-};
-var storeActivePermit = async (permit, publicClient, walletClient) => {
-  const chainId = await publicClient.getChainId();
-  const account = walletClient.account.address;
-  permitStore.setPermit(chainId, account, permit);
-  permitStore.setActivePermitHash(chainId, account, PermitUtils.getHash(permit));
-};
-var createPermitWithSign = async (options, publicClient, walletClient, permitMethod) => {
-  const permit = await permitMethod(options, publicClient, walletClient);
-  await storeActivePermit(permit, publicClient, walletClient);
-  return permit;
-};
-var createSelf = async (options, publicClient, walletClient) => {
-  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.createSelfAndSign);
-};
-var createSharing = async (options, publicClient, walletClient) => {
-  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.createSharingAndSign);
-};
-var importShared = async (options, publicClient, walletClient) => {
-  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.importSharedAndSign);
-};
-var getHash = (permit) => {
-  return PermitUtils.getHash(permit);
-};
-var serialize = (permit) => {
-  return PermitUtils.serialize(permit);
-};
-var deserialize = (serialized) => {
-  return PermitUtils.deserialize(serialized);
-};
-var getPermit = async (chainId, account, hash) => {
-  return permitStore.getPermit(chainId, account, hash);
-};
-var getPermits = async (chainId, account) => {
-  return permitStore.getPermits(chainId, account);
-};
-var getActivePermit = async (chainId, account) => {
-  return permitStore.getActivePermit(chainId, account);
-};
-var getActivePermitHash = async (chainId, account) => {
-  return permitStore.getActivePermitHash(chainId, account);
-};
-var selectActivePermit = async (chainId, account, hash) => {
-  await permitStore.setActivePermitHash(chainId, account, hash);
-};
-var removePermit = async (chainId, account, hash) => {
-  await permitStore.removePermit(chainId, account, hash);
-};
-var removeActivePermit = async (chainId, account) => {
-  await permitStore.removeActivePermitHash(chainId, account);
-};
-var permits = {
-  getSnapshot: permitStore.store.getState,
-  subscribe: permitStore.store.subscribe,
-  createSelf,
-  createSharing,
-  importShared,
-  getHash,
-  serialize,
-  deserialize,
-  getPermit,
-  getPermits,
-  getActivePermit,
-  getActivePermitHash,
-  removePermit,
-  selectActivePermit,
-  removeActivePermit
-};
-function uint160ToAddress(uint160) {
-  const hexStr = uint160.toString(16).padStart(40, "0");
-  return getAddress("0x" + hexStr);
+// core/types.ts
+var FheTypes = /* @__PURE__ */ ((FheTypes2) => {
+  FheTypes2[FheTypes2["Bool"] = 0] = "Bool";
+  FheTypes2[FheTypes2["Uint4"] = 1] = "Uint4";
+  FheTypes2[FheTypes2["Uint8"] = 2] = "Uint8";
+  FheTypes2[FheTypes2["Uint16"] = 3] = "Uint16";
+  FheTypes2[FheTypes2["Uint32"] = 4] = "Uint32";
+  FheTypes2[FheTypes2["Uint64"] = 5] = "Uint64";
+  FheTypes2[FheTypes2["Uint128"] = 6] = "Uint128";
+  FheTypes2[FheTypes2["Uint160"] = 7] = "Uint160";
+  FheTypes2[FheTypes2["Uint256"] = 8] = "Uint256";
+  FheTypes2[FheTypes2["Uint512"] = 9] = "Uint512";
+  FheTypes2[FheTypes2["Uint1024"] = 10] = "Uint1024";
+  FheTypes2[FheTypes2["Uint2048"] = 11] = "Uint2048";
+  FheTypes2[FheTypes2["Uint2"] = 12] = "Uint2";
+  FheTypes2[FheTypes2["Uint6"] = 13] = "Uint6";
+  FheTypes2[FheTypes2["Uint10"] = 14] = "Uint10";
+  FheTypes2[FheTypes2["Uint12"] = 15] = "Uint12";
+  FheTypes2[FheTypes2["Uint14"] = 16] = "Uint14";
+  FheTypes2[FheTypes2["Int2"] = 17] = "Int2";
+  FheTypes2[FheTypes2["Int4"] = 18] = "Int4";
+  FheTypes2[FheTypes2["Int6"] = 19] = "Int6";
+  FheTypes2[FheTypes2["Int8"] = 20] = "Int8";
+  FheTypes2[FheTypes2["Int10"] = 21] = "Int10";
+  FheTypes2[FheTypes2["Int12"] = 22] = "Int12";
+  FheTypes2[FheTypes2["Int14"] = 23] = "Int14";
+  FheTypes2[FheTypes2["Int16"] = 24] = "Int16";
+  FheTypes2[FheTypes2["Int32"] = 25] = "Int32";
+  FheTypes2[FheTypes2["Int64"] = 26] = "Int64";
+  FheTypes2[FheTypes2["Int128"] = 27] = "Int128";
+  FheTypes2[FheTypes2["Int160"] = 28] = "Int160";
+  FheTypes2[FheTypes2["Int256"] = 29] = "Int256";
+  return FheTypes2;
+})(FheTypes || {});
+var FheUintUTypes = [
+  2 /* Uint8 */,
+  3 /* Uint16 */,
+  4 /* Uint32 */,
+  5 /* Uint64 */,
+  6 /* Uint128 */
+  // [U256-DISABLED]
+  // FheTypes.Uint256,
+];
+var FheAllUTypes = [
+  0 /* Bool */,
+  2 /* Uint8 */,
+  3 /* Uint16 */,
+  4 /* Uint32 */,
+  5 /* Uint64 */,
+  6 /* Uint128 */,
+  // [U256-DISABLED]
+  // FheTypes.Uint256,
+  7 /* Uint160 */
+];
+function assertCorrectEncryptedItemInput(input) {
+  if (!input.signature.startsWith("0x"))
+    throw new Error("Signature must be a hex string starting with 0x");
 }
-var isValidUtype = (utype) => {
-  return utype === 0 /* Bool */ || utype === 7 /* Uint160 */ || utype == null || FheUintUTypes.includes(utype);
-};
-var convertViaUtype = (utype, value) => {
-  if (utype === 0 /* Bool */) {
-    return !!value;
-  } else if (utype === 7 /* Uint160 */) {
-    return uint160ToAddress(value);
-  } else if (utype == null || FheUintUTypes.includes(utype)) {
-    return value;
-  } else {
-    throw new Error(`convertViaUtype :: invalid utype :: ${utype}`);
-  }
+var EncryptableFactoriesImpl = {
+  bool: (data, securityZone = 0) => ({ data, securityZone, utype: 0 /* Bool */ }),
+  address: (data, securityZone = 0) => ({ data, securityZone, utype: 7 /* Uint160 */ }),
+  uint8: (data, securityZone = 0) => ({ data, securityZone, utype: 2 /* Uint8 */ }),
+  uint16: (data, securityZone = 0) => ({ data, securityZone, utype: 3 /* Uint16 */ }),
+  uint32: (data, securityZone = 0) => ({ data, securityZone, utype: 4 /* Uint32 */ }),
+  uint64: (data, securityZone = 0) => ({ data, securityZone, utype: 5 /* Uint64 */ }),
+  uint128: (data, securityZone = 0) => ({ data, securityZone, utype: 6 /* Uint128 */ })
+  // [U256-DISABLED]
+  // uint256: (data: EncryptableUint256['data'], securityZone = 0) =>
+  //   ({ data, securityZone, utype: FheTypes.Uint256 }) as EncryptableUint256,
 };
-var BaseBuilder = class {
-  config;
-  publicClient;
-  walletClient;
-  chainId;
-  account;
-  requireConnected;
-  constructor(params) {
-    this.config = params.config;
-    this.publicClient = params.publicClient;
-    this.walletClient = params.walletClient;
-    this.chainId = params.chainId;
-    this.account = params.account;
-    this.requireConnected = params.requireConnected;
-  }
-  /**
-   * Gets the chain ID from the instance or fetches it from the public client
-   * @returns The chain ID
-   * @throws {CofhesdkError} If chainId is not set and publicClient is not available
-   */
-  async getChainIdOrThrow() {
-    if (this.chainId)
-      return this.chainId;
-    throw new CofhesdkError({
-      code: "CHAIN_ID_UNINITIALIZED" /* ChainIdUninitialized */,
-      message: "Chain ID is not set",
-      hint: "Ensure client.connect() has been called and awaited, or use setChainId(...) to set the chainId explicitly.",
-      context: {
-        chainId: this.chainId
-      }
-    });
-  }
-  /**
-   * Gets the account address from the instance or fetches it from the wallet client
-   * @returns The account address
-   * @throws {CofhesdkError} If account is not set and walletClient is not available
-   */
-  async getAccountOrThrow() {
-    if (this.account)
-      return this.account;
-    throw new CofhesdkError({
-      code: "ACCOUNT_UNINITIALIZED" /* AccountUninitialized */,
-      message: "Account is not set",
-      hint: "Ensure client.connect() has been called and awaited, or use setAccount(...) to set the account explicitly.",
-      context: {
-        account: this.account
-      }
-    });
-  }
-  /**
-   * Gets the config or throws an error if not available
-   * @returns The config
-   * @throws {CofhesdkError} If config is not set
-   */
-  getConfigOrThrow() {
-    if (this.config)
-      return this.config;
-    throw new CofhesdkError({
-      code: "MISSING_CONFIG" /* MissingConfig */,
-      message: "Builder config is undefined",
-      hint: "Ensure client has been created with a config.",
-      context: {
-        config: this.config
-      }
-    });
-  }
-  /**
-   * Gets the public client or throws an error if not available
-   * @returns The public client
-   * @throws {CofhesdkError} If publicClient is not set
-   */
-  getPublicClientOrThrow() {
-    if (this.publicClient)
-      return this.publicClient;
-    throw new CofhesdkError({
-      code: "MISSING_PUBLIC_CLIENT" /* MissingPublicClient */,
-      message: "Public client not found",
-      hint: "Ensure client.connect() has been called with a publicClient.",
-      context: {
-        publicClient: this.publicClient
-      }
-    });
-  }
-  /**
-   * Gets the wallet client or throws an error if not available
-   * @returns The wallet client
-   * @throws {CofhesdkError} If walletClient is not set
-   */
-  getWalletClientOrThrow() {
-    if (this.walletClient)
-      return this.walletClient;
-    throw new CofhesdkError({
-      code: "MISSING_WALLET_CLIENT" /* MissingWalletClient */,
-      message: "Wallet client not found",
-      hint: "Ensure client.connect() has been called with a walletClient.",
-      context: {
-        walletClient: this.walletClient
-      }
-    });
-  }
-  /**
-   * Requires the client to be connected
-   * @throws {CofhesdkError} If client is not connected
-   */
-  requireConnectedOrThrow() {
-    if (this.requireConnected)
-      this.requireConnected();
+function createEncryptableByLiteral(type, data, securityZone = 0) {
+  switch (type) {
+    case "bool": {
+      if (typeof data !== "boolean")
+        throw new Error("Bool encryptable data must be boolean");
+      return EncryptableFactoriesImpl.bool(data, securityZone);
+    }
+    case "address":
+    case "uint8":
+    case "uint16":
+    case "uint32":
+    case "uint64":
+    case "uint128": {
+      if (typeof data === "boolean")
+        throw new Error("Uint encryptable data must be string or bigint");
+      return EncryptableFactoriesImpl[type](data, securityZone);
+    }
+    default: {
+      const _exhaustive = type;
+      throw new Error(`Unsupported encryptable type: ${_exhaustive}`);
+    }
   }
+}
+var Encryptable = {
+  ...EncryptableFactoriesImpl,
+  create: createEncryptableByLiteral
 };
+function isEncryptableItem(value) {
+  return (
+    // Is object and exists
+    typeof value === "object" && value !== null && // Has securityZone
+    "securityZone" in value && typeof value.securityZone === "number" && // Has utype
+    "utype" in value && FheAllUTypes.includes(value.utype) && // Has data
+    "data" in value && ["string", "number", "bigint", "boolean"].includes(typeof value.data)
+  );
+}
+var EncryptStep = /* @__PURE__ */ ((EncryptStep2) => {
+  EncryptStep2["InitTfhe"] = "initTfhe";
+  EncryptStep2["FetchKeys"] = "fetchKeys";
+  EncryptStep2["Pack"] = "pack";
+  EncryptStep2["Prove"] = "prove";
+  EncryptStep2["Verify"] = "verify";
+  return EncryptStep2;
+})(EncryptStep || {});
+function isLastEncryptionStep(step) {
+  return step === "verify" /* Verify */;
+}
 var toHexString = (bytes) => bytes.reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
 var toBigIntOrThrow = (value) => {
   if (typeof value === "bigint") {
@@ -455,23 +328,211 @@ async function getWalletClientAccount(walletClient) {
   }
   return address;
 }
+function fheTypeToString(utype) {
+  switch (utype) {
+    case 0 /* Bool */:
+      return "bool";
+    case 1 /* Uint4 */:
+      return "uint4";
+    case 2 /* Uint8 */:
+      return "uint8";
+    case 3 /* Uint16 */:
+      return "uint16";
+    case 4 /* Uint32 */:
+      return "uint32";
+    case 5 /* Uint64 */:
+      return "uint64";
+    case 6 /* Uint128 */:
+      return "uint128";
+    case 7 /* Uint160 */:
+      return "uint160";
+    case 8 /* Uint256 */:
+      return "uint256";
+    case 9 /* Uint512 */:
+      return "uint512";
+    case 10 /* Uint1024 */:
+      return "uint1024";
+    case 11 /* Uint2048 */:
+      return "uint2048";
+    case 12 /* Uint2 */:
+      return "uint2";
+    case 13 /* Uint6 */:
+      return "uint6";
+    case 14 /* Uint10 */:
+      return "uint10";
+    default:
+      throw new Error(`Unknown FheType: ${utype}`);
+  }
+}
 
-// core/decrypt/MockQueryDecrypterAbi.ts
-var MockQueryDecrypterAbi = [
-  {
-    type: "function",
-    name: "acl",
-    inputs: [],
-    outputs: [{ name: "", type: "address", internalType: "contract ACL" }],
-    stateMutability: "view"
-  },
-  {
-    type: "function",
-    name: "decodeLowLevelReversion",
-    inputs: [{ name: "data", type: "bytes", internalType: "bytes" }],
-    outputs: [{ name: "error", type: "string", internalType: "string" }],
-    stateMutability: "pure"
-  },
+// core/encrypt/zkPackProveVerify.ts
+var MAX_UINT8 = 255n;
+var MAX_UINT16 = 65535n;
+var MAX_UINT32 = 4294967295n;
+var MAX_UINT64 = 18446744073709551615n;
+var MAX_UINT128 = 340282366920938463463374607431768211455n;
+var MAX_UINT160 = 1461501637330902918203684832716283019655932542975n;
+var MAX_ENCRYPTABLE_BITS = 2048;
+var zkPack = (items, builder) => {
+  let totalBits = 0;
+  for (const item of items) {
+    switch (item.utype) {
+      case 0 /* Bool */: {
+        builder.push_boolean(item.data);
+        totalBits += 1;
+        break;
+      }
+      case 2 /* Uint8 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT8);
+        builder.push_u8(parseInt(bint.toString()));
+        totalBits += 8;
+        break;
+      }
+      case 3 /* Uint16 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT16);
+        builder.push_u16(parseInt(bint.toString()));
+        totalBits += 16;
+        break;
+      }
+      case 4 /* Uint32 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT32);
+        builder.push_u32(parseInt(bint.toString()));
+        totalBits += 32;
+        break;
+      }
+      case 5 /* Uint64 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT64);
+        builder.push_u64(bint);
+        totalBits += 64;
+        break;
+      }
+      case 6 /* Uint128 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT128);
+        builder.push_u128(bint);
+        totalBits += 128;
+        break;
+      }
+      case 7 /* Uint160 */: {
+        const bint = toBigIntOrThrow(item.data);
+        validateBigIntInRange(bint, MAX_UINT160);
+        builder.push_u160(bint);
+        totalBits += 160;
+        break;
+      }
+      default: {
+        throw new CofhesdkError({
+          code: "ZK_PACK_FAILED" /* ZkPackFailed */,
+          message: `Invalid utype: ${item.utype}`,
+          hint: `Ensure that the utype is valid, using the Encryptable type, for example: Encryptable.uint128(100n)`,
+          context: {
+            item
+          }
+        });
+      }
+    }
+  }
+  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+    throw new CofhesdkError({
+      code: "ZK_PACK_FAILED" /* ZkPackFailed */,
+      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      context: {
+        totalBits,
+        maxBits: MAX_ENCRYPTABLE_BITS,
+        items
+      }
+    });
+  }
+  return builder;
+};
+var zkProveWithWorker = async (workerFn, fheKeyHex, crsHex, items, metadata) => {
+  return await workerFn(fheKeyHex, crsHex, items, metadata);
+};
+var zkProve = async (builder, crs, metadata) => {
+  return new Promise((resolve) => {
+    setTimeout(() => {
+      const compactList = builder.build_with_proof_packed(
