@cofhe/sdk 0.2.0 → 0.3.0

package/dist/core.cjs

@@ -32,53 +32,53 @@ var nacl__namespace = /*#__PURE__*/_interopNamespace(nacl);
 // core/client.ts
 
 // core/error.ts
-var CofhesdkErrorCode = /* @__PURE__ */ ((CofhesdkErrorCode2) => {
-  CofhesdkErrorCode2["InternalError"] = "INTERNAL_ERROR";
-  CofhesdkErrorCode2["UnknownEnvironment"] = "UNKNOWN_ENVIRONMENT";
-  CofhesdkErrorCode2["InitTfheFailed"] = "INIT_TFHE_FAILED";
-  CofhesdkErrorCode2["InitViemFailed"] = "INIT_VIEM_FAILED";
-  CofhesdkErrorCode2["InitEthersFailed"] = "INIT_ETHERS_FAILED";
-  CofhesdkErrorCode2["NotConnected"] = "NOT_CONNECTED";
-  CofhesdkErrorCode2["MissingPublicClient"] = "MISSING_PUBLIC_CLIENT";
-  CofhesdkErrorCode2["MissingWalletClient"] = "MISSING_WALLET_CLIENT";
-  CofhesdkErrorCode2["MissingProviderParam"] = "MISSING_PROVIDER_PARAM";
-  CofhesdkErrorCode2["EmptySecurityZonesParam"] = "EMPTY_SECURITY_ZONES_PARAM";
-  CofhesdkErrorCode2["InvalidPermitData"] = "INVALID_PERMIT_DATA";
-  CofhesdkErrorCode2["InvalidPermitDomain"] = "INVALID_PERMIT_DOMAIN";
-  CofhesdkErrorCode2["PermitNotFound"] = "PERMIT_NOT_FOUND";
-  CofhesdkErrorCode2["CannotRemoveLastPermit"] = "CANNOT_REMOVE_LAST_PERMIT";
-  CofhesdkErrorCode2["AccountUninitialized"] = "ACCOUNT_UNINITIALIZED";
-  CofhesdkErrorCode2["ChainIdUninitialized"] = "CHAIN_ID_UNINITIALIZED";
-  CofhesdkErrorCode2["SealOutputFailed"] = "SEAL_OUTPUT_FAILED";
-  CofhesdkErrorCode2["SealOutputReturnedNull"] = "SEAL_OUTPUT_RETURNED_NULL";
-  CofhesdkErrorCode2["InvalidUtype"] = "INVALID_UTYPE";
-  CofhesdkErrorCode2["DecryptFailed"] = "DECRYPT_FAILED";
-  CofhesdkErrorCode2["DecryptReturnedNull"] = "DECRYPT_RETURNED_NULL";
-  CofhesdkErrorCode2["ZkMocksInsertCtHashesFailed"] = "ZK_MOCKS_INSERT_CT_HASHES_FAILED";
-  CofhesdkErrorCode2["ZkMocksCalcCtHashesFailed"] = "ZK_MOCKS_CALC_CT_HASHES_FAILED";
-  CofhesdkErrorCode2["ZkMocksVerifySignFailed"] = "ZK_MOCKS_VERIFY_SIGN_FAILED";
-  CofhesdkErrorCode2["ZkMocksCreateProofSignatureFailed"] = "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED";
-  CofhesdkErrorCode2["ZkVerifyFailed"] = "ZK_VERIFY_FAILED";
-  CofhesdkErrorCode2["ZkPackFailed"] = "ZK_PACK_FAILED";
-  CofhesdkErrorCode2["ZkProveFailed"] = "ZK_PROVE_FAILED";
-  CofhesdkErrorCode2["EncryptRemainingInItems"] = "ENCRYPT_REMAINING_IN_ITEMS";
-  CofhesdkErrorCode2["ZkUninitialized"] = "ZK_UNINITIALIZED";
-  CofhesdkErrorCode2["ZkVerifierUrlUninitialized"] = "ZK_VERIFIER_URL_UNINITIALIZED";
-  CofhesdkErrorCode2["ThresholdNetworkUrlUninitialized"] = "THRESHOLD_NETWORK_URL_UNINITIALIZED";
-  CofhesdkErrorCode2["MissingConfig"] = "MISSING_CONFIG";
-  CofhesdkErrorCode2["UnsupportedChain"] = "UNSUPPORTED_CHAIN";
-  CofhesdkErrorCode2["MissingZkBuilderAndCrsGenerator"] = "MISSING_ZK_BUILDER_AND_CRS_GENERATOR";
-  CofhesdkErrorCode2["MissingTfhePublicKeyDeserializer"] = "MISSING_TFHE_PUBLIC_KEY_DESERIALIZER";
-  CofhesdkErrorCode2["MissingCompactPkeCrsDeserializer"] = "MISSING_COMPACT_PKE_CRS_DESERIALIZER";
-  CofhesdkErrorCode2["MissingFheKey"] = "MISSING_FHE_KEY";
-  CofhesdkErrorCode2["MissingCrs"] = "MISSING_CRS";
-  CofhesdkErrorCode2["FetchKeysFailed"] = "FETCH_KEYS_FAILED";
-  CofhesdkErrorCode2["PublicWalletGetChainIdFailed"] = "PUBLIC_WALLET_GET_CHAIN_ID_FAILED";
-  CofhesdkErrorCode2["PublicWalletGetAddressesFailed"] = "PUBLIC_WALLET_GET_ADDRESSES_FAILED";
-  CofhesdkErrorCode2["RehydrateKeysStoreFailed"] = "REHYDRATE_KEYS_STORE_FAILED";
-  return CofhesdkErrorCode2;
-})(CofhesdkErrorCode || {});
-var CofhesdkError = class _CofhesdkError extends Error {
+var CofheErrorCode = /* @__PURE__ */ ((CofheErrorCode2) => {
+  CofheErrorCode2["InternalError"] = "INTERNAL_ERROR";
+  CofheErrorCode2["UnknownEnvironment"] = "UNKNOWN_ENVIRONMENT";
+  CofheErrorCode2["InitTfheFailed"] = "INIT_TFHE_FAILED";
+  CofheErrorCode2["InitViemFailed"] = "INIT_VIEM_FAILED";
+  CofheErrorCode2["InitEthersFailed"] = "INIT_ETHERS_FAILED";
+  CofheErrorCode2["NotConnected"] = "NOT_CONNECTED";
+  CofheErrorCode2["MissingPublicClient"] = "MISSING_PUBLIC_CLIENT";
+  CofheErrorCode2["MissingWalletClient"] = "MISSING_WALLET_CLIENT";
+  CofheErrorCode2["MissingProviderParam"] = "MISSING_PROVIDER_PARAM";
+  CofheErrorCode2["EmptySecurityZonesParam"] = "EMPTY_SECURITY_ZONES_PARAM";
+  CofheErrorCode2["InvalidPermitData"] = "INVALID_PERMIT_DATA";
+  CofheErrorCode2["InvalidPermitDomain"] = "INVALID_PERMIT_DOMAIN";
+  CofheErrorCode2["PermitNotFound"] = "PERMIT_NOT_FOUND";
+  CofheErrorCode2["CannotRemoveLastPermit"] = "CANNOT_REMOVE_LAST_PERMIT";
+  CofheErrorCode2["AccountUninitialized"] = "ACCOUNT_UNINITIALIZED";
+  CofheErrorCode2["ChainIdUninitialized"] = "CHAIN_ID_UNINITIALIZED";
+  CofheErrorCode2["SealOutputFailed"] = "SEAL_OUTPUT_FAILED";
+  CofheErrorCode2["SealOutputReturnedNull"] = "SEAL_OUTPUT_RETURNED_NULL";
+  CofheErrorCode2["InvalidUtype"] = "INVALID_UTYPE";
+  CofheErrorCode2["DecryptFailed"] = "DECRYPT_FAILED";
+  CofheErrorCode2["DecryptReturnedNull"] = "DECRYPT_RETURNED_NULL";
+  CofheErrorCode2["ZkMocksInsertCtHashesFailed"] = "ZK_MOCKS_INSERT_CT_HASHES_FAILED";
+  CofheErrorCode2["ZkMocksCalcCtHashesFailed"] = "ZK_MOCKS_CALC_CT_HASHES_FAILED";
+  CofheErrorCode2["ZkMocksVerifySignFailed"] = "ZK_MOCKS_VERIFY_SIGN_FAILED";
+  CofheErrorCode2["ZkMocksCreateProofSignatureFailed"] = "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED";
+  CofheErrorCode2["ZkVerifyFailed"] = "ZK_VERIFY_FAILED";
+  CofheErrorCode2["ZkPackFailed"] = "ZK_PACK_FAILED";
+  CofheErrorCode2["ZkProveFailed"] = "ZK_PROVE_FAILED";
+  CofheErrorCode2["EncryptRemainingInItems"] = "ENCRYPT_REMAINING_IN_ITEMS";
+  CofheErrorCode2["ZkUninitialized"] = "ZK_UNINITIALIZED";
+  CofheErrorCode2["ZkVerifierUrlUninitialized"] = "ZK_VERIFIER_URL_UNINITIALIZED";
+  CofheErrorCode2["ThresholdNetworkUrlUninitialized"] = "THRESHOLD_NETWORK_URL_UNINITIALIZED";
+  CofheErrorCode2["MissingConfig"] = "MISSING_CONFIG";
+  CofheErrorCode2["UnsupportedChain"] = "UNSUPPORTED_CHAIN";
+  CofheErrorCode2["MissingZkBuilderAndCrsGenerator"] = "MISSING_ZK_BUILDER_AND_CRS_GENERATOR";
+  CofheErrorCode2["MissingTfhePublicKeyDeserializer"] = "MISSING_TFHE_PUBLIC_KEY_DESERIALIZER";
+  CofheErrorCode2["MissingCompactPkeCrsDeserializer"] = "MISSING_COMPACT_PKE_CRS_DESERIALIZER";
+  CofheErrorCode2["MissingFheKey"] = "MISSING_FHE_KEY";
+  CofheErrorCode2["MissingCrs"] = "MISSING_CRS";
+  CofheErrorCode2["FetchKeysFailed"] = "FETCH_KEYS_FAILED";
+  CofheErrorCode2["PublicWalletGetChainIdFailed"] = "PUBLIC_WALLET_GET_CHAIN_ID_FAILED";
+  CofheErrorCode2["PublicWalletGetAddressesFailed"] = "PUBLIC_WALLET_GET_ADDRESSES_FAILED";
+  CofheErrorCode2["RehydrateKeysStoreFailed"] = "REHYDRATE_KEYS_STORE_FAILED";
+  return CofheErrorCode2;
+})(CofheErrorCode || {});
+var CofheError = class _CofheError extends Error {
   code;
   cause;
   hint;
@@ -86,25 +86,25 @@ var CofhesdkError = class _CofhesdkError extends Error {
   constructor({ code, message, cause, hint, context }) {
     const fullMessage = cause ? `${message} | Caused by: ${cause.message}` : message;
     super(fullMessage);
-    this.name = "CofhesdkError";
+    this.name = "CofheError";
     this.code = code;
     this.cause = cause;
     this.hint = hint;
     this.context = context;
     if (Error.captureStackTrace) {
-      Error.captureStackTrace(this, _CofhesdkError);
+      Error.captureStackTrace(this, _CofheError);
     }
   }
   /**
-   * Creates a CofhesdkError from an unknown error
-   * If the error is a CofhesdkError, it is returned unchanged, else a new CofhesdkError is created
-   * If a wrapperError is provided, it is used to create the new CofhesdkError, else a default is used
+   * Creates a CofheError from an unknown error
+   * If the error is a CofheError, it is returned unchanged, else a new CofheError is created
+   * If a wrapperError is provided, it is used to create the new CofheError, else a default is used
    */
   static fromError(error, wrapperError) {
-    if (isCofhesdkError(error))
+    if (isCofheError(error))
       return error;
     const cause = error instanceof Error ? error : new Error(`${error}`);
-    return new _CofhesdkError({
+    return new _CofheError({
       code: wrapperError?.code ?? "INTERNAL_ERROR" /* InternalError */,
       message: wrapperError?.message ?? "An internal error occurred",
       hint: wrapperError?.hint,
@@ -164,7 +164,7 @@ var bigintSafeJsonStringify = (value) => {
     return value2;
   });
 };
-var isCofhesdkError = (error) => error instanceof CofhesdkError;
+var isCofheError = (error) => error instanceof CofheError;
 
 // core/types.ts
 var FheTypes = /* @__PURE__ */ ((FheTypes2) => {
@@ -315,14 +315,14 @@ async function getPublicClientChainID(publicClient) {
   try {
     chainId = publicClient.chain?.id ?? await publicClient.getChainId();
   } catch (e) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "PUBLIC_WALLET_GET_CHAIN_ID_FAILED" /* PublicWalletGetChainIdFailed */,
       message: "getting chain ID from public client failed",
       cause: e instanceof Error ? e : void 0
     });
   }
   if (chainId === null) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "PUBLIC_WALLET_GET_CHAIN_ID_FAILED" /* PublicWalletGetChainIdFailed */,
       message: "chain ID from public client is null"
     });
@@ -337,14 +337,14 @@ async function getWalletClientAccount(walletClient) {
       address = (await walletClient.getAddresses())?.[0];
     }
   } catch (e) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "PUBLIC_WALLET_GET_ADDRESSES_FAILED" /* PublicWalletGetAddressesFailed */,
       message: "getting address from wallet client failed",
       cause: e instanceof Error ? e : void 0
     });
   }
   if (!address) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "PUBLIC_WALLET_GET_ADDRESSES_FAILED" /* PublicWalletGetAddressesFailed */,
       message: "address from wallet client is null"
     });
@@ -448,7 +448,7 @@ var zkPack = (items, builder) => {
         break;
       }
       default: {
-        throw new CofhesdkError({
+        throw new CofheError({
           code: "ZK_PACK_FAILED" /* ZkPackFailed */,
           message: `Invalid utype: ${item.utype}`,
           hint: `Ensure that the utype is valid, using the Encryptable type, for example: Encryptable.uint128(100n)`,
@@ -460,7 +460,7 @@ var zkPack = (items, builder) => {
     }
   }
   if (totalBits > MAX_ENCRYPTABLE_BITS) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
       message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
       hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
@@ -524,14 +524,14 @@ var zkVerify = async (verifierUrl, serializedBytes, address, securityZone, chain
     });
     if (!response.ok) {
       const errorBody = await response.text();
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
         message: `HTTP error! ZK proof verification failed - ${errorBody}`
       });
     }
     const json = await response.json();
     if (json.status !== "success") {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
         message: `ZK proof verification response malformed - ${json.error}`
       });
