@cofhe/sdk 0.2.1 → 0.3.1

package/core/config.test.ts

@@ -2,17 +2,17 @@ import { sepolia, hardhat } from '@/chains';
 
 import { describe, it, expect, vi } from 'vitest';
 import {
-  createCofhesdkConfigBase,
-  getCofhesdkConfigItem,
-  type CofhesdkInputConfig,
+  createCofheConfigBase,
+  getCofheConfigItem,
+  type CofheInputConfig,
   getSupportedChainOrThrow,
   getCoFheUrlOrThrow,
   getZkVerifierUrlOrThrow,
   getThresholdNetworkUrlOrThrow,
 } from './config.js';
 
-describe('createCofhesdkConfigBase', () => {
-  const validBaseConfig: CofhesdkInputConfig = {
+describe('createCofheConfigBase', () => {
+  const validBaseConfig: CofheInputConfig = {
     supportedChains: [],
   };
 
@@ -36,18 +36,18 @@ describe('createCofhesdkConfigBase', () => {
     if (log) {
       console.log('expect config invalid', path, value, config);
       try {
-        createCofhesdkConfigBase(config as CofhesdkInputConfig);
+        createCofheConfigBase(config as CofheInputConfig);
       } catch (e) {
         console.log('expect config invalid', path, value, config, e);
       }
     }
-    expect(() => createCofhesdkConfigBase(config as CofhesdkInputConfig)).toThrow('Invalid cofhesdk configuration:');
+    expect(() => createCofheConfigBase(config as CofheInputConfig)).toThrow('Invalid cofhe configuration:');
   };
 
   const expectValidConfigItem = (path: string, value: any, expectedValue: any): void => {
     const config = { ...validBaseConfig };
     setNestedValue(config, path, value);
-    const result = createCofhesdkConfigBase(config);
+    const result = createCofheConfigBase(config);
     expect(getNestedValue(result, path)).toEqual(expectedValue);
   };
 
@@ -72,16 +72,6 @@ describe('createCofhesdkConfigBase', () => {
     expectValidConfigItem('supportedChains', [sepolia, hardhat], [sepolia, hardhat]);
   });
 
-  it('permitGeneration', () => {
-    expectInvalidConfigItem('permitGeneration', 'not-a-boolean');
-    expectInvalidConfigItem('permitGeneration', null);
-
-    expectValidConfigItem('permitGeneration', 'ON_CONNECT', 'ON_CONNECT');
-    expectValidConfigItem('permitGeneration', 'ON_DECRYPT_HANDLES', 'ON_DECRYPT_HANDLES');
-    expectValidConfigItem('permitGeneration', 'MANUAL', 'MANUAL');
-    expectValidConfigItem('permitGeneration', undefined, 'ON_CONNECT');
-  });
-
   it('defaultPermitExpiration', () => {
     expectInvalidConfigItem('defaultPermitExpiration', 'not-a-number');
     expectInvalidConfigItem('defaultPermitExpiration', null);
@@ -116,7 +106,7 @@ describe('createCofhesdkConfigBase', () => {
     };
 
     const config = { ...validBaseConfig, fheKeyStorage: fakeStorage };
-    const result = createCofhesdkConfigBase(config);
+    const result = createCofheConfigBase(config);
 
     expect(result.fheKeyStorage).not.toBeNull();
     await result.fheKeyStorage!.getItem('test');
@@ -139,17 +129,26 @@ describe('createCofhesdkConfigBase', () => {
   it('mocks', () => {
     expectInvalidConfigItem('mocks', 'not-an-object');
     expectInvalidConfigItem('mocks', null);
+  });
+
+  it('mocks.decryptDelay', () => {
+    expectInvalidConfigItem('mocks.decryptDelay', 'not-a-number');
+    expectInvalidConfigItem('mocks.decryptDelay', null);
 