+        crs,
+        metadata,
+        1
+        // ZkComputeLoad.Verify
+      );
+      resolve(compactList.serialize());
+    }, 0);
+  });
+};
+var constructZkPoKMetadata = (accountAddr, securityZone, chainId) => {
+  const accountAddrNoPrefix = accountAddr.startsWith("0x") ? accountAddr.slice(2) : accountAddr;
+  const accountBytes = hexToBytes(accountAddrNoPrefix);
+  const chainIdBytes = new Uint8Array(32);
+  let value = chainId;
+  for (let i = 31; i >= 0 && value > 0; i--) {
+    chainIdBytes[i] = value & 255;
+    value = value >>> 8;
+  }
+  const metadata = new Uint8Array(1 + accountBytes.length + 32);
+  metadata[0] = securityZone;
+  metadata.set(accountBytes, 1);
+  metadata.set(chainIdBytes, 1 + accountBytes.length);
+  return metadata;
+};
+var zkVerify = async (verifierUrl, serializedBytes, address, securityZone, chainId) => {
+  const packed_list = toHexString(serializedBytes);
+  const sz_byte = new Uint8Array([securityZone]);
+  const payload = {
+    packed_list,
+    account_addr: address,
+    security_zone: sz_byte[0],
+    chain_id: chainId
+  };
+  const body = JSON.stringify(payload);
+  try {
+    const response = await fetch(`${verifierUrl}/verify`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      throw new CofhesdkError({
+        code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
+        message: `HTTP error! ZK proof verification failed - ${errorBody}`
+      });
+    }
+    const json = await response.json();
+    if (json.status !== "success") {
+      throw new CofhesdkError({
+        code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
+        message: `ZK proof verification response malformed - ${json.error}`
+      });
+    }
+    return json.data.map(({ ct_hash, signature, recid }) => {
+      return {
+        ct_hash,
+        signature: concatSigRecid(signature, recid)
+      };
+    });
+  } catch (e) {
+    throw new CofhesdkError({
+      code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
+      message: `ZK proof verification failed`,
+      cause: e instanceof Error ? e : void 0
+    });
+  }
+};
+var concatSigRecid = (signature, recid) => {
+  return signature + (recid + 27).toString(16).padStart(2, "0");
+};
+
+// core/encrypt/MockZkVerifierAbi.ts
+var MockZkVerifierAbi = [
   {
     type: "function",
     name: "exists",
@@ -481,943 +542,670 @@ var MockQueryDecrypterAbi = [
   },
   {
     type: "function",
-    name: "initialize",
+    name: "insertCtHash",
     inputs: [
-      { name: "_taskManager", type: "address", internalType: "address" },
-      { name: "_acl", type: "address", internalType: "address" }
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "value", type: "uint256", internalType: "uint256" }
     ],
     outputs: [],
     stateMutability: "nonpayable"
   },
   {
     type: "function",
-    name: "queryDecrypt",
+    name: "insertPackedCtHashes",
     inputs: [
-      { name: "ctHash", type: "uint256", internalType: "uint256" },
-      { name: "", type: "uint256", internalType: "uint256" },
-      {
-        name: "permission",
-        type: "tuple",
-        internalType: "struct Permission",
-        components: [
-          { name: "issuer", type: "address", internalType: "address" },
-          { name: "expiration", type: "uint64", internalType: "uint64" },
-          { name: "recipient", type: "address", internalType: "address" },
-          { name: "validatorId", type: "uint256", internalType: "uint256" },
-          {
-            name: "validatorContract",
-            type: "address",
-            internalType: "address"
-          },
-          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
-          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
-          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
-        ]
-      }
-    ],
-    outputs: [
-      { name: "allowed", type: "bool", internalType: "bool" },
-      { name: "error", type: "string", internalType: "string" },
-      { name: "", type: "uint256", internalType: "uint256" }
+      { name: "ctHashes", type: "uint256[]", internalType: "uint256[]" },
+      { name: "values", type: "uint256[]", internalType: "uint256[]" }
     ],
-    stateMutability: "view"
+    outputs: [],
+    stateMutability: "nonpayable"
   },
   {
     type: "function",
-    name: "querySealOutput",
+    name: "zkVerify",
     inputs: [
-      { name: "ctHash", type: "uint256", internalType: "uint256" },
-      { name: "", type: "uint256", internalType: "uint256" },
+      { name: "value", type: "uint256", internalType: "uint256" },
+      { name: "utype", type: "uint8", internalType: "uint8" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "", type: "uint256", internalType: "uint256" }
+    ],
+    outputs: [
       {
-        name: "permission",
+        name: "",
         type: "tuple",
-        internalType: "struct Permission",
+        internalType: "struct EncryptedInput",
         components: [
-          { name: "issuer", type: "address", internalType: "address" },
-          { name: "expiration", type: "uint64", internalType: "uint64" },
-          { name: "recipient", type: "address", internalType: "address" },
-          { name: "validatorId", type: "uint256", internalType: "uint256" },
-          {
-            name: "validatorContract",
-            type: "address",
-            internalType: "address"
-          },
-          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
-          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
-          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
+          { name: "ctHash", type: "uint256", internalType: "uint256" },
+          { name: "securityZone", type: "uint8", internalType: "uint8" },
+          { name: "utype", type: "uint8", internalType: "uint8" },
+          { name: "signature", type: "bytes", internalType: "bytes" }
         ]
       }
     ],
-    outputs: [
-      { name: "allowed", type: "bool", internalType: "bool" },
-      { name: "error", type: "string", internalType: "string" },
-      { name: "", type: "bytes32", internalType: "bytes32" }
-    ],
-    stateMutability: "view"
+    stateMutability: "nonpayable"
   },
   {
     type: "function",
-    name: "seal",
+    name: "zkVerifyCalcCtHash",
     inputs: [
-      { name: "input", type: "uint256", internalType: "uint256" },
-      { name: "key", type: "bytes32", internalType: "bytes32" }
+      { name: "value", type: "uint256", internalType: "uint256" },
+      { name: "utype", type: "uint8", internalType: "uint8" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "", type: "uint256", internalType: "uint256" }
     ],
-    outputs: [{ name: "", type: "bytes32", internalType: "bytes32" }],
-    stateMutability: "pure"
+    outputs: [{ name: "ctHash", type: "uint256", internalType: "uint256" }],
+    stateMutability: "view"
   },
   {
     type: "function",
-    name: "taskManager",
-    inputs: [],
-    outputs: [{ name: "", type: "address", internalType: "contract TaskManager" }],
+    name: "zkVerifyCalcCtHashesPacked",
+    inputs: [
+      { name: "values", type: "uint256[]", internalType: "uint256[]" },
+      { name: "utypes", type: "uint8[]", internalType: "uint8[]" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "chainId", type: "uint256", internalType: "uint256" }
+    ],
+    outputs: [{ name: "ctHashes", type: "uint256[]", internalType: "uint256[]" }],
     stateMutability: "view"
   },
   {
     type: "function",
-    name: "unseal",
+    name: "zkVerifyPacked",
     inputs: [
-      { name: "hashed", type: "bytes32", internalType: "bytes32" },
-      { name: "key", type: "bytes32", internalType: "bytes32" }
+      { name: "values", type: "uint256[]", internalType: "uint256[]" },
+      { name: "utypes", type: "uint8[]", internalType: "uint8[]" },
+      { name: "user", type: "address", internalType: "address" },
+      { name: "securityZone", type: "uint8", internalType: "uint8" },
+      { name: "chainId", type: "uint256", internalType: "uint256" }
     ],
-    outputs: [{ name: "", type: "uint256", internalType: "uint256" }],
-    stateMutability: "pure"
+    outputs: [
+      {
+        name: "inputs",
+        type: "tuple[]",
+        internalType: "struct EncryptedInput[]",
+        components: [
+          { name: "ctHash", type: "uint256", internalType: "uint256" },
+          { name: "securityZone", type: "uint8", internalType: "uint8" },
+          { name: "utype", type: "uint8", internalType: "uint8" },
+          { name: "signature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    stateMutability: "nonpayable"
   },
-  { type: "error", name: "NotAllowed", inputs: [] },
-  { type: "error", name: "SealingKeyInvalid", inputs: [] },
-  { type: "error", name: "SealingKeyMissing", inputs: [] }
+  { type: "error", name: "InvalidInputs", inputs: [] }
 ];
-
-// core/decrypt/cofheMocksSealOutput.ts
-var MockQueryDecrypterAddress = "0x0000000000000000000000000000000000000200";
-async function cofheMocksSealOutput(ctHash, utype, permit, publicClient, mocksSealOutputDelay) {
-  if (mocksSealOutputDelay > 0)
-    await sleep(mocksSealOutputDelay);
-  const permission = PermitUtils.getPermission(permit, true);
-  const permissionWithBigInts = {
-    ...permission,
-    expiration: BigInt(permission.expiration),
-    validatorId: BigInt(permission.validatorId)
-  };
-  const [allowed, error, result] = await publicClient.readContract({
-    address: MockQueryDecrypterAddress,
-    abi: MockQueryDecrypterAbi,
-    functionName: "querySealOutput",
-    args: [ctHash, BigInt(utype), permissionWithBigInts]
+function createMockZkVerifierSigner() {
+  return createWalletClient({
+    chain: hardhat,
+    transport: http(),
+    account: privateKeyToAccount(MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY)
   });
-  if (error != "") {
-    throw new CofhesdkError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `mocks querySealOutput call failed: ${error}`
-    });
+}
+async function cofheMocksCheckEncryptableBits(items) {
+  let totalBits = 0;
+  for (const item of items) {
+    switch (item.utype) {
+      case 0 /* Bool */: {
+        totalBits += 1;
+        break;
+      }
+      case 2 /* Uint8 */: {
+        totalBits += 8;
+        break;
+      }
+      case 3 /* Uint16 */: {
+        totalBits += 16;
+        break;
+      }
+      case 4 /* Uint32 */: {
+        totalBits += 32;
+        break;
+      }
+      case 5 /* Uint64 */: {
+        totalBits += 64;
+        break;
+      }
+      case 6 /* Uint128 */: {
+        totalBits += 128;
+        break;
+      }
+      case 7 /* Uint160 */: {
+        totalBits += 160;
+        break;
+      }
+    }
   }
-  if (allowed == false) {
+  if (totalBits > MAX_ENCRYPTABLE_BITS) {
     throw new CofhesdkError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `mocks querySealOutput call failed: ACL Access Denied (NotAllowed)`
+      code: "ZK_PACK_FAILED" /* ZkPackFailed */,
+      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      context: {
+        totalBits,
+        maxBits: MAX_ENCRYPTABLE_BITS,
+        items
+      }
     });
   }
-  const sealedBigInt = BigInt(result);
-  const sealingKeyBigInt = BigInt(permission.sealingKey);
-  const unsealed = sealedBigInt ^ sealingKeyBigInt;
-  return unsealed;
 }
-
-// core/decrypt/tnSealOutput.ts
-async function tnSealOutput(ctHash, chainId, permission, thresholdNetworkUrl) {
-  let sealed;
-  let errorMessage;
-  let sealOutputResult;
-  const body = {
-    ct_tempkey: ctHash.toString(16).padStart(64, "0"),
-    host_chain_id: chainId,
-    permit: permission
-  };
+async function calcCtHashes(items, account, securityZone, publicClient) {
+  const calcCtHashesArgs = [
+    items.map(({ data }) => BigInt(data)),
+    items.map(({ utype }) => utype),
+    account,
+    securityZone,
+    BigInt(hardhat.id)
+  ];
+  let ctHashes;
   try {
-    const sealOutputRes = await fetch(`${thresholdNetworkUrl}/sealoutput`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(body)
+    ctHashes = await publicClient.readContract({
+      address: MOCKS_ZK_VERIFIER_ADDRESS,
+      abi: MockZkVerifierAbi,
+      functionName: "zkVerifyCalcCtHashesPacked",
+      args: calcCtHashesArgs
     });
-    sealOutputResult = await sealOutputRes.json();
-    sealed = sealOutputResult.sealed;
-    errorMessage = sealOutputResult.error_message;
-  } catch (e) {
+  } catch (err) {
     throw new CofhesdkError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `sealOutput request failed`,
-      hint: "Ensure the threshold network URL is valid.",
-      cause: e instanceof Error ? e : void 0,
+      code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
+      message: `mockZkVerifySign calcCtHashes failed while calling zkVerifyCalcCtHashesPacked`,
+      cause: err instanceof Error ? err : void 0,
       context: {
-        thresholdNetworkUrl,
-        body
+        address: MOCKS_ZK_VERIFIER_ADDRESS,
+        items,
+        account,
+        securityZone,
+        publicClient,
+        calcCtHashesArgs
       }
     });
   }
-  if (sealed == null) {
+  if (ctHashes.length !== items.length) {
     throw new CofhesdkError({
-      code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
-      message: `sealOutput request returned no data | Caused by: ${errorMessage}`,
+      code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
+      message: `mockZkVerifySign calcCtHashes returned incorrect number of ctHashes`,
       context: {
-        thresholdNetworkUrl,
-        body,
-        sealOutputResult
+        items,
+        account,
+        securityZone,
+        publicClient,
+        calcCtHashesArgs,
+        ctHashes
       }
     });
   }
-  return sealed;
+  return items.map((item, index) => ({
+    ...item,
+    ctHash: ctHashes[index]
+  }));
 }
-
-// core/decrypt/decryptHandleBuilder.ts
-var DecryptHandlesBuilder = class extends BaseBuilder {
-  ctHash;
-  utype;
-  permitHash;
-  permit;
-  constructor(params) {
-    super({
-      config: params.config,
-      publicClient: params.publicClient,
-      walletClient: params.walletClient,
-      chainId: params.chainId,
-      account: params.account,
-      requireConnected: params.requireConnected
+async function insertCtHashes(items, walletClient) {
+  const insertPackedCtHashesArgs = [items.map(({ ctHash }) => ctHash), items.map(({ data }) => BigInt(data))];
+  try {
+    const account = walletClient.account;
+    await walletClient.writeContract({
+      address: MOCKS_ZK_VERIFIER_ADDRESS,
+      abi: MockZkVerifierAbi,
+      functionName: "insertPackedCtHashes",
+      args: insertPackedCtHashesArgs,
+      chain: hardhat,
+      account
+    });
+  } catch (err) {
+    throw new CofhesdkError({
+      code: "ZK_MOCKS_INSERT_CT_HASHES_FAILED" /* ZkMocksInsertCtHashesFailed */,
+      message: `mockZkVerifySign insertPackedCtHashes failed while calling insertPackedCtHashes`,
+      cause: err instanceof Error ? err : void 0,
+      context: {
+        items,
+        walletClient,
+        insertPackedCtHashesArgs
+      }
     });
-    this.ctHash = params.ctHash;
-    this.utype = params.utype;
-    this.permitHash = params.permitHash;
-    this.permit = params.permit;
-  }
-  /**
-   * @param chainId - Chain to decrypt values from. Used to fetch the threshold network URL and use the correct permit.