@@ -543,7 +543,7 @@ var zkVerify = async (verifierUrl, serializedBytes, address, securityZone, chain
       };
     });
   } catch (e) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_VERIFY_FAILED" /* ZkVerifyFailed */,
       message: `ZK proof verification failed`,
       cause: e instanceof Error ? e : void 0
@@ -661,9 +661,17 @@ var MockZkVerifierAbi = [
   },
   { type: "error", name: "InvalidInputs", inputs: [] }
 ];
-var MocksZkVerifierAddress = "0x0000000000000000000000000000000000000100";
+
+// core/consts.ts
+var TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
+var MOCKS_ZK_VERIFIER_ADDRESS = "0x0000000000000000000000000000000000005001";
+var MOCKS_THRESHOLD_NETWORK_ADDRESS = "0x0000000000000000000000000000000000005002";
+var TEST_BED_ADDRESS = "0x0000000000000000000000000000000000005003";
 var MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY = "0x6C8D7F768A6BB4AAFE85E8A2F5A9680355239C7E14646ED62B044E39DE154512";
 var MOCKS_ZK_VERIFIER_SIGNER_ADDRESS = "0x6E12D8C87503D4287c294f2Fdef96ACd9DFf6bd2";
+var MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY = "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d";
+
+// core/encrypt/cofheMocksZkVerifySign.ts
 function createMockZkVerifierSigner() {
   return viem.createWalletClient({
     chain: chains.hardhat,
@@ -706,7 +714,7 @@ async function cofheMocksCheckEncryptableBits(items) {
     }
   }
   if (totalBits > MAX_ENCRYPTABLE_BITS) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
       message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
       hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
@@ -729,18 +737,18 @@ async function calcCtHashes(items, account, securityZone, publicClient) {
   let ctHashes;
   try {
     ctHashes = await publicClient.readContract({
-      address: MocksZkVerifierAddress,
+      address: MOCKS_ZK_VERIFIER_ADDRESS,
       abi: MockZkVerifierAbi,
       functionName: "zkVerifyCalcCtHashesPacked",
       args: calcCtHashesArgs
     });
   } catch (err) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
       message: `mockZkVerifySign calcCtHashes failed while calling zkVerifyCalcCtHashesPacked`,
       cause: err instanceof Error ? err : void 0,
       context: {
-        address: MocksZkVerifierAddress,
+        address: MOCKS_ZK_VERIFIER_ADDRESS,
         items,
         account,
         securityZone,
@@ -750,7 +758,7 @@ async function calcCtHashes(items, account, securityZone, publicClient) {
     });
   }
   if (ctHashes.length !== items.length) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_MOCKS_CALC_CT_HASHES_FAILED" /* ZkMocksCalcCtHashesFailed */,
       message: `mockZkVerifySign calcCtHashes returned incorrect number of ctHashes`,
       context: {
@@ -773,7 +781,7 @@ async function insertCtHashes(items, walletClient) {
   try {
     const account = walletClient.account;
     await walletClient.writeContract({
-      address: MocksZkVerifierAddress,
+      address: MOCKS_ZK_VERIFIER_ADDRESS,
       abi: MockZkVerifierAbi,
       functionName: "insertPackedCtHashes",
       args: insertPackedCtHashesArgs,
@@ -781,7 +789,7 @@ async function insertCtHashes(items, walletClient) {
       account
     });
   } catch (err) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_MOCKS_INSERT_CT_HASHES_FAILED" /* ZkMocksInsertCtHashesFailed */,
       message: `mockZkVerifySign insertPackedCtHashes failed while calling insertPackedCtHashes`,
       cause: err instanceof Error ? err : void 0,
@@ -799,7 +807,7 @@ async function createProofSignatures(items, securityZone) {
   try {
     encInputSignerClient = createMockZkVerifierSigner();
   } catch (err) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
       message: `mockZkVerifySign createProofSignatures failed while creating wallet client`,
       cause: err instanceof Error ? err : void 0,
@@ -820,7 +828,7 @@ async function createProofSignatures(items, securityZone) {
       signatures.push(signature);
     }
   } catch (err) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
       message: `mockZkVerifySign createProofSignatures failed while calling signMessage`,
       cause: err instanceof Error ? err : void 0,
@@ -831,7 +839,7 @@ async function createProofSignatures(items, securityZone) {
     });
   }
   if (signatures.length !== items.length) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_MOCKS_CREATE_PROOF_SIGNATURE_FAILED" /* ZkMocksCreateProofSignatureFailed */,
       message: `mockZkVerifySign createProofSignatures returned incorrect number of signatures`,
       context: {
@@ -861,21 +869,18 @@ var CofheChainSchema = zod.z.object({
   /** Network identifier */
   network: zod.z.string().min(1),
   /** coFhe service URL */
-  coFheUrl: zod.z.string().url(),
+  coFheUrl: zod.z.url(),
   /** Verifier service URL */
-  verifierUrl: zod.z.string().url(),
+  verifierUrl: zod.z.url(),
   /** Threshold network service URL */
-  thresholdNetworkUrl: zod.z.string().url(),
+  thresholdNetworkUrl: zod.z.url(),
   /** Environment type */
   environment: EnvironmentSchema
 });
-
-// chains/defineChain.ts
 function defineChain(chainConfig) {
   const result = CofheChainSchema.safeParse(chainConfig);
   if (!result.success) {
-    const errorMessages = result.error.errors.map((err) => `${err.path.join(".")}: ${err.message}`);
-    throw new Error(`Invalid chain configuration: ${errorMessages.join(", ")}`);
+    throw new Error(`Invalid chain configuration: ${zod.z.prettifyError(result.error)}`, { cause: result.error });
   }
   return result.data;
 }
@@ -891,46 +896,51 @@ var hardhat2 = defineChain({
   thresholdNetworkUrl: "http://127.0.0.1:3000",
   environment: "MOCK"
 });
-var CofhesdkConfigSchema = zod.z.object({
+var CofheConfigSchema = zod.z.object({
   /** Environment that the SDK is running in */
   environment: zod.z.enum(["node", "hardhat", "web", "react"]).optional().default("node"),
   /** List of supported chain configurations */
   supportedChains: zod.z.array(zod.z.custom()),
-  /** How permits are generated */
-  permitGeneration: zod.z.enum(["ON_CONNECT", "ON_DECRYPT_HANDLES", "MANUAL"]).optional().default("ON_CONNECT"),
   /** Default permit expiration in seconds, default is 30 days */
   defaultPermitExpiration: zod.z.number().optional().default(60 * 60 * 24 * 30),
   /** Storage method for fhe keys (defaults to indexedDB on web, filesystem on node) */
   fheKeyStorage: zod.z.object({
-    getItem: zod.z.function().args(zod.z.string()).returns(zod.z.promise(zod.z.any())),
-    setItem: zod.z.function().args(zod.z.string(), zod.z.any()).returns(zod.z.promise(zod.z.void())),
-    removeItem: zod.z.function().args(zod.z.string()).returns(zod.z.promise(zod.z.void()))
+    getItem: zod.z.custom((val) => typeof val === "function", {
+      message: "getItem must be a function"
+    }),
+    setItem: zod.z.custom((val) => typeof val === "function", {
+      message: "setItem must be a function"
+    }),
+    removeItem: zod.z.custom((val) => typeof val === "function", {
+      message: "removeItem must be a function"
+    })
   }).or(zod.z.null()).default(null),
   /** Whether to use Web Workers for ZK proof generation (web platform only) */
   useWorkers: zod.z.boolean().optional().default(true),
   /** Mocks configs */
   mocks: zod.z.object({
-    sealOutputDelay: zod.z.number().optional().default(0)
-  }).optional().default({ sealOutputDelay: 0 }),
+    decryptDelay: zod.z.number().optional().default(0),
+    encryptDelay: zod.z.union([zod.z.number(), zod.z.tuple([zod.z.number(), zod.z.number(), zod.z.number(), zod.z.number(), zod.z.number()])]).optional().default([100, 100, 100, 500, 500])
+  }).optional().default({ decryptDelay: 0, encryptDelay: [100, 100, 100, 500, 500] }),
   /** Internal configuration */
   _internal: zod.z.object({
     zkvWalletClient: zod.z.any().optional()
   }).optional()
 });
-function createCofhesdkConfigBase(config) {
-  const result = CofhesdkConfigSchema.safeParse(config);
+function createCofheConfigBase(config) {
+  const result = CofheConfigSchema.safeParse(config);
   if (!result.success) {
-    throw new Error(`Invalid cofhesdk configuration: ${result.error.message}`);
+    throw new Error(`Invalid cofhe configuration: ${zod.z.prettifyError(result.error)}`, { cause: result.error });
   }
   return result.data;
 }
-var getCofhesdkConfigItem = (config, key) => {
+var getCofheConfigItem = (config, key) => {
   return config[key];
 };
 function getSupportedChainOrThrow(config, chainId) {
   const supportedChain = config.supportedChains.find((chain) => chain.id === chainId);
   if (!supportedChain) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "UNSUPPORTED_CHAIN" /* UnsupportedChain */,
       message: `Config does not support chain <${chainId}>`,
       hint: "Ensure config passed to client has been created with this chain in the config.supportedChains array.",
@@ -946,7 +956,7 @@ function getCoFheUrlOrThrow(config, chainId) {
   const supportedChain = getSupportedChainOrThrow(config, chainId);
   const url = supportedChain.coFheUrl;
   if (!url) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "MISSING_CONFIG" /* MissingConfig */,
       message: `CoFHE URL is not configured for chain <${chainId}>`,
       hint: "Ensure this chain config includes a coFheUrl property.",
@@ -959,7 +969,7 @@ function getZkVerifierUrlOrThrow(config, chainId) {
   const supportedChain = getSupportedChainOrThrow(config, chainId);
   const url = supportedChain.verifierUrl;
   if (!url) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ZK_VERIFIER_URL_UNINITIALIZED" /* ZkVerifierUrlUninitialized */,
       message: `ZK verifier URL is not configured for chain <${chainId}>`,
       hint: "Ensure this chain config includes a verifierUrl property.",
@@ -972,7 +982,7 @@ function getThresholdNetworkUrlOrThrow(config, chainId) {
   const supportedChain = getSupportedChainOrThrow(config, chainId);
   const url = supportedChain.thresholdNetworkUrl;
   if (!url) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "THRESHOLD_NETWORK_URL_UNINITIALIZED" /* ThresholdNetworkUrlUninitialized */,
       message: `Threshold network URL is not configured for chain <${chainId}>`,
       hint: "Ensure this chain config includes a thresholdNetworkUrl property.",
@@ -1184,7 +1194,7 @@ var BaseBuilder = class {
   account;
   constructor(params) {
     if (!params.config) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "MISSING_CONFIG" /* MissingConfig */,
         message: "Builder config is undefined",
         hint: "Ensure client has been created with a config.",
@@ -1202,12 +1212,12 @@ var BaseBuilder = class {
   }
   /**
    * Asserts that this.chainId is populated
-   * @throws {CofhesdkError} If chainId is not set
+   * @throws {CofheError} If chainId is not set
    */
   assertChainId() {
     if (this.chainId)
       return;
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "CHAIN_ID_UNINITIALIZED" /* ChainIdUninitialized */,
       message: "Chain ID is not set",
       hint: "Ensure client.connect() has been called and awaited, or use setChainId(...) to set the chainId explicitly.",
@@ -1218,12 +1228,12 @@ var BaseBuilder = class {