-   *
-   * If not provided, the chainId will be fetched from the connected publicClient.
-   *
-   * Example:
-   * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
-   *   .setChainId(11155111)
-   *   .decrypt();
-   * ```
-   *
-   * @returns The chainable DecryptHandlesBuilder instance.
-   */
-  setChainId(chainId) {
-    this.chainId = chainId;
-    return this;
   }
-  getChainId() {
-    return this.chainId;
+}
+async function createProofSignatures(items, securityZone) {
+  let signatures = [];
+  let encInputSignerClient;
+  try {
+    encInputSignerClient = createMockZkVerifierSigner();
+  } catch (err) {
+    throw new CofhesdkError({
+      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
+      message: `mockZkVerifySign createProofSignatures failed while creating wallet client`,
+      cause: err instanceof Error ? err : void 0,
+      context: {
+        MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY
+      }
+    });
   }
-  /**
-   * @param account - Account to decrypt values from. Used to fetch the correct permit.
-   *
-   * If not provided, the account will be fetched from the connected walletClient.
-   *
-   * Example:
-   * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
-   *   .setAccount('0x1234567890123456789012345678901234567890')
-   *   .decrypt();
-   * ```
-   *
-   * @returns The chainable DecryptHandlesBuilder instance.
-   */
-  setAccount(account) {
-    this.account = account;
-    return this;
-  }
-  getAccount() {
-    return this.account;
-  }
-  /**
-   * @param permitHash - Permit hash to decrypt values from. Used to fetch the correct permit.
-   *
-   * If not provided, the active permit for the chainId and account will be used.
-   * If `setPermit()` is called, it will be used regardless of chainId, account, or permitHash.
-   *
-   * Example:
-   * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
-   *   .setPermitHash('0x1234567890123456789012345678901234567890')
-   *   .decrypt();
-   * ```
-   *
-   * @returns The chainable DecryptHandlesBuilder instance.
-   */
-  setPermitHash(permitHash) {
-    this.permitHash = permitHash;
-    return this;
-  }
-  getPermitHash() {
-    return this.permitHash;
-  }
-  /**
-   * @param permit - Permit to decrypt values with. If provided, it will be used regardless of chainId, account, or permitHash.
-   *
-   * If not provided, the permit will be determined by chainId, account, and permitHash.
-   *
-   * Example:
-   * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
-   *   .setPermit(permit)
-   *   .decrypt();
-   * ```
-   *
-   * @returns The chainable DecryptHandlesBuilder instance.
-   */
-  setPermit(permit) {
-    this.permit = permit;
-    return this;
-  }
-  getPermit() {
-    return this.permit;
-  }
-  getThresholdNetworkUrl(chainId) {
-    const config = this.getConfigOrThrow();
-    return getThresholdNetworkUrlOrThrow(config, chainId);
-  }
-  validateUtypeOrThrow() {
-    if (!isValidUtype(this.utype))
-      throw new CofhesdkError({
-        code: "INVALID_UTYPE" /* InvalidUtype */,
-        message: `Invalid utype to decrypt to`,
-        context: {
-          utype: this.utype
-        }
-      });
-  }
-  async getResolvedPermit() {
-    if (this.permit)
-      return this.permit;
-    const chainId = await this.getChainIdOrThrow();
-    const account = await this.getAccountOrThrow();
-    if (this.permitHash) {
-      const permit2 = await permits.getPermit(chainId, account, this.permitHash);
-      if (!permit2) {
-        throw new CofhesdkError({
-          code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
-          message: `Permit with hash <${this.permitHash}> not found for account <${account}> and chainId <${chainId}>`,
-          hint: "Ensure the permit exists and is valid.",
-          context: {
-            chainId,
-            account,
-            permitHash: this.permitHash
-          }
-        });
-      }
-      return permit2;
-    }
-    const permit = await permits.getActivePermit(chainId, account);
-    if (!permit) {
-      throw new CofhesdkError({
-        code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
-        message: `Active permit not found for chainId <${chainId}> and account <${account}>`,
-        hint: "Ensure a permit exists for this account on this chain.",
-        context: {
-          chainId,
-          account
-        }
+  try {
+    for (const item of items) {
+      const packedData = encodePacked(["uint256", "int32", "uint8"], [BigInt(item.data), securityZone, item.utype]);
+      const messageHash = keccak256(packedData);
+      const ethSignedHash = hashMessage({ raw: toBytes(messageHash) });
+      const signature = await encInputSignerClient.signMessage({
+        message: { raw: toBytes(ethSignedHash) },
+        account: encInputSignerClient.account
       });
+      signatures.push(signature);
     }
-    return permit;
-  }
-  /**
-   * On hardhat, interact with MockZkVerifier contract instead of CoFHE
-   */
-  async mocksSealOutput(permit) {
-    const config = this.getConfigOrThrow();
-    const mocksSealOutputDelay = config.mocks.sealOutputDelay;
-    return cofheMocksSealOutput(this.ctHash, this.utype, permit, this.getPublicClientOrThrow(), mocksSealOutputDelay);
-  }
-  /**
-   * In the production context, perform a true decryption with the CoFHE coprocessor.
-   */
-  async productionSealOutput(chainId, permit) {
-    const thresholdNetworkUrl = this.getThresholdNetworkUrl(chainId);
-    const permission = PermitUtils.getPermission(permit, true);
-    const sealed = await tnSealOutput(this.ctHash, chainId, permission, thresholdNetworkUrl);
-    return PermitUtils.unseal(permit, sealed);
-  }
-  /**
-   * Final step of the decryption process. MUST BE CALLED LAST IN THE CHAIN.
-   *
-   * This will:
-   * - Use a permit based on provided permit OR chainId + account + permitHash
-   * - Check permit validity
-   * - Call CoFHE `/sealoutput` with the permit, which returns a sealed (encrypted) item
-   * - Unseal the sealed item with the permit
-   * - Return the unsealed item
-   *
-   * Example:
-   * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
-   *   .setChainId(11155111)      // optional
-   *   .setAccount('0x123...890') // optional
-   *   .decrypt();                // execute
-   * ```
-   *
-   * @returns The unsealed item.
-   */
-  decrypt() {
-    return resultWrapper(async () => {
-      await this.requireConnectedOrThrow();
-      this.validateUtypeOrThrow();
-      const permit = await this.getResolvedPermit();
-      await PermitUtils.validate(permit);
-      const chainId = permit._signedDomain.chainId;
-      let unsealed;
-      if (chainId === hardhat.id) {
-        unsealed = await this.mocksSealOutput(permit);
-      } else {
-        unsealed = await this.productionSealOutput(chainId, permit);
+  } catch (err) {
+    throw new CofhesdkError({
+      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
+      message: `mockZkVerifySign createProofSignatures failed while calling signMessage`,
+      cause: err instanceof Error ? err : void 0,
+      context: {
+        items,
+        securityZone
       }
-      return convertViaUtype(this.utype, unsealed);
     });
   }
-};
-
-// core/encrypt/zkPackProveVerify.ts
-var MAX_UINT8 = 255n;
-var MAX_UINT16 = 65535n;
-var MAX_UINT32 = 4294967295n;
-var MAX_UINT64 = 18446744073709551615n;
-var MAX_UINT128 = 340282366920938463463374607431768211455n;
-var MAX_UINT160 = 1461501637330902918203684832716283019655932542975n;
-var MAX_ENCRYPTABLE_BITS = 2048;
-var zkPack = (items, builder) => {
-  let totalBits = 0;
-  for (const item of items) {
-    switch (item.utype) {
-      case 0 /* Bool */: {
-        builder.push_boolean(item.data);
-        totalBits += 1;
-        break;
-      }
-      case 2 /* Uint8 */: {
-        const bint = toBigIntOrThrow(item.data);
-        validateBigIntInRange(bint, MAX_UINT8);
-        builder.push_u8(parseInt(bint.toString()));
-        totalBits += 8;
-        break;
-      }
-      case 3 /* Uint16 */: {
-        const bint = toBigIntOrThrow(item.data);
-        validateBigIntInRange(bint, MAX_UINT16);
-        builder.push_u16(parseInt(bint.toString()));
-        totalBits += 16;
-        break;
-      }
-      case 4 /* Uint32 */: {
-        const bint = toBigIntOrThrow(item.data);
-        validateBigIntInRange(bint, MAX_UINT32);
-        builder.push_u32(parseInt(bint.toString()));
-        totalBits += 32;
-        break;
-      }
-      case 5 /* Uint64 */: {
-        const bint = toBigIntOrThrow(item.data);
-        validateBigIntInRange(bint, MAX_UINT64);
-        builder.push_u64(bint);
-        totalBits += 64;
-        break;
-      }
-      case 6 /* Uint128 */: {
-        const bint = toBigIntOrThrow(item.data);
-        validateBigIntInRange(bint, MAX_UINT128);
-        builder.push_u128(bint);
-        totalBits += 128;
-        break;
-      }
-      case 7 /* Uint160 */: {
-        const bint = toBigIntOrThrow(item.data);
-        validateBigIntInRange(bint, MAX_UINT160);
-        builder.push_u160(bint);
-        totalBits += 160;
-        break;
-      }
-      default: {
-        throw new CofhesdkError({
-          code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-          message: `Invalid utype: ${item.utype}`,
-          hint: `Ensure that the utype is valid, using the Encryptable type, for example: Encryptable.uint128(100n)`,
-          context: {
-            item
-          }
-        });
-      }
-    }
-  }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  if (signatures.length !== items.length) {
     throw new CofhesdkError({
-      code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
+      message: `mockZkVerifySign createProofSignatures returned incorrect number of signatures`,
       context: {
-        totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
-        items
+        items,
+        securityZone
       }
     });
   }
-  return builder;
-};
-var zkProve = async (builder, crs, address, securityZone, chainId) => {
-  const metadata = constructZkPoKMetadata(address, securityZone, chainId);
-  return new Promise((resolve) => {
-    setTimeout(() => {
-      const compactList = builder.build_with_proof_packed(
-        crs,
-        metadata,
-        1
-        // ZkComputeLoad.Verify
-      );
-      resolve(compactList.serialize());
-    }, 0);
-  });
-};
-var constructZkPoKMetadata = (accountAddr, securityZone, chainId) => {
-  const accountAddrNoPrefix = accountAddr.startsWith("0x") ? accountAddr.slice(2) : accountAddr;
-  const accountBytes = hexToBytes(accountAddrNoPrefix);
-  const chainIdBytes = new Uint8Array(32);
-  let value = chainId;
-  for (let i = 31; i >= 0 && value > 0; i--) {
-    chainIdBytes[i] = value & 255;
-    value = value >>> 8;
-  }
-  const metadata = new Uint8Array(1 + accountBytes.length + 32);
-  metadata[0] = securityZone;
-  metadata.set(accountBytes, 1);
-  metadata.set(chainIdBytes, 1 + accountBytes.length);
-  return metadata;
-};
-var zkVerify = async (verifierUrl, serializedBytes, address, securityZone, chainId) => {
-  const packed_list = toHexString(serializedBytes);
-  const sz_byte = new Uint8Array([securityZone]);
-  const payload = {
-    packed_list,
-    account_addr: address,
-    security_zone: sz_byte[0],
-    chain_id: chainId
+  return signatures;
+}
+async function cofheMocksZkVerifySign(items, account, securityZone, publicClient, walletClient, zkvWalletClient) {
+  const _walletClient = zkvWalletClient ?? createMockZkVerifierSigner();
+  const encryptableItems = await calcCtHashes(items, account, securityZone, publicClient);
+  await insertCtHashes(encryptableItems, _walletClient);
+  const signatures = await createProofSignatures(encryptableItems, securityZone);
+  return encryptableItems.map((item, index) => ({
+    ct_hash: item.ctHash.toString(),
+    signature: signatures[index]
+  }));
+}
+var CofhesdkConfigSchema = z.object({
+  /** Environment that the SDK is running in */
+  environment: z.enum(["node", "hardhat", "web", "react"]).optional().default("node"),
+  /** List of supported chain configurations */
+  supportedChains: z.array(z.custom()),
+  /** How permits are generated */
+  permitGeneration: z.enum(["ON_CONNECT", "ON_DECRYPT_HANDLES", "MANUAL"]).optional().default("ON_CONNECT"),
+  /** Default permit expiration in seconds, default is 30 days */
+  defaultPermitExpiration: z.number().optional().default(60 * 60 * 24 * 30),
+  /** Storage method for fhe keys (defaults to indexedDB on web, filesystem on node) */
+  fheKeyStorage: z.object({
+    getItem: z.custom((val) => typeof val === "function", {
+      message: "getItem must be a function"
+    }),
+    setItem: z.custom((val) => typeof val === "function", {
+      message: "setItem must be a function"
+    }),
+    removeItem: z.custom((val) => typeof val === "function", {
+      message: "removeItem must be a function"
+    })
+  }).or(z.null()).default(null),
+  /** Whether to use Web Workers for ZK proof generation (web platform only) */
+  useWorkers: z.boolean().optional().default(true),
+  /** Mocks configs */
+  mocks: z.object({
+    sealOutputDelay: z.number().optional().default(0)
+  }).optional().default({ sealOutputDelay: 0 }),
+  /** Internal configuration */
+  _internal: z.object({
+    zkvWalletClient: z.any().optional()
+  }).optional()
+});
+function createCofhesdkConfigBase(config) {
+  const result = CofhesdkConfigSchema.safeParse(config);
+  if (!result.success) {
+    throw new Error(`Invalid cofhesdk configuration: ${z.prettifyError(result.error)}`, { cause: result.error });
+  }
+  return result.data;
+}
+var getCofhesdkConfigItem = (config, key) => {
+  return config[key];
+};
+function getSupportedChainOrThrow(config, chainId) {
+  const supportedChain = config.supportedChains.find((chain) => chain.id === chainId);
+  if (!supportedChain) {
+    throw new CofhesdkError({
+      code: "UNSUPPORTED_CHAIN" /* UnsupportedChain */,
+      message: `Config does not support chain <${chainId}>`,
+      hint: "Ensure config passed to client has been created with this chain in the config.supportedChains array.",
+      context: {
+        chainId,
+        supportedChainIds: config.supportedChains.map((c) => c.id)
+      }
+    });
+  }
+  return supportedChain;
+}
+function getCoFheUrlOrThrow(config, chainId) {
+  const supportedChain = getSupportedChainOrThrow(config, chainId);
+  const url = supportedChain.coFheUrl;
+  if (!url) {
+    throw new CofhesdkError({
+      code: "MISSING_CONFIG" /* MissingConfig */,
+      message: `CoFHE URL is not configured for chain <${chainId}>`,
+      hint: "Ensure this chain config includes a coFheUrl property.",
+      context: { chainId }
+    });
+  }
+  return url;
+}
+function getZkVerifierUrlOrThrow(config, chainId) {
+  const supportedChain = getSupportedChainOrThrow(config, chainId);
+  const url = supportedChain.verifierUrl;
+  if (!url) {
+    throw new CofhesdkError({
+      code: "ZK_VERIFIER_URL_UNINITIALIZED" /* ZkVerifierUrlUninitialized */,
+      message: `ZK verifier URL is not configured for chain <${chainId}>`,
+      hint: "Ensure this chain config includes a verifierUrl property.",
+      context: { chainId }
+    });
+  }
+  return url;
+}
+function getThresholdNetworkUrlOrThrow(config, chainId) {
+  const supportedChain = getSupportedChainOrThrow(config, chainId);
+  const url = supportedChain.thresholdNetworkUrl;
+  if (!url) {
+    throw new CofhesdkError({
+      code: "THRESHOLD_NETWORK_URL_UNINITIALIZED" /* ThresholdNetworkUrlUninitialized */,
+      message: `Threshold network URL is not configured for chain <${chainId}>`,
+      hint: "Ensure this chain config includes a thresholdNetworkUrl property.",
+      context: { chainId }
+    });
+  }
+  return url;
+}
+function isValidPersistedState(state) {
+  if (state && typeof state === "object") {
+    if ("fhe" in state && "crs" in state) {
+      return true;
+    } else {
+      throw new Error(
+        "Invalid persisted state structure for KeysStore. Is object but doesn't contain required fields 'fhe' and 'crs'."
+      );
+    }
+  }
+  return false;
+}
+var DEFAULT_KEYS_STORE = {
+  fhe: {},
+  crs: {}
+};
+function isStoreWithPersist(store) {
+  return "persist" in store;
+}
+function createKeysStore(storage) {
+  const keysStore = storage ? createStoreWithPersit(storage) : createStore()(() => ({
+    fhe: {},
+    crs: {}
+  }));
+  const getFheKey = (chainId, securityZone = 0) => {
+    if (chainId == null || securityZone == null)
+      return void 0;
+    const stored = keysStore.getState().fhe[chainId]?.[securityZone];
+    return stored;
   };
-  const body = JSON.stringify(payload);
+  const getCrs = (chainId) => {
+    if (chainId == null)
+      return void 0;
+    const stored = keysStore.getState().crs[chainId];
+    return stored;
+  };
+  const setFheKey = (chainId, securityZone, key) => {
+    keysStore.setState(
+      produce((state) => {
+        if (state.fhe[chainId] == null)
+          state.fhe[chainId] = {};
+        state.fhe[chainId][securityZone] = key;
+      })
+    );
+  };
+  const setCrs = (chainId, crs) => {
+    keysStore.setState(
+      produce((state) => {
+        state.crs[chainId] = crs;
+      })
+    );
+  };
+  const clearKeysStorage = async () => {
+    if (storage) {
+      await storage.removeItem("cofhesdk-keys");
+    }
+  };
+  const rehydrateKeysStore = async () => {
+    if (!isStoreWithPersist(keysStore))
+      return;
+    if (keysStore.persist.hasHydrated())
+      return;
+    await keysStore.persist.rehydrate();
+  };
+  return {
+    store: keysStore,
+    getFheKey,
+    getCrs,
+    setFheKey,
+    setCrs,
+    clearKeysStorage,
+    rehydrateKeysStore
+  };
+}
+function createStoreWithPersit(storage) {
+  const result = createStore()(
+    persist(() => DEFAULT_KEYS_STORE, {
+      // because earleir tests were written with on-init hydration skipped (due to the error suppression in zustand), returning this flag to fix test (i.e. KeyStore > Storage Utilities > should rehydrate keys store)
+      skipHydration: true,
+      // if onRehydrateStorage is not passed here, the errors thrown by storage layer are swallowed by zustand here: https://github.com/pmndrs/zustand/blob/39a391b6c1ff9aa89b81694d9bdb21da37dd4ac6/src/middleware/persist.ts#L321
+      onRehydrateStorage: () => (_state, _error) => {
+        if (_error)
+          throw new Error(`onRehydrateStorage: Error rehydrating keys store: ${_error}`);
+      },
+      name: "cofhesdk-keys",
+      storage: createJSONStorage(() => storage),
+      merge: (persistedState, currentState) => {
+        const persisted = isValidPersistedState(persistedState) ? persistedState : DEFAULT_KEYS_STORE;
+        const current = currentState;
+        const mergedFhe = { ...persisted.fhe };
+        const allChainIds = /* @__PURE__ */ new Set([...Object.keys(current.fhe), ...Object.keys(persisted.fhe)]);
+        for (const chainId of allChainIds) {
+          const persistedZones = persisted.fhe[chainId] || {};
+          const currentZones = current.fhe[chainId] || {};
+          mergedFhe[chainId] = { ...persistedZones, ...currentZones };
+        }
+        const mergedCrs = { ...persisted.crs, ...current.crs };
+        return {
+          fhe: mergedFhe,
+          crs: mergedCrs
+        };
+      }
+    })
+  );
+  return result;
+}
+
+// core/fetchKeys.ts
+var PUBLIC_KEY_LENGTH_MIN = 15e3;
+var checkKeyValidity = (key, serializer) => {
+  if (key == null || key.length === 0)
+    return [false, `Key is null or empty <${key}>`];
   try {
-    const response = await fetch(`${verifierUrl}/verify`, {
+    serializer(key);
+    return [true, `Key is valid`];
+  } catch (err) {
+    return [false, `Serialization failed <${err}> key length <${key.length}>`];
+  }
+};
+var fetchFhePublicKey = async (coFheUrl, chainId, securityZone, tfhePublicKeyDeserializer, keysStorage) => {
+  const storedKey = keysStorage?.getFheKey(chainId, securityZone);
+  const [storedKeyValid] = checkKeyValidity(storedKey, tfhePublicKeyDeserializer);
+  if (storedKeyValid)
+    return [storedKey, false];
+  let pk_data = void 0;
+  try {
+    const pk_res = await fetch(`${coFheUrl}/GetNetworkPublicKey`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json"
       },
-      body
-    });
-    if (!response.ok) {
-      const errorBody = await response.text();
-      throw new CofhesdkError({
-        code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
-        message: `HTTP error! ZK proof verification failed - ${errorBody}`
-      });
-    }
-    const json = await response.json();
-    if (json.status !== "success") {
-      throw new CofhesdkError({
-        code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
-        message: `ZK proof verification response malformed - ${json.error}`
-      });
-    }
-    return json.data.map(({ ct_hash, signature, recid }) => {
-      return {
-        ct_hash,
-        signature: concatSigRecid(signature, recid)
-      };
-    });
-  } catch (e) {
-    throw new CofhesdkError({
-      code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
-      message: `ZK proof verification failed`,
-      cause: e instanceof Error ? e : void 0
+      body: JSON.stringify({ securityZone })
     });
+    const json = await pk_res.json();
+    pk_data = json.publicKey;
+  } catch (err) {
+    throw new Error(`Error fetching FHE publicKey; fetching from CoFHE failed with error ${err}`);
   }
+  if (pk_data == null || typeof pk_data !== "string") {
+    throw new Error(`Error fetching FHE publicKey; fetched result invalid: missing or not a string`);
+  }
+  if (pk_data === "0x") {
+    throw new Error("Error fetching FHE publicKey; provided chain is not FHE enabled / not found");
+  }
+  if (pk_data.length < PUBLIC_KEY_LENGTH_MIN) {
+    throw new Error(
+      `Error fetching FHE publicKey; got shorter than expected key length: ${pk_data.length}. Expected length >= ${PUBLIC_KEY_LENGTH_MIN}`
+    );
+  }
+  try {
+    tfhePublicKeyDeserializer(pk_data);
+  } catch (err) {
+    throw new Error(`Error serializing FHE publicKey; ${err}`);
+  }
+  keysStorage?.setFheKey(chainId, securityZone, pk_data);
+  return [pk_data, true];
 };
-var concatSigRecid = (signature, recid) => {
-  return signature + (recid + 27).toString(16).padStart(2, "0");
-};
-
-// core/encrypt/MockZkVerifierAbi.ts
-var MockZkVerifierAbi = [
-  {
-    type: "function",
-    name: "exists",
-    inputs: [],
-    outputs: [{ name: "", type: "bool", internalType: "bool" }],
-    stateMutability: "pure"
-  },
-  {
-    type: "function",
-    name: "insertCtHash",
-    inputs: [
-      { name: "ctHash", type: "uint256", internalType: "uint256" },
-      { name: "value", type: "uint256", internalType: "uint256" }
-    ],
-    outputs: [],
-    stateMutability: "nonpayable"
-  },
-  {
-    type: "function",
-    name: "insertPackedCtHashes",
-    inputs: [
-      { name: "ctHashes", type: "uint256[]", internalType: "uint256[]" },
-      { name: "values", type: "uint256[]", internalType: "uint256[]" }
-    ],
-    outputs: [],
-    stateMutability: "nonpayable"
-  },
-  {
-    type: "function",
-    name: "zkVerify",
-    inputs: [
-      { name: "value", type: "uint256", internalType: "uint256" },
-      { name: "utype", type: "uint8", internalType: "uint8" },
-      { name: "user", type: "address", internalType: "address" },
-      { name: "securityZone", type: "uint8", internalType: "uint8" },
-      { name: "", type: "uint256", internalType: "uint256" }
-    ],
-    outputs: [
-      {
-        name: "",
-        type: "tuple",
-        internalType: "struct EncryptedInput",
-        components: [
-          { name: "ctHash", type: "uint256", internalType: "uint256" },
-          { name: "securityZone", type: "uint8", internalType: "uint8" },
-          { name: "utype", type: "uint8", internalType: "uint8" },
-          { name: "signature", type: "bytes", internalType: "bytes" }
-        ]
-      }
-    ],
-    stateMutability: "nonpayable"
-  },
-  {
-    type: "function",
-    name: "zkVerifyCalcCtHash",
-    inputs: [
-      { name: "value", type: "uint256", internalType: "uint256" },
-      { name: "utype", type: "uint8", internalType: "uint8" },
-      { name: "user", type: "address", internalType: "address" },
-      { name: "securityZone", type: "uint8", internalType: "uint8" },
-      { name: "", type: "uint256", internalType: "uint256" }
-    ],
-    outputs: [{ name: "ctHash", type: "uint256", internalType: "uint256" }],
-    stateMutability: "view"
-  },
-  {
-    type: "function",
-    name: "zkVerifyCalcCtHashesPacked",
-    inputs: [
-      { name: "values", type: "uint256[]", internalType: "uint256[]" },
-      { name: "utypes", type: "uint8[]", internalType: "uint8[]" },
-      { name: "user", type: "address", internalType: "address" },
-      { name: "securityZone", type: "uint8", internalType: "uint8" },
-      { name: "chainId", type: "uint256", internalType: "uint256" }
-    ],
-    outputs: [{ name: "ctHashes", type: "uint256[]", internalType: "uint256[]" }],
-    stateMutability: "view"
-  },
-  {
-    type: "function",
-    name: "zkVerifyPacked",
-    inputs: [
-      { name: "values", type: "uint256[]", internalType: "uint256[]" },
-      { name: "utypes", type: "uint8[]", internalType: "uint8[]" },
-      { name: "user", type: "address", internalType: "address" },
-      { name: "securityZone", type: "uint8", internalType: "uint8" },
-      { name: "chainId", type: "uint256", internalType: "uint256" }
-    ],
-    outputs: [
-      {
-        name: "inputs",
-        type: "tuple[]",
-        internalType: "struct EncryptedInput[]",
-        components: [
-          { name: "ctHash", type: "uint256", internalType: "uint256" },
-          { name: "securityZone", type: "uint8", internalType: "uint8" },
-          { name: "utype", type: "uint8", internalType: "uint8" },
-          { name: "signature", type: "bytes", internalType: "bytes" }
-        ]
-      }
-    ],
-    stateMutability: "nonpayable"
-  },
-  { type: "error", name: "InvalidInputs", inputs: [] }
-];
-var MocksZkVerifierAddress = "0x0000000000000000000000000000000000000100";
-var MocksEncryptedInputSignerPkey = "0x6c8d7f768a6bb4aafe85e8a2f5a9680355239c7e14646ed62b044e39de154512";
-async function cofheMocksCheckEncryptableBits(items) {
-  let totalBits = 0;
-  for (const item of items) {
-    switch (item.utype) {
-      case 0 /* Bool */: {
-        totalBits += 1;
-        break;
-      }
-      case 2 /* Uint8 */: {
-        totalBits += 8;
-        break;
-      }
-      case 3 /* Uint16 */: {
-        totalBits += 16;
-        break;
-      }
-      case 4 /* Uint32 */: {
-        totalBits += 32;
-        break;
-      }
-      case 5 /* Uint64 */: {
-        totalBits += 64;
-        break;
-      }
-      case 6 /* Uint128 */: {
-        totalBits += 128;
-        break;
-      }
-      case 7 /* Uint160 */: {
-        totalBits += 160;
-        break;
-      }
+var fetchCrs = async (coFheUrl, chainId, securityZone, compactPkeCrsDeserializer, keysStorage) => {
+  const storedKey = keysStorage?.getCrs(chainId);
+  const [storedKeyValid] = checkKeyValidity(storedKey, compactPkeCrsDeserializer);
+  if (storedKeyValid)
+    return [storedKey, false];
+  let crs_data = void 0;
+  try {
+    const crs_res = await fetch(`${coFheUrl}/GetCrs`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ securityZone })
+    });
+    const json = await crs_res.json();
+    crs_data = json.crs;
+  } catch (err) {
+    throw new Error(`Error fetching CRS; fetching failed with error ${err}`);
+  }
+  if (crs_data == null || typeof crs_data !== "string") {
+    throw new Error(`Error fetching CRS; invalid: missing or not a string`);
+  }
+  try {
+    compactPkeCrsDeserializer(crs_data);
+  } catch (err) {
+    console.error(`Error serializing CRS ${err}`);
+    throw new Error(`Error serializing CRS; ${err}`);
+  }
+  keysStorage?.setCrs(chainId, crs_data);
+  return [crs_data, true];
+};
+var fetchKeys = async (config, chainId, securityZone = 0, tfhePublicKeyDeserializer, compactPkeCrsDeserializer, keysStorage) => {
+  const coFheUrl = getCoFheUrlOrThrow(config, chainId);
+  return await Promise.all([
+    fetchFhePublicKey(coFheUrl, chainId, securityZone, tfhePublicKeyDeserializer, keysStorage),
+    fetchCrs(coFheUrl, chainId, securityZone, compactPkeCrsDeserializer, keysStorage)
+  ]);
+};
+var BaseBuilder = class {
+  config;
+  publicClient;
+  walletClient;
+  chainId;
+  account;
+  constructor(params) {
+    if (!params.config) {
+      throw new CofhesdkError({
+        code: "MISSING_CONFIG" /* MissingConfig */,
+        message: "Builder config is undefined",
+        hint: "Ensure client has been created with a config.",
+        context: {
+          config: params.config
+        }
+      });
     }
+    this.config = params.config;
+    this.publicClient = params.publicClient;
+    this.walletClient = params.walletClient;
+    this.chainId = params.chainId;
+    this.account = params.account;
+    params.requireConnected?.();
   }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  /**
+   * Asserts that this.chainId is populated
+   * @throws {CofhesdkError} If chainId is not set
+   */
+  assertChainId() {
+    if (this.chainId)
+      return;
     throw new CofhesdkError({
-      code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      code: "CHAIN_ID_UNINITIALIZED" /* ChainIdUninitialized */,
+      message: "Chain ID is not set",
+      hint: "Ensure client.connect() has been called and awaited, or use setChainId(...) to set the chainId explicitly.",
       context: {
-        totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
-        items
+        chainId: this.chainId
       }
     });
   }
-}
-async function calcCtHashes(items, account, securityZone, publicClient) {
-  const calcCtHashesArgs = [
-    items.map(({ data }) => BigInt(data)),
-    items.map(({ utype }) => utype),
-    account,
-    securityZone,
-    BigInt(hardhat$1.id)
-  ];
-  let ctHashes;
-  try {
-    ctHashes = await publicClient.readContract({
-      address: MocksZkVerifierAddress,
-      abi: MockZkVerifierAbi,
-      functionName: "zkVerifyCalcCtHashesPacked",
-      args: calcCtHashesArgs
+  /**
+   * Asserts that this.account is populated
+   * @throws {CofhesdkError} If account is not set
+   */
+  assertAccount() {
+    if (this.account)
+      return;
+    throw new CofhesdkError({
+      code: "ACCOUNT_UNINITIALIZED" /* AccountUninitialized */,
+      message: "Account is not set",
+      hint: "Ensure client.connect() has been called and awaited, or use setAccount(...) to set the account explicitly.",
+      context: {
+        account: this.account
+      }
     });
-  } catch (err) {
+  }
+  /**
+   * Asserts that this.publicClient is populated
+   * @throws {CofhesdkError} If publicClient is not set
+   */
+  assertPublicClient() {
+    if (this.publicClient)
+      return;
     throw new CofhesdkError({
-      code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
-      message: `mockZkVerifySign calcCtHashes failed while calling zkVerifyCalcCtHashesPacked`,
-      cause: err instanceof Error ? err : void 0,
+      code: "MISSING_PUBLIC_CLIENT" /* MissingPublicClient */,
+      message: "Public client not found",
+      hint: "Ensure client.connect() has been called with a publicClient.",
       context: {
-        address: MocksZkVerifierAddress,
-        items,