   }
   /**
    * Asserts that this.account is populated
-   * @throws {CofhesdkError} If account is not set
+   * @throws {CofheError} If account is not set
    */
   assertAccount() {
     if (this.account)
       return;
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "ACCOUNT_UNINITIALIZED" /* AccountUninitialized */,
       message: "Account is not set",
       hint: "Ensure client.connect() has been called and awaited, or use setAccount(...) to set the account explicitly.",
@@ -1234,12 +1244,12 @@ var BaseBuilder = class {
   }
   /**
    * Asserts that this.publicClient is populated
-   * @throws {CofhesdkError} If publicClient is not set
+   * @throws {CofheError} If publicClient is not set
    */
   assertPublicClient() {
     if (this.publicClient)
       return;
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "MISSING_PUBLIC_CLIENT" /* MissingPublicClient */,
       message: "Public client not found",
       hint: "Ensure client.connect() has been called with a publicClient.",
@@ -1250,12 +1260,12 @@ var BaseBuilder = class {
   }
   /**
    * Asserts that this.walletClient is populated
-   * @throws {CofhesdkError} If walletClient is not set
+   * @throws {CofheError} If walletClient is not set
    */
   assertWalletClient() {
     if (this.walletClient)
       return;
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "MISSING_WALLET_CLIENT" /* MissingWalletClient */,
       message: "Wallet client not found",
       hint: "Ensure client.connect() has been called with a walletClient.",
@@ -1300,7 +1310,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     this.securityZone = params.securityZone ?? 0;
     this.zkvWalletClient = params.zkvWalletClient;
     if (!params.tfhePublicKeyDeserializer) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "MISSING_TFHE_PUBLIC_KEY_DESERIALIZER" /* MissingTfhePublicKeyDeserializer */,
         message: "EncryptInputsBuilder tfhePublicKeyDeserializer is undefined",
         hint: "Ensure client has been created with a tfhePublicKeyDeserializer.",
@@ -1311,7 +1321,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     }
     this.tfhePublicKeyDeserializer = params.tfhePublicKeyDeserializer;
     if (!params.compactPkeCrsDeserializer) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "MISSING_COMPACT_PKE_CRS_DESERIALIZER" /* MissingCompactPkeCrsDeserializer */,
         message: "EncryptInputsBuilder compactPkeCrsDeserializer is undefined",
         hint: "Ensure client has been created with a compactPkeCrsDeserializer.",
@@ -1322,7 +1332,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     }
     this.compactPkeCrsDeserializer = params.compactPkeCrsDeserializer;
     if (!params.zkBuilderAndCrsGenerator) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "MISSING_ZK_BUILDER_AND_CRS_GENERATOR" /* MissingZkBuilderAndCrsGenerator */,
         message: "EncryptInputsBuilder zkBuilderAndCrsGenerator is undefined",
         hint: "Ensure client has been created with a zkBuilderAndCrsGenerator.",
@@ -1346,7 +1356,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * ```typescript
    * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
    *   .setAccount("0x123")
-   *   .encrypt();
+   *   .execute();
    * ```
    *
    * @returns The chainable EncryptInputsBuilder instance.
@@ -1367,7 +1377,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * ```typescript
    * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
    *   .setChainId(11155111)
-   *   .encrypt();
+   *   .execute();
    * ```
    *
    * @returns The chainable EncryptInputsBuilder instance.
@@ -1388,7 +1398,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * ```typescript
    * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
    *   .setSecurityZone(1)
-   *   .encrypt();
+   *   .execute();
    * ```
    *
    * @returns The chainable EncryptInputsBuilder instance.
@@ -1409,7 +1419,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * ```typescript
    * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
    *   .setUseWorker(false)
-   *   .encrypt();
+   *   .execute();
    * ```
    *
    * @returns The chainable EncryptInputsBuilder instance.
@@ -1443,13 +1453,13 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * Example:
    * ```typescript
    * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
-   *   .setStepCallback((step: EncryptStep) => console.log(step))
-   *   .encrypt();
+   *   .onStep((step: EncryptStep) => console.log(step))
+   *   .execute();
    * ```
    *
    * @returns The EncryptInputsBuilder instance.
    */
-  setStepCallback(callback) {
+  onStep(callback) {
     this.stepCallback = callback;
     return this;
   }
@@ -1472,7 +1482,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     this.stepCallback(step, { ...context, isStart: false, isEnd: true, duration });
   }
   /**
-   * zkVerifierUrl is included in the chains exported from cofhesdk/chains for use in CofhesdkConfig.supportedChains
+   * zkVerifierUrl is included in the chains exported from @cofhe/sdk/chains for use in CofheConfig.supportedChains
    * Users should generally not set this manually.
    */
   async getZkVerifierUrl() {
@@ -1480,7 +1490,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     return getZkVerifierUrlOrThrow(this.config, this.chainId);
   }
   /**
-   * initTfhe is a platform-specific dependency injected into core/createCofhesdkClientBase by web/createCofhesdkClient and node/createCofhesdkClient
+   * initTfhe is a platform-specific dependency injected into core/createCofheClientBase by web/createCofheClient and node/createCofheClient
    * web/ uses zama "tfhe"
    * node/ uses zama "node-tfhe"
    * Users should not set this manually.
@@ -1491,7 +1501,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     try {
       return await this.initTfhe();
     } catch (error) {
-      throw CofhesdkError.fromError(error, {
+      throw CofheError.fromError(error, {
         code: "INIT_TFHE_FAILED" /* InitTfheFailed */,
         message: `Failed to initialize TFHE`,
         context: {
@@ -1510,7 +1520,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     try {
       await this.keysStorage?.rehydrateKeysStore();
     } catch (error) {
-      throw CofhesdkError.fromError(error, {
+      throw CofheError.fromError(error, {
         code: "REHYDRATE_KEYS_STORE_FAILED" /* RehydrateKeysStoreFailed */,
         message: `Failed to rehydrate keys store`,
         context: {
@@ -1532,7 +1542,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
         this.keysStorage
       );
     } catch (error) {
-      throw CofhesdkError.fromError(error, {
+      throw CofheError.fromError(error, {
         code: "FETCH_KEYS_FAILED" /* FetchKeysFailed */,
         message: `Failed to fetch FHE key and CRS`,
         context: {
@@ -1545,7 +1555,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
       });
     }
     if (!fheKey) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "MISSING_FHE_KEY" /* MissingFheKey */,
         message: `FHE key not found`,
         context: {
@@ -1555,7 +1565,7 @@ var EncryptInputsBuilder = class extends BaseBuilder {
       });
     }
     if (!crs) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "MISSING_CRS" /* MissingCrs */,
         message: `CRS not found for chainId <${this.chainId}>`,
         context: {
@@ -1565,6 +1575,17 @@ var EncryptInputsBuilder = class extends BaseBuilder {
     }
     return { fheKey, fheKeyFetchedFromCoFHE, crs, crsFetchedFromCoFHE };
   }
+  /**
+   * Resolves the encryptDelay config into an array of 5 per-step delays.
+   * A single number is broadcast to all steps; a tuple is used as-is.
+   */
+  resolveEncryptDelays() {
+    const encryptDelay = this.config?.mocks?.encryptDelay ?? [100, 100, 100, 500, 500];
+    if (typeof encryptDelay === "number") {
+      return [encryptDelay, encryptDelay, encryptDelay, encryptDelay, encryptDelay];
+    }
+    return encryptDelay;
+  }
   /**
    * @dev Encrypt against the cofheMocks instead of CoFHE
    *
@@ -1572,25 +1593,35 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * cofheMocksInsertPackedHashes - stores the ctHashes and their plaintext values for on-chain mocking of FHE operations.
    * cofheMocksZkCreateProofSignatures - creates signatures to be included in the encrypted inputs. The signers address is known and verified in the mock contracts.
    */
-  async mocksEncrypt() {
+  async mocksExecute() {
     this.assertAccount();
     this.assertPublicClient();
     this.assertWalletClient();
+    const [initTfheDelay, fetchKeysDelay, packDelay, proveDelay, verifyDelay] = this.resolveEncryptDelays();
     this.fireStepStart("initTfhe" /* InitTfhe */);
-    await sleep(100);
-    this.fireStepEnd("initTfhe" /* InitTfhe */, { tfheInitializationExecuted: false });
+    await sleep(initTfheDelay);
+    this.fireStepEnd("initTfhe" /* InitTfhe */, {
+      tfheInitializationExecuted: false,
+      isMocks: true,
+      mockSleep: initTfheDelay
+    });
     this.fireStepStart("fetchKeys" /* FetchKeys */);
-    await sleep(100);
-    this.fireStepEnd("fetchKeys" /* FetchKeys */, { fheKeyFetchedFromCoFHE: false, crsFetchedFromCoFHE: false });
+    await sleep(fetchKeysDelay);
+    this.fireStepEnd("fetchKeys" /* FetchKeys */, {
+      fheKeyFetchedFromCoFHE: false,
+      crsFetchedFromCoFHE: false,
+      isMocks: true,
+      mockSleep: fetchKeysDelay
+    });
     this.fireStepStart("pack" /* Pack */);
     await cofheMocksCheckEncryptableBits(this.inputItems);
-    await sleep(100);
-    this.fireStepEnd("pack" /* Pack */);
+    await sleep(packDelay);
+    this.fireStepEnd("pack" /* Pack */, { isMocks: true, mockSleep: packDelay });
     this.fireStepStart("prove" /* Prove */);
-    await sleep(500);
-    this.fireStepEnd("prove" /* Prove */);
+    await sleep(proveDelay);
+    this.fireStepEnd("prove" /* Prove */, { isMocks: true, mockSleep: proveDelay });
     this.fireStepStart("verify" /* Verify */);
-    await sleep(500);
+    await sleep(verifyDelay);
     const signedResults = await cofheMocksZkVerifySign(
       this.inputItems,
       this.account,
@@ -1605,13 +1636,13 @@ var EncryptInputsBuilder = class extends BaseBuilder {
       utype: this.inputItems[index].utype,
       signature
     }));
-    this.fireStepEnd("verify" /* Verify */);
+    this.fireStepEnd("verify" /* Verify */, { isMocks: true, mockSleep: verifyDelay });
     return encryptedInputs;
   }
   /**
    * In the production context, perform a true encryption with the CoFHE coprocessor.
    */
-  async productionEncrypt() {
+  async productionExecute() {
     this.assertAccount();
     this.assertChainId();
     this.fireStepStart("initTfhe" /* InitTfhe */);
@@ -1674,15 +1705,15 @@ var EncryptInputsBuilder = class extends BaseBuilder {
    * const encrypted = await encryptInputs([Encryptable.uint128(10n)])
    *   .setAccount('0x123...890') // optional
    *   .setChainId(11155111)      // optional
-   *   .encrypt();                // execute
+   *   .execute();                // execute
    * ```
    *
    * @returns The encrypted inputs.