-        account,
-        securityZone,
-        publicClient,
-        calcCtHashesArgs
+        publicClient: this.publicClient
       }
     });
   }
-  if (ctHashes.length !== items.length) {
+  /**
+   * Asserts that this.walletClient is populated
+   * @throws {CofhesdkError} If walletClient is not set
+   */
+  assertWalletClient() {
+    if (this.walletClient)
+      return;
     throw new CofhesdkError({
-      code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
-      message: `mockZkVerifySign calcCtHashes returned incorrect number of ctHashes`,
+      code: "MISSING_WALLET_CLIENT" /* MissingWalletClient */,
+      message: "Wallet client not found",
+      hint: "Ensure client.connect() has been called with a walletClient.",
       context: {
-        items,
-        account,
-        securityZone,
-        publicClient,
-        calcCtHashesArgs,
-        ctHashes
+        walletClient: this.walletClient
       }
     });
   }
-  return items.map((item, index) => ({
-    ...item,
-    ctHash: ctHashes[index]
-  }));
-}
-async function insertCtHashes(items, walletClient) {
-  const insertPackedCtHashesArgs = [items.map(({ ctHash }) => ctHash), items.map(({ data }) => BigInt(data))];
-  try {
-    const account = walletClient.account;
-    await walletClient.writeContract({
-      address: MocksZkVerifierAddress,
-      abi: MockZkVerifierAbi,
-      functionName: "insertPackedCtHashes",
-      args: insertPackedCtHashesArgs,
-      chain: hardhat$1,
-      account
-    });
-  } catch (err) {
-    throw new CofhesdkError({
-      code: "ZK_MOCKS_INSERT_CT_HASHES_FAILED" /* ZkMocksInsertCtHashesFailed */,
-      message: `mockZkVerifySign insertPackedCtHashes failed while calling insertPackedCtHashes`,
-      cause: err instanceof Error ? err : void 0,
-      context: {
-        items,
-        walletClient,
-        insertPackedCtHashesArgs
-      }
-    });
-  }
-}
-async function createProofSignatures(items, securityZone) {
-  let signatures = [];
-  let encInputSignerClient;
-  try {
-    encInputSignerClient = createWalletClient({
-      chain: hardhat$1,
-      transport: http(),
-      account: privateKeyToAccount(MocksEncryptedInputSignerPkey)
-    });
-  } catch (err) {
-    throw new CofhesdkError({
-      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
-      message: `mockZkVerifySign createProofSignatures failed while creating wallet client`,
-      cause: err instanceof Error ? err : void 0,
-      context: {
-        MocksEncryptedInputSignerPkey
-      }
-    });
-  }
-  try {
-    for (const item of items) {
-      const packedData = encodePacked(["uint256", "int32", "uint8"], [BigInt(item.data), securityZone, item.utype]);
-      const messageHash = keccak256(packedData);
-      const ethSignedHash = hashMessage({ raw: toBytes(messageHash) });
-      const signature = await encInputSignerClient.signMessage({
-        message: { raw: toBytes(ethSignedHash) },
-        account: encInputSignerClient.account
-      });
-      signatures.push(signature);
-    }
-  } catch (err) {
-    throw new CofhesdkError({
-      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
-      message: `mockZkVerifySign createProofSignatures failed while calling signMessage`,
-      cause: err instanceof Error ? err : void 0,
-      context: {
-        items,
-        securityZone
-      }
-    });
-  }
-  if (signatures.length !== items.length) {
-    throw new CofhesdkError({
-      code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
-      message: `mockZkVerifySign createProofSignatures returned incorrect number of signatures`,
-      context: {
-        items,
-        securityZone
-      }
-    });
-  }
-  return signatures;
-}
-async function cofheMocksZkVerifySign(items, account, securityZone, publicClient, walletClient, zkvWalletClient) {
-  const _walletClient = zkvWalletClient ?? walletClient;
-  const encryptableItems = await calcCtHashes(items, account, securityZone, publicClient);
-  await insertCtHashes(encryptableItems, _walletClient);
-  const signatures = await createProofSignatures(encryptableItems, securityZone);
-  return encryptableItems.map((item, index) => ({
-    ct_hash: item.ctHash.toString(),
-    signature: signatures[index]
-  }));
-}
-function createKeysStore(storage) {
-  const keysStore = storage ? createStore()(
-    persist(
-      () => ({
-        fhe: {},
-        crs: {}
-      }),
-      {
-        name: "cofhesdk-keys",
-        storage: createJSONStorage(() => storage),
-        merge: (persistedState, currentState) => {
-          const persisted = persistedState;
-          const current = currentState;
-          const mergedFhe = { ...persisted.fhe };
-          const allChainIds = /* @__PURE__ */ new Set([...Object.keys(current.fhe), ...Object.keys(persisted.fhe)]);
-          for (const chainId of allChainIds) {
-            const persistedZones = persisted.fhe[chainId] || {};
-            const currentZones = current.fhe[chainId] || {};
-            mergedFhe[chainId] = { ...persistedZones, ...currentZones };
-          }
-          const mergedCrs = { ...persisted.crs, ...current.crs };
-          return {
-            fhe: mergedFhe,
-            crs: mergedCrs
-          };
-        }
-      }
-    )
-  ) : createStore()(() => ({
-    fhe: {},
-    crs: {}
-  }));
-  const getFheKey = (chainId, securityZone = 0) => {
-    if (chainId == null || securityZone == null)
-      return void 0;
-    const stored = keysStore.getState().fhe[chainId]?.[securityZone];
-    return stored;
-  };
-  const getCrs = (chainId) => {
-    if (chainId == null)
-      return void 0;
-    const stored = keysStore.getState().crs[chainId];
-    return stored;
-  };
-  const setFheKey = (chainId, securityZone, key) => {
-    keysStore.setState(
-      produce((state) => {
-        if (state.fhe[chainId] == null)
-          state.fhe[chainId] = {};
-        state.fhe[chainId][securityZone] = key;
-      })
-    );
-  };
-  const setCrs = (chainId, crs) => {
-    keysStore.setState(
-      produce((state) => {
-        state.crs[chainId] = crs;
-      })
-    );
-  };
-  const clearKeysStorage = async () => {
-    if (storage) {
-      await storage.removeItem("cofhesdk-keys");
-    }
-  };
-  const rehydrateKeysStore = async () => {
-    if ("persist" in keysStore) {
-      if (keysStore.persist.hasHydrated())
-        return;
-      await keysStore.persist.rehydrate();
-    }
-  };
-  return {
-    store: keysStore,
-    getFheKey,
-    getCrs,
-    setFheKey,
-    setCrs,
-    clearKeysStorage,
-    rehydrateKeysStore
-  };
-}
+};
 
 // core/encrypt/encryptInputsBuilder.ts
 var EncryptInputsBuilder = class extends BaseBuilder {
@@ -1429,7 +1217,10 @@ var EncryptInputsBuilder = class extends BaseBuilder {
   compactPkeCrsDeserializer;
   zkBuilderAndCrsGenerator;
   initTfhe;
+  zkProveWorkerFn;
   keysStorage;
+  // Worker configuration (from config, overrideable)
+  useWorker;
   stepTimestamps = {
     ["initTfhe" /* InitTfhe */]: 0,
     ["fetchKeys" /* FetchKeys */]: 0,
@@ -1449,11 +1240,43 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     this.inputItems = params.inputs;
     this.securityZone = params.securityZone ?? 0;
     this.zkvWalletClient = params.zkvWalletClient;
+    if (!params.tfhePublicKeyDeserializer) {
+      throw new CofhesdkError({
+        code: "MISSING_TFHE_PUBLIC_KEY_DESERIALIZER" /* MissingTfhePublicKeyDeserializer */,
+        message: "EncryptInputsBuilder tfhePublicKeyDeserializer is undefined",
+        hint: "Ensure client has been created with a tfhePublicKeyDeserializer.",
+        context: {
+          tfhePublicKeyDeserializer: params.tfhePublicKeyDeserializer
+        }
+      });
+    }
     this.tfhePublicKeyDeserializer = params.tfhePublicKeyDeserializer;
+    if (!params.compactPkeCrsDeserializer) {
+      throw new CofhesdkError({
+        code: "MISSING_COMPACT_PKE_CRS_DESERIALIZER" /* MissingCompactPkeCrsDeserializer */,
+        message: "EncryptInputsBuilder compactPkeCrsDeserializer is undefined",
+        hint: "Ensure client has been created with a compactPkeCrsDeserializer.",
+        context: {
+          compactPkeCrsDeserializer: params.compactPkeCrsDeserializer
+        }
+      });
+    }
     this.compactPkeCrsDeserializer = params.compactPkeCrsDeserializer;
+    if (!params.zkBuilderAndCrsGenerator) {
+      throw new CofhesdkError({
+        code: "MISSING_ZK_BUILDER_AND_CRS_GENERATOR" /* MissingZkBuilderAndCrsGenerator */,
+        message: "EncryptInputsBuilder zkBuilderAndCrsGenerator is undefined",
+        hint: "Ensure client has been created with a zkBuilderAndCrsGenerator.",
+        context: {
+          zkBuilderAndCrsGenerator: params.zkBuilderAndCrsGenerator
+        }
+      });
+    }
     this.zkBuilderAndCrsGenerator = params.zkBuilderAndCrsGenerator;
     this.initTfhe = params.initTfhe;
+    this.zkProveWorkerFn = params.zkProveWorkerFn;
     this.keysStorage = params.keysStorage;
+    this.useWorker = params.config?.useWorkers ?? true;
   }
   /**
    * @param account - Account that will create the tx using the encrypted inputs.
@@ -1518,6 +1341,40 @@ var EncryptInputsBuilder = class extends BaseBuilder {
   getSecurityZone() {
     return this.securityZone;
   }
+  /**
+   * @param useWorker - Whether to use Web Workers for ZK proof generation.
+   *
+   * Overrides the config-level useWorkers setting for this specific encryption.
+   *
+   * Example:
+   * ```typescript
+   * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
+   *   .setUseWorker(false)
+   *   .encrypt();
+   * ```
+   *
+   * @returns The chainable EncryptInputsBuilder instance.
+   */
+  setUseWorker(useWorker) {
+    this.useWorker = useWorker;
+    return this;
+  }
+  /**
+   * Gets the current worker configuration.
+   *
+   * @returns Whether Web Workers are enabled for this encryption.
+   *
+   * Example:
+   * ```typescript
+   * const builder = encryptInputs([Encryptable.uint128(10n)]);
+   * console.log(builder.getUseWorker()); // true (from config)
+   * builder.setUseWorker(false);
+   * console.log(builder.getUseWorker()); // false (overridden)
+   * ```
+   */
+  getUseWorker() {
+    return this.useWorker;
+  }
   /**
    * @param callback - Function to be called with the encryption step.
    *
@@ -1555,50 +1412,13 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     const duration = Date.now() - this.stepTimestamps[step];
     this.stepCallback(step, { ...context, isStart: false, isEnd: true, duration });
   }
-  /**
-   * tfhePublicKeyDeserializer is a platform-specific dependency injected into core/createCofhesdkClientBase by web/createCofhesdkClient and node/createCofhesdkClient
-   * web/ uses zama "tfhe"
-   * node/ uses zama "node-tfhe"
-   * Users should not set this manually.
-   */
-  getTfhePublicKeyDeserializerOrThrow() {
-    if (this.tfhePublicKeyDeserializer)
-      return this.tfhePublicKeyDeserializer;
-    throw new CofhesdkError({
-      code: "MISSING_TFHE_PUBLIC_KEY_DESERIALIZER" /* MissingTfhePublicKeyDeserializer */,
-      message: "EncryptInputsBuilder tfhePublicKeyDeserializer is undefined",
-      hint: "Ensure client has been created with a tfhePublicKeyDeserializer.",
-      context: {
-        tfhePublicKeyDeserializer: this.tfhePublicKeyDeserializer
-      }
-    });
-  }
-  /**
-   * compactPkeCrsDeserializer is a platform-specific dependency injected into core/createCofhesdkClientBase by web/createCofhesdkClient and node/createCofhesdkClient
-   * web/ uses zama "tfhe"
-   * node/ uses zama "node-tfhe"
-   * Users should not set this manually.
-   */
-  getCompactPkeCrsDeserializerOrThrow() {
-    if (this.compactPkeCrsDeserializer)
-      return this.compactPkeCrsDeserializer;
-    throw new CofhesdkError({
-      code: "MISSING_COMPACT_PKE_CRS_DESERIALIZER" /* MissingCompactPkeCrsDeserializer */,
-      message: "EncryptInputsBuilder compactPkeCrsDeserializer is undefined",
-      hint: "Ensure client has been created with a compactPkeCrsDeserializer.",
-      context: {
-        compactPkeCrsDeserializer: this.compactPkeCrsDeserializer
-      }
-    });
-  }
   /**
    * zkVerifierUrl is included in the chains exported from cofhesdk/chains for use in CofhesdkConfig.supportedChains
    * Users should generally not set this manually.
    */
   async getZkVerifierUrl() {
-    const config = this.getConfigOrThrow();
-    const chainId = await this.getChainIdOrThrow();
-    return getZkVerifierUrlOrThrow(config, chainId);
+    this.assertChainId();
+    return getZkVerifierUrlOrThrow(this.config, this.chainId);
   }
   /**
    * initTfhe is a platform-specific dependency injected into core/createCofhesdkClientBase by web/createCofhesdkClient and node/createCofhesdkClient
@@ -1626,10 +1446,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * If the key/crs already exists in the store it is returned, else it is fetched, stored, and returned
    */
   async fetchFheKeyAndCrs() {
-    const config = this.getConfigOrThrow();
-    const chainId = await this.getChainIdOrThrow();
-    const compactPkeCrsDeserializer = this.getCompactPkeCrsDeserializerOrThrow();
-    const tfhePublicKeyDeserializer = this.getTfhePublicKeyDeserializerOrThrow();
+    this.assertChainId();
     const securityZone = this.getSecurityZone();
     try {
       await this.keysStorage?.rehydrateKeysStore();
@@ -1648,11 +1465,11 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     let crsFetchedFromCoFHE = false;
     try {
       [[fheKey, fheKeyFetchedFromCoFHE], [crs, crsFetchedFromCoFHE]] = await fetchKeys(
-        config,
-        chainId,
+        this.config,
+        this.chainId,
         securityZone,
-        tfhePublicKeyDeserializer,
-        compactPkeCrsDeserializer,
+        this.tfhePublicKeyDeserializer,
+        this.compactPkeCrsDeserializer,
         this.keysStorage
       );
     } catch (error) {
@@ -1660,11 +1477,11 @@ var EncryptInputsBuilder = class extends BaseBuilder {
         code: "FETCH_KEYS_FAILED" /* FetchKeysFailed */,
         message: `Failed to fetch FHE key and CRS`,
         context: {
-          config,
-          chainId,
+          config: this.config,
+          chainId: this.chainId,
           securityZone,
-          compactPkeCrsDeserializer,
-          tfhePublicKeyDeserializer
+          compactPkeCrsDeserializer: this.compactPkeCrsDeserializer,
+          tfhePublicKeyDeserializer: this.tfhePublicKeyDeserializer
         }
       });
     }
@@ -1673,7 +1490,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
         code: "MISSING_FHE_KEY" /* MissingFheKey */,
         message: `FHE key not found`,
         context: {
-          chainId,
+          chainId: this.chainId,
           securityZone
         }
       });
@@ -1683,34 +1500,12 @@ var EncryptInputsBuilder = class extends BaseBuilder {
         code: "MISSING_CRS" /* MissingCrs */,
         message: `CRS not found for chainId <${this.chainId}>`,
         context: {
-          chainId
+          chainId: this.chainId
         }
       });
     }
     return { fheKey, fheKeyFetchedFromCoFHE, crs, crsFetchedFromCoFHE };
   }
-  /**
-   * zkBuilderAndCrsGenerator is a platform-specific dependency injected into core/createCofhesdkClientBase by web/createCofhesdkClient and node/createCofhesdkClient
-   * web/ uses zama "tfhe"
-   * node/ uses zama "node-tfhe"
-   * Users should not set this manually.
-   *
-   * Generates the zkBuilder and zkCrs from the fheKey and crs
-   */
-  generateZkBuilderAndCrs(fheKey, crs) {
-    const zkBuilderAndCrsGenerator = this.zkBuilderAndCrsGenerator;
-    if (!zkBuilderAndCrsGenerator) {
-      throw new CofhesdkError({
-        code: "MISSING_ZK_BUILDER_AND_CRS_GENERATOR" /* MissingZkBuilderAndCrsGenerator */,
-        message: `zkBuilderAndCrsGenerator is undefined`,
-        hint: "Ensure client has been created with a zkBuilderAndCrsGenerator.",
-        context: {
-          zkBuilderAndCrsGenerator: this.zkBuilderAndCrsGenerator
-        }
-      });
-    }
-    return zkBuilderAndCrsGenerator(fheKey, crs);
-  }
   /**
    * @dev Encrypt against the cofheMocks instead of CoFHE
    *
@@ -1718,7 +1513,10 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * cofheMocksInsertPackedHashes - stores the ctHashes and their plaintext values for on-chain mocking of FHE operations.
    * cofheMocksZkCreateProofSignatures - creates signatures to be included in the encrypted inputs. The signers address is known and verified in the mock contracts.
    */
-  async mocksEncrypt(account) {
+  async mocksEncrypt() {
+    this.assertAccount();
+    this.assertPublicClient();
+    this.assertWalletClient();
     this.fireStepStart("initTfhe" /* InitTfhe */);
     await sleep(100);
     this.fireStepEnd("initTfhe" /* InitTfhe */, { tfheInitializationExecuted: false });
@@ -1736,10 +1534,10 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     await sleep(500);
     const signedResults = await cofheMocksZkVerifySign(
       this.inputItems,
-      account,
+      this.account,
       this.securityZone,
-      this.getPublicClientOrThrow(),
-      this.getWalletClientOrThrow(),
+      this.publicClient,
+      this.walletClient,
       this.zkvWalletClient
     );
     const encryptedInputs = signedResults.map(({ ct_hash, signature }, index) => ({
@@ -1754,23 +1552,44 @@ var EncryptInputsBuilder = class extends BaseBuilder {
   /**
    * In the production context, perform a true encryption with the CoFHE coprocessor.
    */
-  async productionEncrypt(account, chainId) {
+  async productionEncrypt() {
+    this.assertAccount();
+    this.assertChainId();
     this.fireStepStart("initTfhe" /* InitTfhe */);
     const tfheInitializationExecuted = await this.initTfheOrThrow();
     this.fireStepEnd("initTfhe" /* InitTfhe */, { tfheInitializationExecuted });
     this.fireStepStart("fetchKeys" /* FetchKeys */);
     const { fheKey, fheKeyFetchedFromCoFHE, crs, crsFetchedFromCoFHE } = await this.fetchFheKeyAndCrs();
-    let { zkBuilder, zkCrs } = this.generateZkBuilderAndCrs(fheKey, crs);
+    let { zkBuilder, zkCrs } = this.zkBuilderAndCrsGenerator(fheKey, crs);
     this.fireStepEnd("fetchKeys" /* FetchKeys */, { fheKeyFetchedFromCoFHE, crsFetchedFromCoFHE });
     this.fireStepStart("pack" /* Pack */);
     zkBuilder = zkPack(this.inputItems, zkBuilder);
     this.fireStepEnd("pack" /* Pack */);
     this.fireStepStart("prove" /* Prove */);
-    const proof = await zkProve(zkBuilder, zkCrs, account, this.securityZone, chainId);
-    this.fireStepEnd("prove" /* Prove */);
+    const metadata = constructZkPoKMetadata(this.account, this.securityZone, this.chainId);
+    let proof = null;
+    let usedWorker = false;
+    let workerFailedError;
+    if (this.useWorker && this.zkProveWorkerFn) {
+      try {
+        proof = await zkProveWithWorker(this.zkProveWorkerFn, fheKey, crs, this.inputItems, metadata);
+        usedWorker = true;
+      } catch (error) {
+        workerFailedError = error instanceof Error ? error.message : String(error);
+      }
+    }
+    if (proof == null) {
+      proof = await zkProve(zkBuilder, zkCrs, metadata);
+      usedWorker = false;
+    }
+    this.fireStepEnd("prove" /* Prove */, {
+      useWorker: this.useWorker,
+      usedWorker,
+      workerFailedError
+    });
     this.fireStepStart("verify" /* Verify */);
     const zkVerifierUrl = await this.getZkVerifierUrl();
-    const verifyResults = await zkVerify(zkVerifierUrl, proof, account, this.securityZone, chainId);
+    const verifyResults = await zkVerify(zkVerifierUrl, proof, this.account, this.securityZone, this.chainId);
     const encryptedInputs = verifyResults.map(
       ({ ct_hash, signature }, index) => ({
         ctHash: BigInt(ct_hash),
@@ -1802,307 +1621,722 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * @returns The encrypted inputs.
    */
   async encrypt() {
-    return resultWrapper(async () => {
-      await this.requireConnectedOrThrow();
-      const account = await this.getAccountOrThrow();
-      const chainId = await this.getChainIdOrThrow();
-      if (chainId === hardhat$1.id) {
-        return await this.mocksEncrypt(account);
-      }
-      return await this.productionEncrypt(account, chainId);
-    });
+    if (this.chainId === hardhat.id)
+      return this.mocksEncrypt();
+    return this.productionEncrypt();
   }
 };
-
-// core/types.ts
-var FheTypes = /* @__PURE__ */ ((FheTypes2) => {
-  FheTypes2[FheTypes2["Bool"] = 0] = "Bool";
-  FheTypes2[FheTypes2["Uint4"] = 1] = "Uint4";
-  FheTypes2[FheTypes2["Uint8"] = 2] = "Uint8";
-  FheTypes2[FheTypes2["Uint16"] = 3] = "Uint16";
-  FheTypes2[FheTypes2["Uint32"] = 4] = "Uint32";
-  FheTypes2[FheTypes2["Uint64"] = 5] = "Uint64";
-  FheTypes2[FheTypes2["Uint128"] = 6] = "Uint128";
-  FheTypes2[FheTypes2["Uint160"] = 7] = "Uint160";
-  FheTypes2[FheTypes2["Uint256"] = 8] = "Uint256";
-  FheTypes2[FheTypes2["Uint512"] = 9] = "Uint512";
-  FheTypes2[FheTypes2["Uint1024"] = 10] = "Uint1024";
-  FheTypes2[FheTypes2["Uint2048"] = 11] = "Uint2048";
-  FheTypes2[FheTypes2["Uint2"] = 12] = "Uint2";
-  FheTypes2[FheTypes2["Uint6"] = 13] = "Uint6";
-  FheTypes2[FheTypes2["Uint10"] = 14] = "Uint10";
-  FheTypes2[FheTypes2["Uint12"] = 15] = "Uint12";
-  FheTypes2[FheTypes2["Uint14"] = 16] = "Uint14";
-  FheTypes2[FheTypes2["Int2"] = 17] = "Int2";
-  FheTypes2[FheTypes2["Int4"] = 18] = "Int4";
-  FheTypes2[FheTypes2["Int6"] = 19] = "Int6";
-  FheTypes2[FheTypes2["Int8"] = 20] = "Int8";
-  FheTypes2[FheTypes2["Int10"] = 21] = "Int10";
-  FheTypes2[FheTypes2["Int12"] = 22] = "Int12";
-  FheTypes2[FheTypes2["Int14"] = 23] = "Int14";
-  FheTypes2[FheTypes2["Int16"] = 24] = "Int16";
-  FheTypes2[FheTypes2["Int32"] = 25] = "Int32";
-  FheTypes2[FheTypes2["Int64"] = 26] = "Int64";
-  FheTypes2[FheTypes2["Int128"] = 27] = "Int128";
-  FheTypes2[FheTypes2["Int160"] = 28] = "Int160";
-  FheTypes2[FheTypes2["Int256"] = 29] = "Int256";
-  return FheTypes2;
-})(FheTypes || {});
-var FheUintUTypes = [
-  2 /* Uint8 */,
-  3 /* Uint16 */,
-  4 /* Uint32 */,
-  5 /* Uint64 */,
-  6 /* Uint128 */
-  // [U256-DISABLED]
-  // FheTypes.Uint256,
-];
-var FheAllUTypes = [
-  0 /* Bool */,
-  2 /* Uint8 */,
-  3 /* Uint16 */,
-  4 /* Uint32 */,
-  5 /* Uint64 */,
-  6 /* Uint128 */,
-  // [U256-DISABLED]
-  // FheTypes.Uint256,
-  7 /* Uint160 */
-];
-var Encryptable = {
-  bool: (data, securityZone = 0) => ({ data, securityZone, utype: 0 /* Bool */ }),
-  address: (data, securityZone = 0) => ({ data, securityZone, utype: 7 /* Uint160 */ }),
-  uint8: (data, securityZone = 0) => ({ data, securityZone, utype: 2 /* Uint8 */ }),
-  uint16: (data, securityZone = 0) => ({ data, securityZone, utype: 3 /* Uint16 */ }),
-  uint32: (data, securityZone = 0) => ({ data, securityZone, utype: 4 /* Uint32 */ }),
-  uint64: (data, securityZone = 0) => ({ data, securityZone, utype: 5 /* Uint64 */ }),
-  uint128: (data, securityZone = 0) => ({ data, securityZone, utype: 6 /* Uint128 */ })
-  // [U256-DISABLED]
-  // uint256: (data: EncryptableUint256['data'], securityZone = 0) =>
-  //   ({ data, securityZone, utype: FheTypes.Uint256 }) as EncryptableUint256,
+var storeActivePermit = async (permit, publicClient, walletClient) => {
+  const chainId = await publicClient.getChainId();
+  const account = walletClient.account.address;
+  permitStore.setPermit(chainId, account, permit);
+  permitStore.setActivePermitHash(chainId, account, permit.hash);
 };
-function isEncryptableItem(value) {
-  return (
-    // Is object and exists
-    typeof value === "object" && value !== null && // Has securityZone
-    "securityZone" in value && typeof value.securityZone === "number" && // Has utype
-    "utype" in value && FheAllUTypes.includes(value.utype) && // Has data
-    "data" in value && ["string", "number", "bigint", "boolean"].includes(typeof value.data)
-  );
+var createPermitWithSign = async (options, publicClient, walletClient, permitMethod) => {
+  const permit = await permitMethod(options, publicClient, walletClient);
+  await storeActivePermit(permit, publicClient, walletClient);
+  return permit;
+};
+var createSelf = async (options, publicClient, walletClient) => {
+  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.createSelfAndSign);
+};
+var createSharing = async (options, publicClient, walletClient) => {
+  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.createSharingAndSign);
+};
+var importShared = async (options, publicClient, walletClient) => {
+  return createPermitWithSign(options, publicClient, walletClient, PermitUtils.importSharedAndSign);
+};
+var getHash = (permit) => {
+  return PermitUtils.getHash(permit);
+};
+var serialize = (permit) => {
+  return PermitUtils.serialize(permit);
+};
+var deserialize = (serialized) => {
+  return PermitUtils.deserialize(serialized);
+};
+var getPermit = async (chainId, account, hash) => {
+  return permitStore.getPermit(chainId, account, hash);
+};
+var getPermits = async (chainId, account) => {
+  return permitStore.getPermits(chainId, account);
+};
+var getActivePermit = async (chainId, account) => {
+  return permitStore.getActivePermit(chainId, account);
+};
+var getActivePermitHash = (chainId, account) => {
+  return permitStore.getActivePermitHash(chainId, account);
+};
+var selectActivePermit = (chainId, account, hash) => {
+  permitStore.setActivePermitHash(chainId, account, hash);
+};
+var getOrCreateSelfPermit = async (publicClient, walletClient, chainId, account, options) => {
+  const _chainId = chainId ?? await publicClient.getChainId();
+  const _account = account ?? walletClient.account.address;
+  const activePermit = await getActivePermit(_chainId, _account);
+  if (activePermit && activePermit.type === "self") {
+    return activePermit;
+  }
+  return createSelf(options ?? { issuer: _account, name: "Autogenerated Self Permit" }, publicClient, walletClient);
+};
+var getOrCreateSharingPermit = async (publicClient, walletClient, options, chainId, account) => {
+  const _chainId = chainId ?? await publicClient.getChainId();
+  const _account = account ?? walletClient.account.address;
+  const activePermit = await getActivePermit(_chainId, _account);
+  if (activePermit && activePermit.type === "sharing") {
+    return activePermit;
+  }
+  return createSharing(options, publicClient, walletClient);
+};
+var removePermit = async (chainId, account, hash) => permitStore.removePermit(chainId, account, hash);
+var removeActivePermit = async (chainId, account) => permitStore.removeActivePermitHash(chainId, account);
+var permits = {
+  getSnapshot: permitStore.store.getState,
+  subscribe: permitStore.store.subscribe,
+  createSelf,
+  createSharing,
+  importShared,
+  getOrCreateSelfPermit,
+  getOrCreateSharingPermit,
+  getHash,
+  serialize,
+  deserialize,
+  getPermit,
+  getPermits,
+  getActivePermit,
+  getActivePermitHash,
+  removePermit,
+  selectActivePermit,
+  removeActivePermit
+};
+function uint160ToAddress(uint160) {
+  const hexStr = uint160.toString(16).padStart(40, "0");
+  return getAddress("0x" + hexStr);
+}
+var isValidUtype = (utype) => {
+  return utype === 0 /* Bool */ || utype === 7 /* Uint160 */ || utype == null || FheUintUTypes.includes(utype);
+};
+var convertViaUtype = (utype, value) => {
+  if (utype === 0 /* Bool */) {
+    return !!value;
+  } else if (utype === 7 /* Uint160 */) {
+    return uint160ToAddress(value);
+  } else if (utype == null || FheUintUTypes.includes(utype)) {
+    return value;
+  } else {
+    throw new Error(`convertViaUtype :: invalid utype :: ${utype}`);
+  }
+};
+
+// core/decrypt/MockQueryDecrypterAbi.ts
+var MockQueryDecrypterAbi = [
+  {
+    type: "function",
+    name: "acl",
+    inputs: [],
+    outputs: [{ name: "", type: "address", internalType: "contract ACL" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "decodeLowLevelReversion",
+    inputs: [{ name: "data", type: "bytes", internalType: "bytes" }],
+    outputs: [{ name: "error", type: "string", internalType: "string" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "exists",
+    inputs: [],
+    outputs: [{ name: "", type: "bool", internalType: "bool" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "initialize",
+    inputs: [
+      { name: "_taskManager", type: "address", internalType: "address" },
+      { name: "_acl", type: "address", internalType: "address" }
+    ],
+    outputs: [],
+    stateMutability: "nonpayable"
+  },
+  {
+    type: "function",
+    name: "queryDecrypt",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "", type: "uint256", internalType: "uint256" },
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          { name: "issuer", type: "address", internalType: "address" },
+          { name: "expiration", type: "uint64", internalType: "uint64" },
+          { name: "recipient", type: "address", internalType: "address" },
+          { name: "validatorId", type: "uint256", internalType: "uint256" },
+          {
+            name: "validatorContract",
+            type: "address",
+            internalType: "address"
+          },
+          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
+          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
+          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "querySealOutput",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "", type: "uint256", internalType: "uint256" },
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          { name: "issuer", type: "address", internalType: "address" },
+          { name: "expiration", type: "uint64", internalType: "uint64" },
+          { name: "recipient", type: "address", internalType: "address" },
+          { name: "validatorId", type: "uint256", internalType: "uint256" },
+          {
+            name: "validatorContract",
+            type: "address",
+            internalType: "address"
+          },
+          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
+          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
+          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "", type: "bytes32", internalType: "bytes32" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "seal",
+    inputs: [
+      { name: "input", type: "uint256", internalType: "uint256" },
+      { name: "key", type: "bytes32", internalType: "bytes32" }
+    ],
+    outputs: [{ name: "", type: "bytes32", internalType: "bytes32" }],
+    stateMutability: "pure"
+  },
+  {
+    type: "function",
+    name: "taskManager",
+    inputs: [],