    */
-  async encrypt() {
+  async execute() {
     if (this.chainId === chains.hardhat.id)
-      return this.mocksEncrypt();
-    return this.productionEncrypt();
+      return this.mocksExecute();
+    return this.productionExecute();
   }
 };
 
@@ -1733,9 +1764,6 @@ function isBigIntOrNumber(value) {
     }
   }
 }
-function is0xPrefixed(value) {
-  return value.startsWith("0x");
-}
 
 // permits/sealing.ts
 var PRIVATE_KEY_LENGTH = 64;
@@ -1823,158 +1851,137 @@ var SerializedSealingPair = zod.z.object({
   privateKey: zod.z.string(),
   publicKey: zod.z.string()
 });
+var addressSchema = zod.z.string().refine((val) => viem.isAddress(val), {
+  error: "Invalid address"
+}).transform((val) => viem.getAddress(val));
+var addressNotZeroSchema = addressSchema.refine((val) => val !== viem.zeroAddress, {
+  error: "Must not be zeroAddress"
+});
+var bytesSchema = zod.z.custom(
+  (val) => {
+    return typeof val === "string" && viem.isHex(val);
+  },
+  {
+    message: "Invalid hex value"
+  }
+);
+var bytesNotEmptySchema = bytesSchema.refine((val) => val !== "0x", {
+  error: "Must not be empty"
+});
 var DEFAULT_EXPIRATION_FN = () => Math.round(Date.now() / 1e3) + 7 * 24 * 60 * 60;
 var zPermitWithDefaults = zod.z.object({
   name: zod.z.string().optional().default("Unnamed Permit"),
   type: zod.z.enum(["self", "sharing", "recipient"]),
-  issuer: zod.z.string().refine((val) => viem.isAddress(val), {
-    message: "Permit issuer :: invalid address"
-  }).refine((val) => val !== viem.zeroAddress, {
-    message: "Permit issuer :: must not be zeroAddress"
-  }),
-  expiration: zod.z.number().optional().default(DEFAULT_EXPIRATION_FN),
-  recipient: zod.z.string().optional().default(viem.zeroAddress).refine((val) => viem.isAddress(val), {
-    message: "Permit recipient :: invalid address"
-  }),
-  validatorId: zod.z.number().optional().default(0),
-  validatorContract: zod.z.string().optional().default(viem.zeroAddress).refine((val) => viem.isAddress(val), {
-    message: "Permit validatorContract :: invalid address"
-  }),
-  issuerSignature: zod.z.string().optional().default("0x"),
-  recipientSignature: zod.z.string().optional().default("0x")
+  issuer: addressNotZeroSchema,
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  recipient: addressSchema.optional().default(viem.zeroAddress),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
 });
 var zPermitWithSealingPair = zPermitWithDefaults.extend({
   sealingPair: SerializedSealingPair.optional()
 });
-var ValidatorContractRefinement = [
+var ExternalValidatorRefinement = [
   (data) => data.validatorId !== 0 && data.validatorContract !== viem.zeroAddress || data.validatorId === 0 && data.validatorContract === viem.zeroAddress,
   {
-    message: "Permit external validator :: validatorId and validatorContract must either both be set or both be unset.",
+    error: "Permit external validator :: validatorId and validatorContract must either both be set or both be unset.",
     path: ["validatorId", "validatorContract"]
   }
 ];
+var RecipientRefinement = [
+  (data) => data.issuer !== data.recipient,
+  {
+    error: "Sharing permit :: issuer and recipient must not be the same",
+    path: ["issuer", "recipient"]
+  }
+];
 var SelfPermitOptionsValidator = zod.z.object({
   type: zod.z.literal("self").optional().default("self"),
-  issuer: zod.z.string().refine((val) => viem.isAddress(val), {
-    message: "Self permit issuer :: invalid address"
-  }).refine((val) => is0xPrefixed(val), {
-    message: "Self permit issuer :: must be 0x prefixed"
-  }).refine((val) => val !== viem.zeroAddress, {
-    message: "Self permit issuer :: must not be zeroAddress"
-  }),
+  issuer: addressNotZeroSchema,
   name: zod.z.string().optional().default("Unnamed Permit"),
-  expiration: zod.z.number().optional().default(DEFAULT_EXPIRATION_FN),
-  recipient: zod.z.string().optional().default(viem.zeroAddress).refine((val) => viem.isAddress(val), {
-    message: "Self permit recipient :: invalid address"
-  }).refine((val) => is0xPrefixed(val), {
-    message: "Self permit recipient :: must be 0x prefixed"
-  }).refine((val) => val === viem.zeroAddress, {
-    message: "Self permit recipient :: must be zeroAddress"
-  }),
-  validatorId: zod.z.number().optional().default(0),
-  validatorContract: zod.z.string().optional().default(viem.zeroAddress).refine((val) => viem.isAddress(val), {
-    message: "Self permit validatorContract :: invalid address"
-  }),
-  issuerSignature: zod.z.string().optional().default("0x").refine((val) => is0xPrefixed(val), {
-    message: "Self permit issuerSignature :: must be 0x prefixed"
-  }),
-  recipientSignature: zod.z.string().optional().default("0x").refine((val) => is0xPrefixed(val), {
-    message: "Self permit recipientSignature :: must be 0x prefixed"
-  })
-}).refine(...ValidatorContractRefinement);
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  recipient: addressSchema.optional().default(viem.zeroAddress),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...ExternalValidatorRefinement);
 var SelfPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "self", {
-  message: "Self permit :: type must be 'self'"
+  error: "Type must be 'self'"
 }).refine((data) => data.recipient === viem.zeroAddress, {
-  message: "Self permit :: recipient must be zeroAddress"
+  error: "Recipient must be zeroAddress"
 }).refine((data) => data.issuerSignature !== "0x", {
-  message: "Self permit :: issuerSignature must be populated"
+  error: "IssuerSignature must be populated"
 }).refine((data) => data.recipientSignature === "0x", {
-  message: "Self permit :: recipientSignature must be empty"
-}).refine(...ValidatorContractRefinement);
+  error: "RecipientSignature must be empty"
+}).refine(...ExternalValidatorRefinement);
 var SharingPermitOptionsValidator = zod.z.object({
   type: zod.z.literal("sharing").optional().default("sharing"),
-  issuer: zod.z.string().refine((val) => viem.isAddress(val), {
-    message: "Sharing permit issuer :: invalid address"
-  }).refine((val) => is0xPrefixed(val), {
-    message: "Sharing permit issuer :: must be 0x prefixed"
-  }).refine((val) => val !== viem.zeroAddress, {
-    message: "Sharing permit issuer :: must not be zeroAddress"
-  }),
-  recipient: zod.z.string().refine((val) => viem.isAddress(val), {
-    message: "Sharing permit recipient :: invalid address"
-  }).refine((val) => is0xPrefixed(val), {
-    message: "Sharing permit recipient :: must be 0x prefixed"
-  }).refine((val) => val !== viem.zeroAddress, {
-    message: "Sharing permit recipient :: must not be zeroAddress"
-  }),
+  issuer: addressNotZeroSchema,
+  recipient: addressNotZeroSchema,
   name: zod.z.string().optional().default("Unnamed Permit"),
-  expiration: zod.z.number().optional().default(DEFAULT_EXPIRATION_FN),
-  validatorId: zod.z.number().optional().default(0),
-  validatorContract: zod.z.string().optional().default(viem.zeroAddress).refine((val) => viem.isAddress(val), {
-    message: "Sharing permit validatorContract :: invalid address"
-  }),
-  issuerSignature: zod.z.string().optional().default("0x").refine((val) => is0xPrefixed(val), {
-    message: "Sharing permit issuerSignature :: must be 0x prefixed"
-  }),
-  recipientSignature: zod.z.string().optional().default("0x").refine((val) => is0xPrefixed(val), {
-    message: "Sharing permit recipientSignature :: must be 0x prefixed"
-  })
-}).refine(...ValidatorContractRefinement);
+  expiration: zod.z.int().optional().default(DEFAULT_EXPIRATION_FN),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesSchema.optional().default("0x"),
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...RecipientRefinement).refine(...ExternalValidatorRefinement);
 var SharingPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "sharing", {
-  message: "Sharing permit :: type must be 'sharing'"
+  error: "Type must be 'sharing'"
 }).refine((data) => data.recipient !== viem.zeroAddress, {
-  message: "Sharing permit :: recipient must not be zeroAddress"
+  error: "Recipient must not be zeroAddress"
 }).refine((data) => data.issuerSignature !== "0x", {
-  message: "Sharing permit :: issuerSignature must be populated"
+  error: "IssuerSignature must be populated"
 }).refine((data) => data.recipientSignature === "0x", {
-  message: "Sharing permit :: recipientSignature must be empty"
-}).refine(...ValidatorContractRefinement);
+  error: "RecipientSignature must be empty"
+}).refine(...ExternalValidatorRefinement);
 var ImportPermitOptionsValidator = zod.z.object({
   type: zod.z.literal("recipient").optional().default("recipient"),
-  issuer: zod.z.string().refine((val) => viem.isAddress(val), {
-    message: "Import permit issuer :: invalid address"
-  }).refine((val) => is0xPrefixed(val), {
-    message: "Import permit issuer :: must be 0x prefixed"
-  }).refine((val) => val !== viem.zeroAddress, {
-    message: "Import permit issuer :: must not be zeroAddress"
-  }),
-  recipient: zod.z.string().refine((val) => viem.isAddress(val), {
-    message: "Import permit recipient :: invalid address"
-  }).refine((val) => is0xPrefixed(val), {
-    message: "Import permit recipient :: must be 0x prefixed"
-  }).refine((val) => val !== viem.zeroAddress, {
-    message: "Import permit recipient :: must not be zeroAddress"
-  }),
-  issuerSignature: zod.z.string().refine((val) => is0xPrefixed(val), {
-    message: "Import permit issuerSignature :: must be 0x prefixed"
-  }).refine((val) => val !== "0x", {
-    message: "Import permit :: issuerSignature must be provided"
-  }),
+  issuer: addressNotZeroSchema,
+  recipient: addressNotZeroSchema,
   name: zod.z.string().optional().default("Unnamed Permit"),
-  expiration: zod.z.number().optional().default(DEFAULT_EXPIRATION_FN),
-  validatorId: zod.z.number().optional().default(0),
-  validatorContract: zod.z.string().optional().default(viem.zeroAddress).refine((val) => viem.isAddress(val), {
-    message: "Import permit validatorContract :: invalid address"
-  }),
-  recipientSignature: zod.z.string().optional().default("0x").refine((val) => is0xPrefixed(val), {
-    message: "Import permit recipientSignature :: must be 0x prefixed"
-  })
-}).refine(...ValidatorContractRefinement);
+  expiration: zod.z.int(),
+  validatorId: zod.z.int().optional().default(0),
+  validatorContract: addressSchema.optional().default(viem.zeroAddress),
+  issuerSignature: bytesNotEmptySchema,
+  recipientSignature: bytesSchema.optional().default("0x")
+}).refine(...ExternalValidatorRefinement);
 var ImportPermitValidator = zPermitWithSealingPair.refine((data) => data.type === "recipient", {
-  message: "Import permit :: type must be 'recipient'"
+  error: "Type must be 'recipient'"
 }).refine((data) => data.recipient !== viem.zeroAddress, {
-  message: "Import permit :: recipient must not be zeroAddress"
+  error: "Recipient must not be zeroAddress"
 }).refine((data) => data.issuerSignature !== "0x", {
-  message: "Import permit :: issuerSignature must be populated"
+  error: "IssuerSignature must be populated"
 }).refine((data) => data.recipientSignature !== "0x", {
-  message: "Import permit :: recipientSignature must be populated"
-}).refine(...ValidatorContractRefinement);
-var validateSelfPermitOptions = (options) => SelfPermitOptionsValidator.safeParse(options);
-var validateSharingPermitOptions = (options) => SharingPermitOptionsValidator.safeParse(options);
-var validateImportPermitOptions = (options) => ImportPermitOptionsValidator.safeParse(options);
-var validateSelfPermit = (permit) => SelfPermitValidator.safeParse(permit);
-var validateSharingPermit = (permit) => SharingPermitValidator.safeParse(permit);
-var validateImportPermit = (permit) => ImportPermitValidator.safeParse(permit);
+  error: "RecipientSignature must be populated"
+}).refine(...ExternalValidatorRefinement);
+var safeParseAndThrowFormatted = (schema, data, message) => {
+  const result = schema.safeParse(data);
+  if (!result.success) {
+    throw new Error(`${message}: ${zod.z.prettifyError(result.error)}`, { cause: result.error });
+  }
+  return result.data;
+};
+var validateSelfPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(SelfPermitOptionsValidator, options, "Invalid self permit options");
+};
+var validateSharingPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(SharingPermitOptionsValidator, options, "Invalid sharing permit options");
+};
+var validateImportPermitOptions = (options) => {
+  return safeParseAndThrowFormatted(ImportPermitOptionsValidator, options, "Invalid import permit options");
+};
+var validateSelfPermit = (permit) => {
+  return safeParseAndThrowFormatted(SelfPermitValidator, permit, "Invalid self permit");
+};
+var validateSharingPermit = (permit) => {
+  return safeParseAndThrowFormatted(SharingPermitValidator, permit, "Invalid sharing permit");
+};
+var validateImportPermit = (permit) => {
+  return safeParseAndThrowFormatted(ImportPermitValidator, permit, "Invalid import permit");
+};
 var ValidationUtils = {
   /**
    * Check if permit is expired
@@ -2068,6 +2075,179 @@ var SignatureUtils = {
     throw new Error(`Unknown permit type: ${permitType}`);
   }
 };
+var getAclAddress = async (publicClient) => {
+  const ACL_IFACE = "function acl() view returns (address)";
+  const aclAbi = viem.parseAbi([ACL_IFACE]);
+  return await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: aclAbi,
+    functionName: "acl"
+  });
+};
+var getAclEIP712Domain = async (publicClient) => {
+  const aclAddress = await getAclAddress(publicClient);