+    outputs: [{ name: "", type: "address", internalType: "contract TaskManager" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "unseal",
+    inputs: [
+      { name: "hashed", type: "bytes32", internalType: "bytes32" },
+      { name: "key", type: "bytes32", internalType: "bytes32" }
+    ],
+    outputs: [{ name: "", type: "uint256", internalType: "uint256" }],
+    stateMutability: "pure"
+  },
+  { type: "error", name: "NotAllowed", inputs: [] },
+  { type: "error", name: "SealingKeyInvalid", inputs: [] },
+  { type: "error", name: "SealingKeyMissing", inputs: [] }
+];
+
+// core/decrypt/cofheMocksSealOutput.ts
+async function cofheMocksSealOutput(ctHash, utype, permit, publicClient, mocksSealOutputDelay) {
+  if (mocksSealOutputDelay > 0)
+    await sleep(mocksSealOutputDelay);
+  const permission = PermitUtils.getPermission(permit, true);
+  const permissionWithBigInts = {
+    ...permission,
+    expiration: BigInt(permission.expiration),
+    validatorId: BigInt(permission.validatorId)
+  };
+  const [allowed, error, result] = await publicClient.readContract({
+    address: MOCKS_QUERY_DECRYPTER_ADDRESS,
+    abi: MockQueryDecrypterAbi,
+    functionName: "querySealOutput",
+    args: [ctHash, BigInt(utype), permissionWithBigInts]
+  });
+  if (error != "") {
+    throw new CofhesdkError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `mocks querySealOutput call failed: ${error}`
+    });
+  }
+  if (allowed == false) {
+    throw new CofhesdkError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `mocks querySealOutput call failed: ACL Access Denied (NotAllowed)`
+    });
+  }
+  const sealedBigInt = BigInt(result);
+  const sealingKeyBigInt = BigInt(permission.sealingKey);
+  const unsealed = sealedBigInt ^ sealingKeyBigInt;
+  return unsealed;
 }
-var EncryptStep = /* @__PURE__ */ ((EncryptStep2) => {
-  EncryptStep2["InitTfhe"] = "initTfhe";
-  EncryptStep2["FetchKeys"] = "fetchKeys";
-  EncryptStep2["Pack"] = "pack";
-  EncryptStep2["Prove"] = "prove";
-  EncryptStep2["Verify"] = "verify";
-  return EncryptStep2;
-})(EncryptStep || {});
 
-// core/config.ts
-var CofhesdkConfigSchema = z.object({
-  /** List of supported chain configurations */
-  supportedChains: z.array(z.custom()),
-  /** Strategy for fetching FHE keys */
-  fheKeysPrefetching: z.enum(["CONNECTED_CHAIN", "SUPPORTED_CHAINS", "OFF"]).optional().default("OFF"),
-  /** How permits are generated */
-  permitGeneration: z.enum(["ON_CONNECT", "ON_DECRYPT_HANDLES", "MANUAL"]).optional().default("ON_CONNECT"),
-  /** Default permit expiration in seconds, default is 30 days */
-  defaultPermitExpiration: z.number().optional().default(60 * 60 * 24 * 30),
-  /** Storage method for fhe keys (defaults to indexedDB on web, filesystem on node) */
-  fheKeyStorage: z.object({
-    getItem: z.function().args(z.string()).returns(z.promise(z.any())),
-    setItem: z.function().args(z.string(), z.any()).returns(z.promise(z.void())),
-    removeItem: z.function().args(z.string()).returns(z.promise(z.void()))
-  }).or(z.null()).default(null),
-  /** Mocks configs */
-  mocks: z.object({
-    sealOutputDelay: z.number().optional().default(0)
-  }).optional().default({ sealOutputDelay: 0 }),
-  /** Internal configuration */
-  _internal: z.object({
-    zkvWalletClient: z.any().optional()
-  }).optional()
-});
-function createCofhesdkConfigBase(config) {
-  const result = CofhesdkConfigSchema.safeParse(config);
-  if (!result.success) {
-    throw new Error(`Invalid cofhesdk configuration: ${result.error.message}`);
+// core/decrypt/tnSealOutputV2.ts
+var POLL_INTERVAL_MS = 1e3;
+var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+function numberArrayToUint8Array(arr) {
+  return new Uint8Array(arr);
+}
+function convertSealedData(sealed) {
+  if (!sealed) {
+    throw new CofhesdkError({
+      code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
+      message: "Sealed data is missing from completed response"
+    });
   }
-  return result.data;
+  return {
+    data: numberArrayToUint8Array(sealed.data),
+    public_key: numberArrayToUint8Array(sealed.public_key),
+    nonce: numberArrayToUint8Array(sealed.nonce)
+  };
 }
-var getCofhesdkConfigItem = (config, key) => {
-  return config[key];
-};
-function getSupportedChainOrThrow(config, chainId) {
-  const supportedChain = config.supportedChains.find((chain) => chain.id === chainId);
-  if (!supportedChain) {
+async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission) {
+  const body = {
+    ct_tempkey: ctHash.toString(16).padStart(64, "0"),
+    host_chain_id: chainId,
+    permit: permission
+  };
+  let response;
+  try {
+    response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+  } catch (e) {
     throw new CofhesdkError({
-      code: "UNSUPPORTED_CHAIN" /* UnsupportedChain */,
-      message: `Config does not support chain <${chainId}>`,
-      hint: "Ensure config passed to client has been created with this chain in the config.supportedChains array.",
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `sealOutput request failed`,
+      hint: "Ensure the threshold network URL is valid and reachable.",
+      cause: e instanceof Error ? e : void 0,
       context: {
-        chainId,
-        supportedChainIds: config.supportedChains.map((c) => c.id)
+        thresholdNetworkUrl,
+        body
       }
     });
   }
-  return supportedChain;
-}
-function getCoFheUrlOrThrow(config, chainId) {
-  const supportedChain = getSupportedChainOrThrow(config, chainId);
-  const url = supportedChain.coFheUrl;
-  if (!url) {
+  if (!response.ok) {
+    let errorMessage = `HTTP ${response.status}`;
+    try {
+      const errorBody = await response.json();
+      errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+    } catch {
+      errorMessage = response.statusText || errorMessage;
+    }
     throw new CofhesdkError({
-      code: "MISSING_CONFIG" /* MissingConfig */,
-      message: `CoFHE URL is not configured for chain <${chainId}>`,
-      hint: "Ensure this chain config includes a coFheUrl property.",
-      context: { chainId }
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `sealOutput request failed: ${errorMessage}`,
+      hint: "Check the threshold network URL and request parameters.",
+      context: {
+        thresholdNetworkUrl,
+        status: response.status,
+        statusText: response.statusText,
+        body
+      }
     });
   }
-  return url;
-}
-function getZkVerifierUrlOrThrow(config, chainId) {
-  const supportedChain = getSupportedChainOrThrow(config, chainId);
-  const url = supportedChain.verifierUrl;
-  if (!url) {
+  let submitResponse;
+  try {
+    submitResponse = await response.json();
+  } catch (e) {
     throw new CofhesdkError({
-      code: "ZK_VERIFIER_URL_UNINITIALIZED" /* ZkVerifierUrlUninitialized */,
-      message: `ZK verifier URL is not configured for chain <${chainId}>`,
-      hint: "Ensure this chain config includes a verifierUrl property.",
-      context: { chainId }
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `Failed to parse sealOutput submit response`,
+      cause: e instanceof Error ? e : void 0,
+      context: {
+        thresholdNetworkUrl,
+        body
+      }
+    });
+  }
+  if (!submitResponse.request_id) {
+    throw new CofhesdkError({
+      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+      message: `sealOutput submit response missing request_id`,
+      context: {
+        thresholdNetworkUrl,
+        body,
+        submitResponse
+      }
+    });
+  }
+  return submitResponse.request_id;
+}
+async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
+  const startTime = Date.now();
+  let completed = false;
+  while (!completed) {
+    if (Date.now() - startTime > POLL_TIMEOUT_MS) {
+      throw new CofhesdkError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput polling timed out after ${POLL_TIMEOUT_MS}ms`,
+        hint: "The request may still be processing. Try again later.",
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          timeoutMs: POLL_TIMEOUT_MS
+        }
+      });
+    }
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput/${requestId}`, {
+        method: "GET",
+        headers: {
+          "Content-Type": "application/json"
+        }
+      });
+    } catch (e) {
+      throw new CofhesdkError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput status poll failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (response.status === 404) {
+      throw new CofhesdkError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request not found: ${requestId}`,
+        hint: "The request may have expired or been invalid.",
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofhesdkError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput status poll failed: ${errorMessage}`,
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          status: response.status,
+          statusText: response.statusText
+        }
+      });
+    }
+    let statusResponse;
+    try {
+      statusResponse = await response.json();
+    } catch (e) {
+      throw new CofhesdkError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `Failed to parse sealOutput status response`,
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (statusResponse.status === "COMPLETED") {
+      if (statusResponse.is_succeed === false) {
+        const errorMessage = statusResponse.error_message || "Unknown error";
+        throw new CofhesdkError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `sealOutput request failed: ${errorMessage}`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse
+          }
+        });
+      }
+      if (!statusResponse.sealed) {
+        throw new CofhesdkError({
+          code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
+          message: `sealOutput request completed but returned no sealed data`,
+          context: {
+            thresholdNetworkUrl,
+            requestId,
+            statusResponse
+          }
+        });
+      }
+      return convertSealedData(statusResponse.sealed);
+    }
+    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+  }
+  throw new CofhesdkError({
+    code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+    message: "Polling loop exited unexpectedly",
+    context: {
+      thresholdNetworkUrl,
+      requestId
+    }
+  });
+}
+async function tnSealOutputV2(ctHash, chainId, permission, thresholdNetworkUrl) {
+  const requestId = await submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission);
+  return await pollSealOutputStatus(thresholdNetworkUrl, requestId);
+}
+
+// core/decrypt/decryptHandleBuilder.ts
+var DecryptHandlesBuilder = class extends BaseBuilder {
+  ctHash;
+  utype;
+  permitHash;
+  permit;
+  constructor(params) {
+    super({
+      config: params.config,
+      publicClient: params.publicClient,
+      walletClient: params.walletClient,
+      chainId: params.chainId,
+      account: params.account,
+      requireConnected: params.requireConnected
     });
+    this.ctHash = params.ctHash;
+    this.utype = params.utype;
+    this.permitHash = params.permitHash;
+    this.permit = params.permit;
+  }
+  /**
+   * @param chainId - Chain to decrypt values from. Used to fetch the threshold network URL and use the correct permit.
+   *
+   * If not provided, the chainId will be fetched from the connected publicClient.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await decryptHandle(ctHash, utype)
+   *   .setChainId(11155111)
+   *   .decrypt();
+   * ```
+   *
+   * @returns The chainable DecryptHandlesBuilder instance.
+   */
+  setChainId(chainId) {
+    this.chainId = chainId;
+    return this;
+  }
+  getChainId() {
+    return this.chainId;
+  }
+  /**
+   * @param account - Account to decrypt values from. Used to fetch the correct permit.
+   *
+   * If not provided, the account will be fetched from the connected walletClient.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await decryptHandle(ctHash, utype)
+   *   .setAccount('0x1234567890123456789012345678901234567890')
+   *   .decrypt();
+   * ```
+   *
+   * @returns The chainable DecryptHandlesBuilder instance.
+   */
+  setAccount(account) {
+    this.account = account;
+    return this;
   }
-  return url;
-}
-function getThresholdNetworkUrlOrThrow(config, chainId) {
-  const supportedChain = getSupportedChainOrThrow(config, chainId);
-  const url = supportedChain.thresholdNetworkUrl;
-  if (!url) {
-    throw new CofhesdkError({
-      code: "THRESHOLD_NETWORK_URL_UNINITIALIZED" /* ThresholdNetworkUrlUninitialized */,
-      message: `Threshold network URL is not configured for chain <${chainId}>`,
-      hint: "Ensure this chain config includes a thresholdNetworkUrl property.",
-      context: { chainId }
-    });
+  getAccount() {
+    return this.account;
   }
-  return url;
-}
-
-// core/fetchKeys.ts
-var PUBLIC_KEY_LENGTH_MIN = 15e3;
-var checkKeyValidity = (key, serializer) => {
-  if (key == null || key.length === 0)
-    return [false, `Key is null or empty <${key}>`];
-  try {
-    serializer(key);
-    return [true, `Key is valid`];
-  } catch (err) {
-    return [false, `Serialization failed <${err}> key length <${key.length}>`];
+  /**
+   * @param permitHash - Permit hash to decrypt values from. Used to fetch the correct permit.
+   *
+   * If not provided, the active permit for the chainId and account will be used.
+   * If `setPermit()` is called, it will be used regardless of chainId, account, or permitHash.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await decryptHandle(ctHash, utype)
+   *   .setPermitHash('0x1234567890123456789012345678901234567890')
+   *   .decrypt();
+   * ```
+   *
+   * @returns The chainable DecryptHandlesBuilder instance.
+   */
+  setPermitHash(permitHash) {
+    this.permitHash = permitHash;
+    return this;
   }
-};
-var fetchFhePublicKey = async (coFheUrl, chainId, securityZone, tfhePublicKeyDeserializer, keysStorage) => {
-  const storedKey = keysStorage?.getFheKey(chainId, securityZone);
-  const [storedKeyValid] = checkKeyValidity(storedKey, tfhePublicKeyDeserializer);
-  if (storedKeyValid)
-    return [storedKey, false];
-  let pk_data = void 0;
-  try {
-    const pk_res = await fetch(`${coFheUrl}/GetNetworkPublicKey`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({ securityZone })
-    });
-    const json = await pk_res.json();
-    pk_data = json.publicKey;
-  } catch (err) {
-    throw new Error(`Error fetching FHE publicKey; fetching from CoFHE failed with error ${err}`);
+  getPermitHash() {
+    return this.permitHash;
   }
-  if (pk_data == null || typeof pk_data !== "string") {
-    throw new Error(`Error fetching FHE publicKey; fetched result invalid: missing or not a string`);
+  /**
+   * @param permit - Permit to decrypt values with. If provided, it will be used regardless of chainId, account, or permitHash.
+   *
+   * If not provided, the permit will be determined by chainId, account, and permitHash.
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await decryptHandle(ctHash, utype)
+   *   .setPermit(permit)
+   *   .decrypt();
+   * ```
+   *
+   * @returns The chainable DecryptHandlesBuilder instance.
+   */
+  setPermit(permit) {
+    this.permit = permit;
+    return this;
   }
-  if (pk_data === "0x") {
-    throw new Error("Error fetching FHE publicKey; provided chain is not FHE enabled / not found");
+  getPermit() {
+    return this.permit;
   }
-  if (pk_data.length < PUBLIC_KEY_LENGTH_MIN) {
-    throw new Error(
-      `Error fetching FHE publicKey; got shorter than expected key length: ${pk_data.length}. Expected length >= ${PUBLIC_KEY_LENGTH_MIN}`
-    );
+  async getThresholdNetworkUrl() {
+    this.assertChainId();
+    return getThresholdNetworkUrlOrThrow(this.config, this.chainId);
   }
-  try {
-    tfhePublicKeyDeserializer(pk_data);
-  } catch (err) {
-    throw new Error(`Error serializing FHE publicKey; ${err}`);
+  validateUtypeOrThrow() {
+    if (!isValidUtype(this.utype))
+      throw new CofhesdkError({
+        code: "INVALID_UTYPE" /* InvalidUtype */,
+        message: `Invalid utype to decrypt to`,
+        context: {
+          utype: this.utype
+        }
+      });
   }
-  keysStorage?.setFheKey(chainId, securityZone, pk_data);
-  return [pk_data, true];
-};
-var fetchCrs = async (coFheUrl, chainId, securityZone, compactPkeCrsDeserializer, keysStorage) => {
-  const storedKey = keysStorage?.getCrs(chainId);
-  const [storedKeyValid] = checkKeyValidity(storedKey, compactPkeCrsDeserializer);
-  if (storedKeyValid)
-    return [storedKey, false];
-  let crs_data = void 0;
-  try {
-    const crs_res = await fetch(`${coFheUrl}/GetCrs`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({ securityZone })
-    });
-    const json = await crs_res.json();
-    crs_data = json.crs;
-  } catch (err) {
-    throw new Error(`Error fetching CRS; fetching failed with error ${err}`);
+  async getResolvedPermit() {
+    if (this.permit)
+      return this.permit;
+    this.assertChainId();
+    this.assertAccount();
+    if (this.permitHash) {
+      const permit2 = await permits.getPermit(this.chainId, this.account, this.permitHash);
+      if (!permit2) {
+        throw new CofhesdkError({
+          code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+          message: `Permit with hash <${this.permitHash}> not found for account <${this.account}> and chainId <${this.chainId}>`,
+          hint: "Ensure the permit exists and is valid.",
+          context: {
+            chainId: this.chainId,
+            account: this.account,
+            permitHash: this.permitHash
+          }
+        });
+      }
+      return permit2;
+    }
+    const permit = await permits.getActivePermit(this.chainId, this.account);
+    if (!permit) {
+      throw new CofhesdkError({
+        code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+        message: `Active permit not found for chainId <${this.chainId}> and account <${this.account}>`,
+        hint: "Ensure a permit exists for this account on this chain.",
+        context: {
+          chainId: this.chainId,
+          account: this.account
+        }
+      });
+    }
+    return permit;
   }
-  if (crs_data == null || typeof crs_data !== "string") {
-    throw new Error(`Error fetching CRS; invalid: missing or not a string`);
+  /**
+   * On hardhat, interact with MockZkVerifier contract instead of CoFHE
+   */
+  async mocksSealOutput(permit) {
+    this.assertPublicClient();
+    const mocksSealOutputDelay = this.config.mocks.sealOutputDelay;
+    return cofheMocksSealOutput(this.ctHash, this.utype, permit, this.publicClient, mocksSealOutputDelay);
   }
-  try {
-    compactPkeCrsDeserializer(crs_data);
-  } catch (err) {
-    console.error(`Error serializing CRS ${err}`);
-    throw new Error(`Error serializing CRS; ${err}`);
+  /**
+   * In the production context, perform a true decryption with the CoFHE coprocessor.
+   */
+  async productionSealOutput(permit) {
+    this.assertChainId();
+    this.assertPublicClient();
+    const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
+    const permission = PermitUtils.getPermission(permit, true);
+    const sealed = await tnSealOutputV2(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    return PermitUtils.unseal(permit, sealed);
+  }
+  /**
+   * Final step of the decryption process. MUST BE CALLED LAST IN THE CHAIN.
+   *
+   * This will:
+   * - Use a permit based on provided permit OR chainId + account + permitHash
+   * - Check permit validity
+   * - Call CoFHE `/sealoutput` with the permit, which returns a sealed (encrypted) item
+   * - Unseal the sealed item with the permit
+   * - Return the unsealed item
+   *
+   * Example:
+   * ```typescript
+   * const unsealed = await decryptHandle(ctHash, utype)
+   *   .setChainId(11155111)      // optional
+   *   .setAccount('0x123...890') // optional
+   *   .decrypt();                // execute
+   * ```
+   *
+   * @returns The unsealed item.
+   */
+  async decrypt() {
+    this.validateUtypeOrThrow();
+    const permit = await this.getResolvedPermit();
+    PermitUtils.validate(permit);
+    PermitUtils.isValid(permit);
+    const chainId = permit._signedDomain.chainId;
+    let unsealed;
+    if (chainId === hardhat$1.id) {
+      unsealed = await this.mocksSealOutput(permit);
+    } else {
+      unsealed = await this.productionSealOutput(permit);
+    }
+    return convertViaUtype(this.utype, unsealed);
   }
-  keysStorage?.setCrs(chainId, crs_data);
-  return [crs_data, true];
-};
-var fetchKeys = async (config, chainId, securityZone = 0, tfhePublicKeyDeserializer, compactPkeCrsDeserializer, keysStorage) => {
-  const coFheUrl = getCoFheUrlOrThrow(config, chainId);
-  return await Promise.all([
-    fetchFhePublicKey(coFheUrl, chainId, securityZone, tfhePublicKeyDeserializer, keysStorage),
-    fetchCrs(coFheUrl, chainId, securityZone, compactPkeCrsDeserializer, keysStorage)
-  ]);
-};
-var fetchMultichainKeys = async (config, securityZone = 0, tfhePublicKeyDeserializer, compactPkeCrsDeserializer, keysStorage) => {
-  await Promise.all(
-    config.supportedChains.filter((chain) => chain.id !== hardhat.id).map(
-      (chain) => fetchKeys(config, chain.id, securityZone, tfhePublicKeyDeserializer, compactPkeCrsDeserializer, keysStorage)
-    )
-  );
 };
 
 // core/client.ts
+var InitialConnectStore = {
+  connected: false,
+  connecting: false,
+  connectError: void 0,
+  chainId: void 0,
+  account: void 0,
+  publicClient: void 0,
+  walletClient: void 0
+};
 function createCofhesdkClientBase(opts) {
   const keysStorage = createKeysStore(opts.config.fheKeyStorage);
-  let _publicClient = void 0;
-  let _walletClient = void 0;
-  const connectStore = createStore(() => ({
-    connected: false,
-    connecting: false,
-    connectError: void 0,
-    chainId: void 0,
-    account: void 0
-  }));
+  const connectStore = createStore(() => InitialConnectStore);
+  let connectAttemptId = 0;
   const updateConnectState = (partial) => {
     connectStore.setState((state) => ({ ...state, ...partial }));
   };
-  let _connectPromise = void 0;
   const _requireConnected = () => {
     const state = connectStore.getState();
-    const notConnected = !state.connected || !_publicClient || !_walletClient || !state.account || !state.chainId;
+    const notConnected = !state.connected || !state.account || !state.chainId || !state.publicClient || !state.walletClient;
     if (notConnected) {
       throw new CofhesdkError({
         code: "NOT_CONNECTED" /* NotConnected */,
@@ -2112,55 +2346,49 @@ function createCofhesdkClientBase(opts) {
           connected: state.connected,
           account: state.account,
           chainId: state.chainId,
-          publicClient: _publicClient,
-          walletClient: _walletClient
+          publicClient: state.publicClient,
+          walletClient: state.walletClient
         }
       });
     }
   };
-  const keyFetchResult = resultWrapper(async () => {
-    if (opts.config.fheKeysPrefetching === "SUPPORTED_CHAINS") {
-      await fetchMultichainKeys(
-        opts.config,
-        0,
-        opts.tfhePublicKeyDeserializer,
-        opts.compactPkeCrsDeserializer,
-        keysStorage
-      );
-      return true;
-    }
-    return false;
-  });
   async function connect(publicClient, walletClient) {
     const state = connectStore.getState();
-    if (state.connected && _publicClient === publicClient && _walletClient === walletClient) {
-      return Promise.resolve(ResultOk(true));
-    }
-    if (_connectPromise && _publicClient === publicClient && _walletClient === walletClient) {
-      return _connectPromise;
+    if (state.connected && state.publicClient === publicClient && state.walletClient === walletClient)
+      return;
+    connectAttemptId += 1;
+    const localAttemptId = connectAttemptId;
+    updateConnectState({
+      ...InitialConnectStore,
+      connecting: true
+    });
+    try {
+      const chainId = await getPublicClientChainID(publicClient);
+      const account = await getWalletClientAccount(walletClient);
+      if (localAttemptId !== connectAttemptId)
+        return;
+      updateConnectState({
+        connected: true,
+        connecting: false,
+        connectError: void 0,
+        chainId,
+        account,
+        publicClient,
+        walletClient
+      });
+    } catch (e) {
+      if (localAttemptId !== connectAttemptId)
+        return;
+      updateConnectState({
+        ...InitialConnectStore,
+        connectError: e
+      });
+      throw e;
     }
-    updateConnectState({ connecting: true, connectError: null, connected: false });
-    _connectPromise = resultWrapper(
-      // try
-      async () => {
-        _publicClient = publicClient;
-        _walletClient = walletClient;
-        const chainId = await getPublicClientChainID(publicClient);
-        const account = await getWalletClientAccount(walletClient);
-        updateConnectState({ connecting: false, connected: true, chainId, account });
-        return true;
-      },
-      // catch
-      (e) => {
-        updateConnectState({ connecting: false, connected: false, connectError: e });
-        return false;
-      },
-      // finally
-      () => {
-        _connectPromise = void 0;
-      }
-    );
-    return _connectPromise;
+  }
+  function disconnect() {
+    connectAttemptId += 1;
+    updateConnectState({ ...InitialConnectStore });
   }
   function encryptInputs(inputs) {
     const state = connectStore.getState();
@@ -2169,13 +2397,14 @@ function createCofhesdkClientBase(opts) {
       account: state.account ?? void 0,
       chainId: state.chainId ?? void 0,
       config: opts.config,
-      publicClient: _publicClient ?? void 0,
-      walletClient: _walletClient ?? void 0,
+      publicClient: state.publicClient ?? void 0,
+      walletClient: state.walletClient ?? void 0,
       zkvWalletClient: opts.config._internal?.zkvWalletClient,
       tfhePublicKeyDeserializer: opts.tfhePublicKeyDeserializer,
       compactPkeCrsDeserializer: opts.compactPkeCrsDeserializer,
       zkBuilderAndCrsGenerator: opts.zkBuilderAndCrsGenerator,
       initTfhe: opts.initTfhe,
+      zkProveWorkerFn: opts.zkProveWorkerFn,
       keysStorage,
       requireConnected: _requireConnected
     });
@@ -2188,8 +2417,8 @@ function createCofhesdkClientBase(opts) {
       chainId: state.chainId ?? void 0,
       account: state.account ?? void 0,
       config: opts.config,
-      publicClient: _publicClient ?? void 0,
-      walletClient: _walletClient ?? void 0,
+      publicClient: state.publicClient ?? void 0,
+      walletClient: state.walletClient ?? void 0,
       requireConnected: _requireConnected
     });
   }
@@ -2215,48 +2444,64 @@ function createCofhesdkClientBase(opts) {
     getSnapshot: permits.getSnapshot,
     subscribe: permits.subscribe,
     // Creation methods (require connection)
-    createSelf: async (options) => resultWrapper(async () => {
+    createSelf: async (options, clients) => {
       _requireConnected();
-      return permits.createSelf(options, _publicClient, _walletClient);
-    }),
-    createSharing: async (options) => resultWrapper(async () => {
+      const { publicClient, walletClient } = clients ?? connectStore.getState();
+      return permits.createSelf(options, publicClient, walletClient);
+    },
+    createSharing: async (options, clients) => {
       _requireConnected();
-      return permits.createSharing(options, _publicClient, _walletClient);
-    }),
-    importShared: async (options) => resultWrapper(async () => {
+      const { publicClient, walletClient } = clients ?? connectStore.getState();
+      return permits.createSharing(options, publicClient, walletClient);
+    },
+    importShared: async (options, clients) => {
       _requireConnected();
-      return permits.importShared(options, _publicClient, _walletClient);
-    }),
+      const { publicClient, walletClient } = clients ?? connectStore.getState();
+      return permits.importShared(options, publicClient, walletClient);
+    },
+    // Get or create methods (require connection)
+    getOrCreateSelfPermit: async (chainId, account, options) => {
+      _requireConnected();
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      const { publicClient, walletClient } = connectStore.getState();
+      return permits.getOrCreateSelfPermit(publicClient, walletClient, _chainId, _account, options);
+    },
+    getOrCreateSharingPermit: async (options, chainId, account) => {
+      _requireConnected();
+      const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
+      const { publicClient, walletClient } = connectStore.getState();
+      return permits.getOrCreateSharingPermit(publicClient, walletClient, options, _chainId, _account);
+    },
     // Retrieval methods (auto-fill chainId/account)
-    getPermit: async (hash, chainId, account) => resultWrapper(async () => {
+    getPermit: async (hash, chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getPermit(_chainId, _account, hash);
-    }),
-    getPermits: async (chainId, account) => resultWrapper(async () => {
+    },
+    getPermits: async (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getPermits(_chainId, _account);
-    }),
-    getActivePermit: async (chainId, account) => resultWrapper(async () => {
+    },
+    getActivePermit: async (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getActivePermit(_chainId, _account);
-    }),
-    getActivePermitHash: async (chainId, account) => resultWrapper(async () => {
+    },
+    getActivePermitHash: async (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getActivePermitHash(_chainId, _account);
-    }),
+    },
     // Mutation methods (auto-fill chainId/account)
-    selectActivePermit: async (hash, chainId, account) => resultWrapper(async () => {
+    selectActivePermit: (hash, chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.selectActivePermit(_chainId, _account, hash);
-    }),
-    removePermit: async (hash, chainId, account) => resultWrapper(async () => {
+    },
+    removePermit: async (hash, chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.removePermit(_chainId, _account, hash);
-    }),
-    removeActivePermit: async (chainId, account) => resultWrapper(async () => {
+    },
+    removeActivePermit: async (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.removeActivePermit(_chainId, _account);
-    }),
+    },
     // Utils (no context needed)
     getHash: permits.getHash,
     serialize: permits.serialize,
@@ -2266,10 +2511,6 @@ function createCofhesdkClientBase(opts) {
     // Zustand reactive accessors (don't export store directly to prevent mutation)
     getSnapshot: connectStore.getState,
     subscribe: connectStore.subscribe,
-    // initialization results
-    initializationResults: {
-      keyFetchResult
-    },
     // flags (read-only: reflect snapshot)
     get connected() {
       return connectStore.getState().connected;
@@ -2280,6 +2521,7 @@ function createCofhesdkClientBase(opts) {
     // config & platform-specific (read-only)
     config: opts.config,
     connect,
+    disconnect,
     encryptInputs,
     decryptHandle,
     permits: clientPermits
@@ -2287,9 +2529,9 @@ function createCofhesdkClientBase(opts) {
     // Example:
     // async encryptData(data: unknown) {
     //   requireConnected();
-    //   // Use _publicClient and _walletClient for implementation
+    //   // Use state.publicClient and state.walletClient for implementation
     // },
   };
 }
 
-export { CofhesdkError, CofhesdkErrorCode, DecryptHandlesBuilder, EncryptInputsBuilder, EncryptStep, Encryptable, FheAllUTypes, FheTypes, FheUintUTypes, ResultErr, ResultErrOrInternal, ResultHttpError, ResultOk, ResultValidationError, createCofhesdkClientBase, createCofhesdkConfigBase, createKeysStore, fetchKeys, fetchMultichainKeys, getCofhesdkConfigItem, isCofhesdkError, isEncryptableItem, resultWrapper, resultWrapperSync };
+export { CofhesdkError, CofhesdkErrorCode, DecryptHandlesBuilder, EncryptInputsBuilder, EncryptStep, Encryptable, FheAllUTypes, FheTypes, FheUintUTypes, InitialConnectStore, assertCorrectEncryptedItemInput, createCofhesdkClientBase, createCofhesdkConfigBase, createKeysStore, fetchKeys, fheTypeToString, getCofhesdkConfigItem, isCofhesdkError, isEncryptableItem, isLastEncryptionStep, zkProveWithWorker };