+  const EIP712_DOMAIN_IFACE = "function eip712Domain() public view returns (bytes1 fields, string name, string version, uint256 chainId, address verifyingContract, bytes32 salt, uint256[] extensions)";
+  const domainAbi = viem.parseAbi([EIP712_DOMAIN_IFACE]);
+  const domain = await publicClient.readContract({
+    address: aclAddress,
+    abi: domainAbi,
+    functionName: "eip712Domain"
+  });
+  const [_fields, name, version, chainId, verifyingContract, _salt, _extensions] = domain;
+  return {
+    name,
+    version,
+    chainId: Number(chainId),
+    verifyingContract
+  };
+};
+var checkPermitValidityOnChain = async (permission, publicClient) => {
+  const aclAddress = await getAclAddress(publicClient);
+  try {
+    await publicClient.simulateContract({
+      address: aclAddress,
+      abi: checkPermitValidityAbi,
+      functionName: "checkPermitValidity",
+      args: [
+        {
+          issuer: permission.issuer,
+          expiration: BigInt(permission.expiration),
+          recipient: permission.recipient,
+          validatorId: BigInt(permission.validatorId),
+          validatorContract: permission.validatorContract,
+          sealingKey: permission.sealingKey,
+          issuerSignature: permission.issuerSignature,
+          recipientSignature: permission.recipientSignature
+        }
+      ]
+    });
+    return true;
+  } catch (err) {
+    if (err instanceof viem.BaseError) {
+      const revertError = err.walk((err2) => err2 instanceof viem.ContractFunctionRevertedError);
+      if (revertError instanceof viem.ContractFunctionRevertedError) {
+        const errorName = revertError.data?.errorName ?? "";
+        throw new Error(errorName);
+      }
+    }
+    const customErrorName = extractCustomErrorFromDetails(err, checkPermitValidityAbi);
+    if (customErrorName) {
+      throw new Error(customErrorName);
+    }
+    const hhDetailsData = extractReturnData(err);
+    if (hhDetailsData != null) {
+      const decoded = viem.decodeErrorResult({
+        abi: checkPermitValidityAbi,
+        data: hhDetailsData
+      });
+      throw new Error(decoded.errorName);
+    }
+    throw err;
+  }
+};
+function extractCustomErrorFromDetails(err, abi) {
+  const anyErr = err;
+  const details = anyErr?.details ?? anyErr?.cause?.details;
+  if (typeof details === "string") {
+    const customErrorMatch = details.match(/reverted with custom error '(\w+)\(\)'/);
+    if (customErrorMatch) {
+      const errorName = customErrorMatch[1];
+      const errorExists = abi.some((item) => item.type === "error" && item.name === errorName);
+      if (errorExists) {
+        return errorName;
+      }
+    }
+  }
+  return void 0;
+}
+function extractReturnData(err) {
+  const anyErr = err;
+  const s = anyErr?.details ?? anyErr?.cause?.details ?? anyErr?.shortMessage ?? anyErr?.message ?? String(err);
+  return s.match(/return data:\s*(0x[a-fA-F0-9]+)/)?.[1];
+}
+var checkPermitValidityAbi = [
+  {
+    type: "function",
+    name: "checkPermitValidity",
+    inputs: [
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          {
+            name: "issuer",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "expiration",
+            type: "uint64",
+            internalType: "uint64"
+          },
+          {
+            name: "recipient",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "validatorId",
+            type: "uint256",
+            internalType: "uint256"
+          },
+          {
+            name: "validatorContract",
+            type: "address",
+            internalType: "address"
+          },
+          {
+            name: "sealingKey",
+            type: "bytes32",
+            internalType: "bytes32"
+          },
+          {
+            name: "issuerSignature",
+            type: "bytes",
+            internalType: "bytes"
+          },
+          {
+            name: "recipientSignature",
+            type: "bytes",
+            internalType: "bytes"
+          }
+        ]
+      }
+    ],
+    outputs: [
+      {
+        name: "",
+        type: "bool",
+        internalType: "bool"
+      }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_Disabled",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_Expired",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_IssuerSignature",
+    inputs: []
+  },
+  {
+    type: "error",
+    name: "PermissionInvalid_RecipientSignature",
+    inputs: []
+  }
+];
 
 // permits/permit.ts
 var PermitUtils = {
@@ -2076,14 +2256,10 @@ var PermitUtils = {
    */
   createSelf: (options) => {
     const validation = validateSelfPermitOptions(options);
-    if (!validation.success) {
-      throw new Error(
-        "PermitUtils :: createSelf :: Parsing SelfPermitOptions failed " + JSON.stringify(validation.error, null, 2)
-      );
-    }
     const sealingPair = GenerateSealingKey();
     const permit = {
-      ...validation.data,
+      hash: PermitUtils.getHash(validation),
+      ...validation,
       sealingPair,
       _signedDomain: void 0
     };
@@ -2094,14 +2270,10 @@ var PermitUtils = {
    */
   createSharing: (options) => {
     const validation = validateSharingPermitOptions(options);
-    if (!validation.success) {
-      throw new Error(
-        "PermitUtils :: createSharing :: Parsing SharingPermitOptions failed " + JSON.stringify(validation.error, null, 2)
-      );
-    }
     const sealingPair = GenerateSealingKey();
     const permit = {
-      ...validation.data,
+      hash: PermitUtils.getHash(validation),
+      ...validation,
       sealingPair,
       _signedDomain: void 0
     };
@@ -2116,27 +2288,21 @@ var PermitUtils = {
       try {
         parsedOptions = JSON.parse(options);
       } catch (error) {
-        throw new Error(`PermitUtils :: importShared :: Failed to parse JSON string: ${error}`);
+        throw new Error(`Failed to parse JSON string: ${error}`);
       }
     } else if (typeof options === "object" && options !== null) {
       parsedOptions = options;
     } else {
-      throw new Error(
-        "PermitUtils :: importShared :: Invalid input type, expected ImportSharedPermitOptions, object, or string"
-      );
+      throw new Error("Invalid input type, expected ImportSharedPermitOptions, object, or string");
     }
     if (parsedOptions.type != null && parsedOptions.type !== "sharing") {
-      throw new Error(`PermitUtils :: importShared :: Invalid permit type <${parsedOptions.type}>, must be "sharing"`);
+      throw new Error(`Invalid permit type <${parsedOptions.type}>, must be "sharing"`);
     }
     const validation = validateImportPermitOptions({ ...parsedOptions, type: "recipient" });
-    if (!validation.success) {
-      throw new Error(
-        "PermitUtils :: importShared :: Parsing ImportPermitOptions failed " + JSON.stringify(validation.error, null, 2)
-      );
-    }
     const sealingPair = GenerateSealingKey();
     const permit = {
-      ...validation.data,
+      hash: PermitUtils.getHash(validation),
+      ...validation,
       sealingPair,
       _signedDomain: void 0
     };
@@ -2148,11 +2314,11 @@ var PermitUtils = {
   sign: async (permit, publicClient, walletClient) => {
     if (walletClient == null || walletClient.account == null) {
       throw new Error(
-        "PermitUtils :: sign - walletClient undefined, you must pass in a `walletClient` for the connected user to create a permit signature"
+        "Missing walletClient, you must pass in a `walletClient` for the connected user to create a permit signature"
       );
     }
     const primaryType = SignatureUtils.getPrimaryType(permit.type);
-    const domain = await PermitUtils.fetchEIP712Domain(publicClient);
+    const domain = await getAclEIP712Domain(publicClient);
     const { types, message } = SignatureUtils.getSignatureParams(PermitUtils.getPermission(permit, true), primaryType);
     const signature = await walletClient.signTypedData({
       domain,
@@ -2212,6 +2378,7 @@ var PermitUtils = {
    */
   serialize: (permit) => {
     return {
+      hash: permit.hash,
       name: permit.name,
       type: permit.type,
       issuer: permit.issuer,
@@ -2236,7 +2403,7 @@ var PermitUtils = {
     } else if (permit.type === "recipient") {
       return validateImportPermit(permit);
     } else {
-      throw new Error("PermitUtils :: validate :: Invalid permit type");
+      throw new Error("Invalid permit type");
     }
   },
   /**
@@ -2244,12 +2411,7 @@ var PermitUtils = {
    */
   getPermission: (permit, skipValidation = false) => {
     if (!skipValidation) {
-      const validationResult = PermitUtils.validate(permit);
-      if (!validationResult.success) {
-        throw new Error(
-          `PermitUtils :: getPermission :: permit validation failed - ${JSON.stringify(validationResult.error, null, 2)} ${JSON.stringify(permit, null, 2)}`
-        );
-      }
+      PermitUtils.validate(permit);
     }
     return {
       issuer: permit.issuer,
@@ -2330,28 +2492,7 @@ var PermitUtils = {
    * Fetch EIP712 domain from the blockchain
    */
   fetchEIP712Domain: async (publicClient) => {
-    const TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
-    const ACL_IFACE = "function acl() view returns (address)";
-    const EIP712_DOMAIN_IFACE = "function eip712Domain() public view returns (bytes1 fields, string name, string version, uint256 chainId, address verifyingContract, bytes32 salt, uint256[] extensions)";
-    const aclAbi = viem.parseAbi([ACL_IFACE]);
-    const aclAddress = await publicClient.readContract({
-      address: TASK_MANAGER_ADDRESS,
-      abi: aclAbi,
-      functionName: "acl"
-    });
-    const domainAbi = viem.parseAbi([EIP712_DOMAIN_IFACE]);
-    const domain = await publicClient.readContract({
-      address: aclAddress,
-      abi: domainAbi,
-      functionName: "eip712Domain"
-    });
-    const [_fields, name, version, chainId, verifyingContract, _salt, _extensions] = domain;
-    return {
-      name,
-      version,
-      chainId: Number(chainId),
-      verifyingContract
-    };
+    return getAclEIP712Domain(publicClient);
   },
   /**
    * Check if permit's signed domain matches the provided domain
@@ -2365,8 +2506,15 @@ var PermitUtils = {
   checkSignedDomainValid: async (permit, publicClient) => {
     if (permit._signedDomain == null)
       return false;
-    const domain = await PermitUtils.fetchEIP712Domain(publicClient);
+    const domain = await getAclEIP712Domain(publicClient);
     return PermitUtils.matchesDomain(permit, domain);
+  },
+  /**
+   * Check if permit passes the on-chain validation
+   */
+  checkValidityOnChain: async (permit, publicClient) => {
+    const permission = PermitUtils.getPermission(permit);
+    return checkPermitValidityOnChain(permission, publicClient);
   }
 };
 var PERMIT_STORE_DEFAULTS = {
@@ -2420,11 +2568,11 @@ var setPermit = (chainId, account, permit) => {
         state.permits[chainId] = {};
       if (state.permits[chainId][account] == null)
         state.permits[chainId][account] = {};
-      state.permits[chainId][account][PermitUtils.getHash(permit)] = PermitUtils.serialize(permit);
+      state.permits[chainId][account][permit.hash] = PermitUtils.serialize(permit);
     })
   );
 };
-var removePermit = (chainId, account, hash, force) => {
+var removePermit = (chainId, account, hash) => {
   clearStaleStore();
   _permitStore.setState(
     immer.produce((state) => {
@@ -2438,15 +2586,7 @@ var removePermit = (chainId, account, hash, force) => {
       if (accountPermits[hash] == null)
         return;
       if (state.activePermitHash[chainId][account] === hash) {
-        const otherPermitHash = Object.keys(accountPermits).find((key) => key !== hash && accountPermits[key] != null);
-        if (otherPermitHash) {
-          state.activePermitHash[chainId][account] = otherPermitHash;
-        } else {
-          if (!force) {
-            throw new Error("Cannot remove the last permit without force flag");
-          }
-          state.activePermitHash[chainId][account] = void 0;
-        }
+        state.activePermitHash[chainId][account] = void 0;
       }
       accountPermits[hash] = void 0;
     })
@@ -2497,7 +2637,7 @@ var storeActivePermit = async (permit, publicClient, walletClient) => {
   const chainId = await publicClient.getChainId();
   const account = walletClient.account.address;
   permitStore.setPermit(chainId, account, permit);
-  permitStore.setActivePermitHash(chainId, account, PermitUtils.getHash(permit));
+  permitStore.setActivePermitHash(chainId, account, permit.hash);
 };
 var createPermitWithSign = async (options, publicClient, walletClient, permitMethod) => {
   const permit = await permitMethod(options, publicClient, walletClient);
@@ -2555,7 +2695,7 @@ var getOrCreateSharingPermit = async (publicClient, walletClient, options, chain
   }
   return createSharing(options, publicClient, walletClient);
 };
-var removePermit2 = async (chainId, account, hash, force) => permitStore.removePermit(chainId, account, hash, force);
+var removePermit2 = async (chainId, account, hash) => permitStore.removePermit(chainId, account, hash);
 var removeActivePermit = async (chainId, account) => permitStore.removeActivePermitHash(chainId, account);
 var permits = {
   getSnapshot: permitStore.store.getState,
@@ -2595,8 +2735,8 @@ var convertViaUtype = (utype, value) => {
   }
 };
 
-// core/decrypt/MockQueryDecrypterAbi.ts
-var MockQueryDecrypterAbi = [
+// core/decrypt/MockThresholdNetworkAbi.ts
+var MockThresholdNetworkAbi = [
   {
     type: "function",
     name: "acl",
@@ -2643,11 +2783,7 @@ var MockQueryDecrypterAbi = [
           { name: "expiration", type: "uint64", internalType: "uint64" },
           { name: "recipient", type: "address", internalType: "address" },
           { name: "validatorId", type: "uint256", internalType: "uint256" },
-          {
-            name: "validatorContract",
-            type: "address",
-            internalType: "address"
-          },
+          { name: "validatorContract", type: "address", internalType: "address" },
           { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
           { name: "issuerSignature", type: "bytes", internalType: "bytes" },
           { name: "recipientSignature", type: "bytes", internalType: "bytes" }
@@ -2676,11 +2812,7 @@ var MockQueryDecrypterAbi = [
           { name: "expiration", type: "uint64", internalType: "uint64" },
           { name: "recipient", type: "address", internalType: "address" },
           { name: "validatorId", type: "uint256", internalType: "uint256" },
-          {
-            name: "validatorContract",
-            type: "address",
-            internalType: "address"
-          },
+          { name: "validatorContract", type: "address", internalType: "address" },
           { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
           { name: "issuerSignature", type: "bytes", internalType: "bytes" },
           { name: "recipientSignature", type: "bytes", internalType: "bytes" }
@@ -2704,13 +2836,6 @@ var MockQueryDecrypterAbi = [
     outputs: [{ name: "", type: "bytes32", internalType: "bytes32" }],
     stateMutability: "pure"
   },
-  {
-    type: "function",
-    name: "taskManager",
-    inputs: [],
-    outputs: [{ name: "", type: "address", internalType: "contract TaskManager" }],
-    stateMutability: "view"
-  },
   {
     type: "function",
     name: "unseal",
@@ -2721,16 +2846,80 @@ var MockQueryDecrypterAbi = [
     outputs: [{ name: "", type: "uint256", internalType: "uint256" }],
     stateMutability: "pure"
   },
-  { type: "error", name: "NotAllowed", inputs: [] },
-  { type: "error", name: "SealingKeyInvalid", inputs: [] },
-  { type: "error", name: "SealingKeyMissing", inputs: [] }
+  {
+    type: "function",
+    name: "mockAcl",
+    inputs: [],
+    outputs: [{ name: "", type: "address", internalType: "contract MockACL" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "mockTaskManager",
+    inputs: [],
+    outputs: [{ name: "", type: "address", internalType: "contract MockTaskManager" }],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "mockQueryDecrypt",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      { name: "", type: "uint256", internalType: "uint256" },
+      { name: "issuer", type: "address", internalType: "address" }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "decryptForTxWithPermit",
+    inputs: [
+      { name: "ctHash", type: "uint256", internalType: "uint256" },
+      {
+        name: "permission",
+        type: "tuple",
+        internalType: "struct Permission",
+        components: [
+          { name: "issuer", type: "address", internalType: "address" },
+          { name: "expiration", type: "uint64", internalType: "uint64" },
+          { name: "recipient", type: "address", internalType: "address" },
+          { name: "validatorId", type: "uint256", internalType: "uint256" },
+          { name: "validatorContract", type: "address", internalType: "address" },
+          { name: "sealingKey", type: "bytes32", internalType: "bytes32" },
+          { name: "issuerSignature", type: "bytes", internalType: "bytes" },
+          { name: "recipientSignature", type: "bytes", internalType: "bytes" }
+        ]
+      }
+    ],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "decryptedValue", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  },
+  {
+    type: "function",
+    name: "decryptForTxWithoutPermit",
+    inputs: [{ name: "ctHash", type: "uint256", internalType: "uint256" }],
+    outputs: [
+      { name: "allowed", type: "bool", internalType: "bool" },
+      { name: "error", type: "string", internalType: "string" },
+      { name: "decryptedValue", type: "uint256", internalType: "uint256" }
+    ],
+    stateMutability: "view"
+  }
 ];
 
-// core/decrypt/cofheMocksSealOutput.ts
-var MockQueryDecrypterAddress = "0x0000000000000000000000000000000000000200";
-async function cofheMocksSealOutput(ctHash, utype, permit, publicClient, mocksSealOutputDelay) {
-  if (mocksSealOutputDelay > 0)
-    await sleep(mocksSealOutputDelay);
+// core/decrypt/cofheMocksDecryptForView.ts
+async function cofheMocksDecryptForView(ctHash, utype, permit, publicClient, mocksDecryptDelay) {
+  if (mocksDecryptDelay > 0)
+    await sleep(mocksDecryptDelay);
   const permission = PermitUtils.getPermission(permit, true);
   const permissionWithBigInts = {
     ...permission,
@@ -2738,19 +2927,19 @@ async function cofheMocksSealOutput(ctHash, utype, permit, publicClient, mocksSe
     validatorId: BigInt(permission.validatorId)
   };
   const [allowed, error, result] = await publicClient.readContract({
-    address: MockQueryDecrypterAddress,
-    abi: MockQueryDecrypterAbi,
+    address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+    abi: MockThresholdNetworkAbi,
     functionName: "querySealOutput",
     args: [ctHash, BigInt(utype), permissionWithBigInts]
   });
   if (error != "") {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `mocks querySealOutput call failed: ${error}`
     });
   }
   if (allowed == false) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `mocks querySealOutput call failed: ACL Access Denied (NotAllowed)`
     });
@@ -2769,7 +2958,7 @@ function numberArrayToUint8Array(arr) {
 }
 function convertSealedData(sealed) {
   if (!sealed) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
       message: "Sealed data is missing from completed response"
     });
@@ -2796,7 +2985,7 @@ async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, per
       body: JSON.stringify(body)
     });
   } catch (e) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput request failed`,
       hint: "Ensure the threshold network URL is valid and reachable.",
@@ -2815,7 +3004,7 @@ async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, per
     } catch {
       errorMessage = response.statusText || errorMessage;
     }
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput request failed: ${errorMessage}`,
       hint: "Check the threshold network URL and request parameters.",
@@ -2831,7 +3020,7 @@ async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, per
   try {
     submitResponse = await response.json();
   } catch (e) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `Failed to parse sealOutput submit response`,
       cause: e instanceof Error ? e : void 0,
@@ -2842,7 +3031,7 @@ async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, per
     });
   }
   if (!submitResponse.request_id) {
-    throw new CofhesdkError({
+    throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput submit response missing request_id`,
       context: {
@@ -2859,7 +3048,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
   let completed = false;
   while (!completed) {
     if (Date.now() - startTime > POLL_TIMEOUT_MS) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
         message: `sealOutput polling timed out after ${POLL_TIMEOUT_MS}ms`,
         hint: "The request may still be processing. Try again later.",
@@ -2879,7 +3068,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
         }
       });
     } catch (e) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
         message: `sealOutput status poll failed`,
         hint: "Ensure the threshold network URL is valid and reachable.",
@@ -2891,7 +3080,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
       });
     }
     if (response.status === 404) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
         message: `sealOutput request not found: ${requestId}`,
         hint: "The request may have expired or been invalid.",
@@ -2909,7 +3098,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
       } catch {
         errorMessage = response.statusText || errorMessage;
       }
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
         message: `sealOutput status poll failed: ${errorMessage}`,
         context: {
@@ -2924,7 +3113,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
     try {
       statusResponse = await response.json();
     } catch (e) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
         message: `Failed to parse sealOutput status response`,
         cause: e instanceof Error ? e : void 0,
@@ -2937,7 +3126,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
     if (statusResponse.status === "COMPLETED") {
       if (statusResponse.is_succeed === false) {
         const errorMessage = statusResponse.error_message || "Unknown error";
-        throw new CofhesdkError({
+        throw new CofheError({
           code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
           message: `sealOutput request failed: ${errorMessage}`,
           context: {
@@ -2948,7 +3137,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
         });
       }
       if (!statusResponse.sealed) {
-        throw new CofhesdkError({
+        throw new CofheError({
           code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
           message: `sealOutput request completed but returned no sealed data`,
           context: {
@@ -2962,7 +3151,7 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
     }
     await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
   }
-  throw new CofhesdkError({
+  throw new CofheError({
     code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
     message: "Polling loop exited unexpectedly",
     context: {
@@ -2975,9 +3164,99 @@ async function tnSealOutputV2(ctHash, chainId, permission, thresholdNetworkUrl)
   const requestId = await submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission);
   return await pollSealOutputStatus(thresholdNetworkUrl, requestId);
 }
+async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient, mocksDecryptForTxDelay) {
+  if (mocksDecryptForTxDelay > 0)
+    await sleep(mocksDecryptForTxDelay);
+  if (permit !== null) {
+    let permission = PermitUtils.getPermission(permit, true);
+    const permissionWithBigInts = {
+      ...permission,
+      expiration: BigInt(permission.expiration),
+      validatorId: BigInt(permission.validatorId)
+    };
+    const [allowed2, error2, result2] = await publicClient.readContract({
+      address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+      abi: MockThresholdNetworkAbi,
+      functionName: "decryptForTxWithPermit",
+      args: [ctHash, permissionWithBigInts]
+    });
+    if (error2 != "") {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `mocks decryptForTx call failed: ${error2}`
+      });
+    }
+    if (allowed2 == false) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`
+      });
+    }
+    const chainId2 = await publicClient.getChainId();
+    const ctHashBigInt2 = BigInt(ctHash);
+    const resultBigInt2 = BigInt(result2);
+    const encryptionType2 = Number((ctHashBigInt2 & 0x7fn << 8n) >> 8n);
+    const ctHashBytes322 = viem.pad(viem.toHex(ctHashBigInt2), { size: 32 });
+    const packed2 = viem.encodePacked(
+      ["uint256", "uint32", "uint64", "bytes32"],
+      [resultBigInt2, encryptionType2, BigInt(chainId2), ctHashBytes322]
+    );
+    const messageHash2 = viem.keccak256(packed2);
+    const signatureHex2 = await accounts.sign({
+      hash: messageHash2,
+      privateKey: MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY,
+      to: "hex"
+    });
+    const signature2 = signatureHex2.slice(2);
+    return {
+      ctHash,
+      decryptedValue: BigInt(result2),
+      signature: signature2
+    };
+  }
+  const [allowed, error, result] = await publicClient.readContract({
+    address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+    abi: MockThresholdNetworkAbi,
+    functionName: "decryptForTxWithoutPermit",
+    args: [ctHash]
+  });
+  if (error != "") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `mocks decryptForTx call failed: ${error}`
+    });
+  }
+  if (allowed == false) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`
+    });
+  }
+  const chainId = await publicClient.getChainId();
+  const ctHashBigInt = BigInt(ctHash);
+  const resultBigInt = BigInt(result);
+  const encryptionType = Number((ctHashBigInt & 0x7fn << 8n) >> 8n);
+  const ctHashBytes32 = viem.pad(viem.toHex(ctHashBigInt), { size: 32 });
+  const packed = viem.encodePacked(
+    ["uint256", "uint32", "uint64", "bytes32"],
+    [resultBigInt, encryptionType, BigInt(chainId), ctHashBytes32]
+  );
+  const messageHash = viem.keccak256(packed);
+  const signatureHex = await accounts.sign({
+    hash: messageHash,
+    privateKey: MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY,
+    to: "hex"
+  });
+  const signature = signatureHex.slice(2);
+  return {
+    ctHash,
+    decryptedValue: BigInt(result),
+    signature
+  };
+}
 
-// core/decrypt/decryptHandleBuilder.ts
-var DecryptHandlesBuilder = class extends BaseBuilder {
+// core/decrypt/decryptForViewBuilder.ts
+var DecryptForViewBuilder = class extends BaseBuilder {
   ctHash;
   utype;
   permitHash;
@@ -3003,12 +3282,12 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
    *
    * Example:
    * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
+   * const unsealed = await client.decryptForView(ctHash, utype)
    *   .setChainId(11155111)
-   *   .decrypt();
+   *   .execute();
    * ```
    *
-   * @returns The chainable DecryptHandlesBuilder instance.
+   * @returns The chainable DecryptForViewBuilder instance.
    */
   setChainId(chainId) {
     this.chainId = chainId;
@@ -3024,12 +3303,12 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
    *
    * Example:
    * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
+   * const unsealed = await client.decryptForView(ctHash, utype)
    *   .setAccount('0x1234567890123456789012345678901234567890')
-   *   .decrypt();
+   *   .execute();
    * ```
    *
-   * @returns The chainable DecryptHandlesBuilder instance.
+   * @returns The chainable DecryptForViewBuilder instance.
    */
   setAccount(account) {
     this.account = account;
@@ -3038,6 +3317,19 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
   getAccount() {
     return this.account;
   }
+  withPermit(permitOrPermitHash) {
+    if (typeof permitOrPermitHash === "string") {
+      this.permitHash = permitOrPermitHash;
+      this.permit = void 0;
+    } else if (permitOrPermitHash === void 0) {
+      this.permitHash = void 0;
+      this.permit = void 0;
+    } else {
+      this.permit = permitOrPermitHash;
+      this.permitHash = void 0;
+    }
+    return this;
+  }
   /**
    * @param permitHash - Permit hash to decrypt values from. Used to fetch the correct permit.
    *
@@ -3046,16 +3338,16 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
    *
    * Example:
    * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
+   * const unsealed = await client.decryptForView(ctHash, utype)
    *   .setPermitHash('0x1234567890123456789012345678901234567890')
-   *   .decrypt();
+   *   .execute();
    * ```
    *
-   * @returns The chainable DecryptHandlesBuilder instance.
+   * @returns The chainable DecryptForViewBuilder instance.
    */
+  /** @deprecated Use `withPermit(permitHash)` instead. */
   setPermitHash(permitHash) {
-    this.permitHash = permitHash;
-    return this;
+    return this.withPermit(permitHash);
   }
   getPermitHash() {
     return this.permitHash;
@@ -3067,16 +3359,16 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
    *
    * Example:
    * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
+   * const unsealed = await client.decryptForView(ctHash, utype)
    *   .setPermit(permit)
-   *   .decrypt();
+   *   .execute();
    * ```
    *
-   * @returns The chainable DecryptHandlesBuilder instance.
+   * @returns The chainable DecryptForViewBuilder instance.
    */
+  /** @deprecated Use `withPermit(permit)` instead. */
   setPermit(permit) {
-    this.permit = permit;
-    return this;
+    return this.withPermit(permit);
   }
   getPermit() {
     return this.permit;
@@ -3087,7 +3379,7 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
   }
   validateUtypeOrThrow() {
     if (!isValidUtype(this.utype))
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "INVALID_UTYPE" /* InvalidUtype */,
         message: `Invalid utype to decrypt to`,
         context: {
@@ -3103,7 +3395,7 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
     if (this.permitHash) {
       const permit2 = await permits.getPermit(this.chainId, this.account, this.permitHash);
       if (!permit2) {
-        throw new CofhesdkError({
+        throw new CofheError({
           code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
           message: `Permit with hash <${this.permitHash}> not found for account <${this.account}> and chainId <${this.chainId}>`,
           hint: "Ensure the permit exists and is valid.",
@@ -3118,7 +3410,7 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
     }
     const permit = await permits.getActivePermit(this.chainId, this.account);
     if (!permit) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
         message: `Active permit not found for chainId <${this.chainId}> and account <${this.account}>`,
         hint: "Ensure a permit exists for this account on this chain.",
@@ -3135,8 +3427,8 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
    */
   async mocksSealOutput(permit) {
     this.assertPublicClient();
-    const mocksSealOutputDelay = this.config.mocks.sealOutputDelay;
-    return cofheMocksSealOutput(this.ctHash, this.utype, permit, this.publicClient, mocksSealOutputDelay);
+    const mocksDecryptDelay = this.config.mocks.decryptDelay;
+    return cofheMocksDecryptForView(this.ctHash, this.utype, permit, this.publicClient, mocksDecryptDelay);
   }
   /**
    * In the production context, perform a true decryption with the CoFHE coprocessor.
@@ -3161,15 +3453,16 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
    *
    * Example:
    * ```typescript
-   * const unsealed = await decryptHandle(ctHash, utype)
+   * const unsealed = await client.decryptForView(ctHash, utype)
    *   .setChainId(11155111)      // optional
    *   .setAccount('0x123...890') // optional
-   *   .decrypt();                // execute
+   *   .withPermit()              // optional
+   *   .execute();                // execute
    * ```
    *
    * @returns The unsealed item.
    */
-  async decrypt() {
+  async execute() {
     this.validateUtypeOrThrow();
     const permit = await this.getResolvedPermit();
     PermitUtils.validate(permit);
@@ -3185,6 +3478,394 @@ var DecryptHandlesBuilder = class extends BaseBuilder {
   }
 };
 
+// core/decrypt/tnDecrypt.ts
+function normalizeSignature(signature) {
+  if (typeof signature !== "string") {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response missing signature",
+      context: {
+        signature
+      }
+    });
+  }
+  const trimmed = signature.trim();
+  if (trimmed.length === 0) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response returned empty signature"
+    });
+  }
+  return trimmed.startsWith("0x") ? trimmed.slice(2) : trimmed;
+}
+function parseDecryptedBytesToBigInt(decrypted) {
+  if (!Array.isArray(decrypted)) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response field <decrypted> must be a byte array",
+      context: {
+        decrypted
+      }
+    });
+  }
+  if (decrypted.length === 0) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response field <decrypted> was an empty byte array",
+      context: {
+        decrypted
+      }
+    });
+  }
+  let hex = "";
+  for (const b of decrypted) {
+    if (typeof b !== "number" || !Number.isInteger(b) || b < 0 || b > 255) {
+      throw new CofheError({
+        code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+        message: "decrypt response field <decrypted> contained a non-byte value",
+        context: {
+          badElement: b,
+          decrypted
+        }
+      });
+    }
+    hex += b.toString(16).padStart(2, "0");
+  }
+  return BigInt(`0x${hex}`);
+}
+function assertTnDecryptResponse(value) {
+  if (value == null || typeof value !== "object") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt response must be a JSON object",
+      context: {
+        value
+      }
+    });
+  }
+  const v = value;
+  const decrypted = v.decrypted;
+  const signature = v.signature;
+  const encryptionType = v.encryption_type;
+  const errorMessage = v.error_message;
+  if (!Array.isArray(decrypted)) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response missing <decrypted> byte array",
+      context: { decryptResponse: value }
+    });
+  }
+  if (typeof signature !== "string") {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt response missing <signature> string",
+      context: { decryptResponse: value }
+    });
+  }
+  if (typeof encryptionType !== "number") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt response missing <encryption_type> number",
+      context: { decryptResponse: value }
+    });
+  }
+  if (!(typeof errorMessage === "string" || errorMessage === null)) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt response field <error_message> must be string or null",
+      context: { decryptResponse: value }
+    });
+  }
+  return {
+    decrypted,
+    signature,
+    encryption_type: encryptionType,
+    error_message: errorMessage
+  };
+}
+async function tnDecrypt(ctHash, chainId, permission, thresholdNetworkUrl) {
+  const body = {
+    ct_tempkey: ctHash.toString(16).padStart(64, "0"),
+    host_chain_id: chainId
+  };
+  if (permission) {
+    body.permit = permission;
+  }
+  let response;
+  try {
+    response = await fetch(`${thresholdNetworkUrl}/decrypt`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify(body)
+    });
+  } catch (e) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed`,
+      hint: "Ensure the threshold network URL is valid and reachable.",
+      cause: e instanceof Error ? e : void 0,
+      context: {
+        thresholdNetworkUrl,
+        body
+      }
+    });
+  }
+  const responseText = await response.text();
+  if (!response.ok) {
+    let errorMessage = response.statusText || `HTTP ${response.status}`;
+    try {
+      const errorBody = JSON.parse(responseText);
+      const maybeMessage = errorBody.error_message || errorBody.message;
+      if (typeof maybeMessage === "string" && maybeMessage.length > 0)
+        errorMessage = maybeMessage;
+    } catch {
+      const trimmed = responseText.trim();
+      if (trimmed.length > 0)
+        errorMessage = trimmed;
+    }
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${errorMessage}`,
+      hint: "Check the threshold network URL and request parameters.",
+      context: {
+        thresholdNetworkUrl,
+        status: response.status,
+        statusText: response.statusText,
+        body,
+        responseText
+      }
+    });
+  }
+  let rawJson;
+  try {
+    rawJson = JSON.parse(responseText);
+  } catch (e) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `Failed to parse decrypt response`,
+      cause: e instanceof Error ? e : void 0,
+      context: {
+        thresholdNetworkUrl,
+        body,
+        responseText
+      }
+    });
+  }
+  const decryptResponse = assertTnDecryptResponse(rawJson);
+  if (decryptResponse.error_message) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${decryptResponse.error_message}`,
+      context: {
+        thresholdNetworkUrl,
+        body,
+        decryptResponse
+      }
+    });
+  }
+  const decryptedValue = parseDecryptedBytesToBigInt(decryptResponse.decrypted);
+  const signature = normalizeSignature(decryptResponse.signature);
+  return { decryptedValue, signature };
+}
+
+// core/decrypt/decryptForTxBuilder.ts
+var DecryptForTxBuilder = class extends BaseBuilder {
+  ctHash;
+  permitHash;
+  permit;
+  permitSelection = "unset";
+  constructor(params) {
+    super({
+      config: params.config,
+      publicClient: params.publicClient,
+      walletClient: params.walletClient,
+      chainId: params.chainId,
+      account: params.account,
+      requireConnected: params.requireConnected
+    });
+    this.ctHash = params.ctHash;
+  }
+  setChainId(chainId) {
+    this.chainId = chainId;
+    return this;
+  }
+  getChainId() {
+    return this.chainId;
+  }
+  setAccount(account) {
+    this.account = account;
+    return this;
+  }
+  getAccount() {
+    return this.account;
+  }
+  withPermit(permitOrPermitHash) {
+    if (this.permitSelection === "with-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: withPermit() can only be selected once.",
+        hint: "Choose the permit mode once. If you need a different permit, start a new decryptForTx() builder chain."
+      });
+    }
+    if (this.permitSelection === "without-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: cannot call withPermit() after withoutPermit() has been selected.",
+        hint: "Choose exactly one permit mode: either call .withPermit(...) or .withoutPermit(), but not both."
+      });
+    }
+    this.permitSelection = "with-permit";
+    if (typeof permitOrPermitHash === "string") {
+      this.permitHash = permitOrPermitHash;
+      this.permit = void 0;
+    } else if (permitOrPermitHash === void 0) {
+      this.permitHash = void 0;
+      this.permit = void 0;
+    } else {
+      this.permit = permitOrPermitHash;
+      this.permitHash = void 0;
+    }
+    return this;
+  }
+  /**
+   * Select "no permit" mode.
+   *
+   * This uses global allowance (no permit required) and sends an empty permission payload to `/decrypt`.
+   */
+  withoutPermit() {
+    if (this.permitSelection === "without-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: withoutPermit() can only be selected once.",
+        hint: "Choose the permit mode once. If you need a different mode, start a new decryptForTx() builder chain."
+      });
+    }
+    if (this.permitSelection === "with-permit") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: cannot call withoutPermit() after withPermit() has been selected.",
+        hint: "Choose exactly one permit mode: either call .withPermit(...) or .withoutPermit(), but not both."
+      });
+    }
+    this.permitSelection = "without-permit";
+    this.permitHash = void 0;
+    this.permit = void 0;
+    return this;
+  }
+  getPermit() {
+    return this.permit;
+  }
+  getPermitHash() {
+    return this.permitHash;
+  }
+  async getThresholdNetworkUrl() {
+    this.assertChainId();
+    return getThresholdNetworkUrlOrThrow(this.config, this.chainId);
+  }
+  async getResolvedPermit() {
+    if (this.permitSelection === "unset") {
+      throw new CofheError({
+        code: "INTERNAL_ERROR" /* InternalError */,
+        message: "decryptForTx: missing permit selection; call withPermit(...) or withoutPermit() before execute().",
+        hint: "Call .withPermit() to use the active permit, or .withoutPermit() for global allowance."
+      });
+    }
+    if (this.permitSelection === "without-permit") {
+      return null;
+    }
+    if (this.permit)
+      return this.permit;
+    this.assertChainId();
+    this.assertAccount();
+    if (this.permitHash) {
+      const permit2 = await permits.getPermit(this.chainId, this.account, this.permitHash);
+      if (!permit2) {
+        throw new CofheError({
+          code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+          message: `Permit with hash <${this.permitHash}> not found for account <${this.account}> and chainId <${this.chainId}>`,
+          hint: "Ensure the permit exists and is valid.",
+          context: {
+            chainId: this.chainId,
+            account: this.account,
+            permitHash: this.permitHash
+          }
+        });
+      }
+      return permit2;
+    }
+    const permit = await permits.getActivePermit(this.chainId, this.account);
+    if (!permit) {
+      throw new CofheError({
+        code: "PERMIT_NOT_FOUND" /* PermitNotFound */,
+        message: `Active permit not found for chainId <${this.chainId}> and account <${this.account}>`,
+        hint: "Create a permit (e.g. client.permits.createSelf(...)) and/or set it active (client.permits.selectActivePermit(hash)).",
+        context: {
+          chainId: this.chainId,
+          account: this.account
+        }
+      });
+    }
+    return permit;
+  }
+  /**
+   * On hardhat, interact with MockThresholdNetwork contract
+   */
+  async mocksDecryptForTx(permit) {
+    this.assertPublicClient();
+    const delay = this.config.mocks.decryptDelay;
+    const result = await cofheMocksDecryptForTx(this.ctHash, 0, permit, this.publicClient, delay);
+    return result;
+  }
+  /**
+   * In the production context, perform a true decryption with the CoFHE coprocessor.
+   */
+  async productionDecryptForTx(permit) {
+    this.assertChainId();
+    this.assertPublicClient();
+    const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
+    const permission = permit ? PermitUtils.getPermission(permit, true) : null;
+    const { decryptedValue, signature } = await tnDecrypt(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    return {
+      ctHash: this.ctHash,
+      decryptedValue,
+      signature
+    };
+  }
+  /**
+   * Final step of the decryptForTx process. MUST BE CALLED LAST IN THE CHAIN.
+   *
+   * You must explicitly choose one permit mode before calling `execute()`:
+   * - `withPermit(permit)` / `withPermit(permitHash)` / `withPermit()` (active permit)
+   * - `withoutPermit()` (global allowance)
+   */
+  async execute() {
+    const permit = await this.getResolvedPermit();
+    if (permit !== null) {
+      PermitUtils.validate(permit);
+      PermitUtils.isValid(permit);
+      const chainId = permit._signedDomain.chainId;
+      if (chainId === hardhat2.id) {
+        return await this.mocksDecryptForTx(permit);
+      } else {
+        return await this.productionDecryptForTx(permit);
+      }
+    } else {
+      if (!this.chainId) {
+        this.assertPublicClient();
+        this.chainId = await getPublicClientChainID(this.publicClient);
+      }
+      this.assertChainId();
+      if (this.chainId === hardhat2.id) {
+        return await this.mocksDecryptForTx(null);
+      } else {
+        return await this.productionDecryptForTx(null);
+      }
+    }
+  }
+};
+
 // core/client.ts
 var InitialConnectStore = {
   connected: false,
@@ -3195,9 +3876,10 @@ var InitialConnectStore = {
   publicClient: void 0,
   walletClient: void 0
 };
-function createCofhesdkClientBase(opts) {
+function createCofheClientBase(opts) {
   const keysStorage = createKeysStore(opts.config.fheKeyStorage);
   const connectStore = vanilla.createStore(() => InitialConnectStore);
+  let connectAttemptId = 0;
   const updateConnectState = (partial) => {
     connectStore.setState((state) => ({ ...state, ...partial }));
   };
@@ -3205,7 +3887,7 @@ function createCofhesdkClientBase(opts) {
     const state = connectStore.getState();
     const notConnected = !state.connected || !state.account || !state.chainId || !state.publicClient || !state.walletClient;
     if (notConnected) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "NOT_CONNECTED" /* NotConnected */,
         message: "Client must be connected, account and chainId must be initialized",
         hint: "Ensure client.connect() has been called and awaited.",
@@ -3223,6 +3905,8 @@ function createCofhesdkClientBase(opts) {
     const state = connectStore.getState();
     if (state.connected && state.publicClient === publicClient && state.walletClient === walletClient)
       return;
+    connectAttemptId += 1;
+    const localAttemptId = connectAttemptId;
     updateConnectState({
       ...InitialConnectStore,
       connecting: true
@@ -3230,6 +3914,8 @@ function createCofhesdkClientBase(opts) {
     try {
       const chainId = await getPublicClientChainID(publicClient);
       const account = await getWalletClientAccount(walletClient);
+      if (localAttemptId !== connectAttemptId)
+        return;
       updateConnectState({
         connected: true,
         connecting: false,
@@ -3240,6 +3926,8 @@ function createCofhesdkClientBase(opts) {
         walletClient
       });
     } catch (e) {
+      if (localAttemptId !== connectAttemptId)
+        return;
       updateConnectState({
         ...InitialConnectStore,
         connectError: e
@@ -3247,6 +3935,10 @@ function createCofhesdkClientBase(opts) {
       throw e;
     }
   }
+  function disconnect() {
+    connectAttemptId += 1;
+    updateConnectState({ ...InitialConnectStore });
+  }
   function encryptInputs(inputs) {
     const state = connectStore.getState();
     return new EncryptInputsBuilder({
@@ -3266,16 +3958,28 @@ function createCofhesdkClientBase(opts) {
       requireConnected: _requireConnected
     });
   }
-  function decryptHandle(ctHash, utype) {
+  function decryptForView(ctHash, utype) {
     const state = connectStore.getState();
-    return new DecryptHandlesBuilder({
+    return new DecryptForViewBuilder({
       ctHash,
       utype,
-      chainId: state.chainId ?? void 0,
-      account: state.account ?? void 0,
+      chainId: state.chainId,
+      account: state.account,
       config: opts.config,
-      publicClient: state.publicClient ?? void 0,
-      walletClient: state.walletClient ?? void 0,
+      publicClient: state.publicClient,
+      walletClient: state.walletClient,
+      requireConnected: _requireConnected
+    });
+  }
+  function decryptForTx(ctHash) {
+    const state = connectStore.getState();
+    return new DecryptForTxBuilder({
+      ctHash,
+      chainId: state.chainId,
+      account: state.account,
+      config: opts.config,
+      publicClient: state.publicClient,
+      walletClient: state.walletClient,
       requireConnected: _requireConnected
     });
   }
@@ -3284,7 +3988,7 @@ function createCofhesdkClientBase(opts) {
     const _chainId = chainId ?? state.chainId;
     const _account = account ?? state.account;
     if (_chainId == null || _account == null) {
-      throw new CofhesdkError({
+      throw new CofheError({
         code: "NOT_CONNECTED" /* NotConnected */,
         message: "ChainId or account not available.",
         hint: "Ensure client.connect() has been called, or provide chainId and account explicitly.",
@@ -3351,9 +4055,9 @@ function createCofhesdkClientBase(opts) {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.selectActivePermit(_chainId, _account, hash);
     },
-    removePermit: async (hash, chainId, account, force) => {
+    removePermit: async (hash, chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
-      return permits.removePermit(_chainId, _account, hash, force);
+      return permits.removePermit(_chainId, _account, hash);
     },
     removeActivePermit: async (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
@@ -3369,6 +4073,9 @@ function createCofhesdkClientBase(opts) {
     getSnapshot: connectStore.getState,
     subscribe: connectStore.subscribe,
     // flags (read-only: reflect snapshot)
+    get connection() {
+      return connectStore.getState();
+    },
     get connected() {
       return connectStore.getState().connected;
     },
@@ -3378,8 +4085,14 @@ function createCofhesdkClientBase(opts) {
     // config & platform-specific (read-only)
     config: opts.config,
     connect,
+    disconnect,
     encryptInputs,
-    decryptHandle,
+    decryptForView,
+    /**
+     * @deprecated Use `decryptForView` instead. Kept for backward compatibility.
+     */
+    decryptHandle: decryptForView,
+    decryptForTx,
     permits: clientPermits
     // Add SDK-specific methods below that require connection
     // Example:
@@ -3391,24 +4104,31 @@ function createCofhesdkClientBase(opts) {
 }
 
 exports.CONNECT_STORE_DEFAULTS = InitialConnectStore;
-exports.CofhesdkError = CofhesdkError;
-exports.CofhesdkErrorCode = CofhesdkErrorCode;
-exports.DecryptHandlesBuilder = DecryptHandlesBuilder;
+exports.CofheError = CofheError;
+exports.CofheErrorCode = CofheErrorCode;
+exports.DecryptForTxBuilder = DecryptForTxBuilder;
+exports.DecryptForViewBuilder = DecryptForViewBuilder;
 exports.EncryptInputsBuilder = EncryptInputsBuilder;
 exports.EncryptStep = EncryptStep;
 exports.Encryptable = Encryptable;
 exports.FheAllUTypes = FheAllUTypes;
 exports.FheTypes = FheTypes;
 exports.FheUintUTypes = FheUintUTypes;
+exports.MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY = MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY;
+exports.MOCKS_THRESHOLD_NETWORK_ADDRESS = MOCKS_THRESHOLD_NETWORK_ADDRESS;
+exports.MOCKS_ZK_VERIFIER_ADDRESS = MOCKS_ZK_VERIFIER_ADDRESS;
 exports.MOCKS_ZK_VERIFIER_SIGNER_ADDRESS = MOCKS_ZK_VERIFIER_SIGNER_ADDRESS;
+exports.MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY = MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY;
+exports.TASK_MANAGER_ADDRESS = TASK_MANAGER_ADDRESS;
+exports.TEST_BED_ADDRESS = TEST_BED_ADDRESS;
 exports.assertCorrectEncryptedItemInput = assertCorrectEncryptedItemInput;
-exports.createCofhesdkClientBase = createCofhesdkClientBase;
-exports.createCofhesdkConfigBase = createCofhesdkConfigBase;
+exports.createCofheClientBase = createCofheClientBase;
+exports.createCofheConfigBase = createCofheConfigBase;
 exports.createKeysStore = createKeysStore;
 exports.fetchKeys = fetchKeys;
 exports.fheTypeToString = fheTypeToString;
-exports.getCofhesdkConfigItem = getCofhesdkConfigItem;
-exports.isCofhesdkError = isCofhesdkError;
+exports.getCofheConfigItem = getCofheConfigItem;
+exports.isCofheError = isCofheError;
 exports.isEncryptableItem = isEncryptableItem;
 exports.isLastEncryptionStep = isLastEncryptionStep;
 exports.zkProveWithWorker = zkProveWithWorker;