-    expectValidConfigItem('mocks', { sealOutputDelay: 1000 }, { sealOutputDelay: 1000 });
-    expectValidConfigItem('mocks', undefined, { sealOutputDelay: 0 });
+    expectValidConfigItem('mocks.decryptDelay', undefined, 0);
+    expectValidConfigItem('mocks.decryptDelay', 1000, 1000);
   });
 
-  it('mocks.sealOutputDelay', () => {
-    expectInvalidConfigItem('mocks.sealOutputDelay', 'not-a-number');
-    expectInvalidConfigItem('mocks.sealOutputDelay', null);
+  it('mocks.encryptDelay', () => {
+    expectInvalidConfigItem('mocks.encryptDelay', 'not-a-number');
+    expectInvalidConfigItem('mocks.encryptDelay', null);
+    expectInvalidConfigItem('mocks.encryptDelay', [100, 100, 100]); // wrong tuple length
+    expectInvalidConfigItem('mocks.encryptDelay', ['a', 'b', 'c', 'd', 'e']); // non-number elements
 
-    expectValidConfigItem('mocks.sealOutputDelay', undefined, 0);
-    expectValidConfigItem('mocks.sealOutputDelay', 1000, 1000);
+    expectValidConfigItem('mocks.encryptDelay', undefined, [100, 100, 100, 500, 500]);
+    expectValidConfigItem('mocks.encryptDelay', 200, 200);
+    expectValidConfigItem('mocks.encryptDelay', 0, 0);
+    expectValidConfigItem('mocks.encryptDelay', [10, 20, 30, 40, 50], [10, 20, 30, 40, 50]);
   });
 
   it('useWorkers', () => {
@@ -164,19 +163,19 @@ describe('createCofhesdkConfigBase', () => {
   });
 
   it('should get config item', () => {
-    const config: CofhesdkInputConfig = {
+    const config: CofheInputConfig = {
       supportedChains: [sepolia],
     };
 
-    const result = createCofhesdkConfigBase(config);
+    const result = createCofheConfigBase(config);
 
-    const supportedChains = getCofhesdkConfigItem(result, 'supportedChains');
+    const supportedChains = getCofheConfigItem(result, 'supportedChains');
     expect(supportedChains).toEqual(config.supportedChains);
   });
 });
 
 describe('Config helper functions', () => {
-  const config = createCofhesdkConfigBase({
+  const config = createCofheConfigBase({
     supportedChains: [sepolia, hardhat],
   });
 
@@ -200,7 +199,7 @@ describe('Config helper functions', () => {
     });
 
     it('should throw MissingConfig when url not set', () => {
-      const configWithoutUrl = createCofhesdkConfigBase({
+      const configWithoutUrl = createCofheConfigBase({
         supportedChains: [{ ...sepolia, coFheUrl: undefined } as any],
       });
       expect(() => getCoFheUrlOrThrow(configWithoutUrl, sepolia.id)).toThrow();
@@ -217,7 +216,7 @@ describe('Config helper functions', () => {
     });
 
     it('should throw ZkVerifierUrlUninitialized when url not set', () => {
-      const configWithoutUrl = createCofhesdkConfigBase({
+      const configWithoutUrl = createCofheConfigBase({
         supportedChains: [{ ...sepolia, verifierUrl: undefined } as any],
       });
       expect(() => getZkVerifierUrlOrThrow(configWithoutUrl, sepolia.id)).toThrow();
@@ -234,7 +233,7 @@ describe('Config helper functions', () => {
     });
 
     it('should throw ThresholdNetworkUrlUninitialized when url not set', () => {
-      const configWithoutUrl = createCofhesdkConfigBase({
+      const configWithoutUrl = createCofheConfigBase({
         supportedChains: [{ ...sepolia, thresholdNetworkUrl: undefined } as any],
       });
       expect(() => getThresholdNetworkUrlOrThrow(configWithoutUrl, sepolia.id)).toThrow();

package/core/config.ts

@@ -2,26 +2,19 @@ import { type CofheChain } from '@/chains';
 
 import { z } from 'zod';
 import { type WalletClient } from 'viem';
-import { CofhesdkError, CofhesdkErrorCode } from './error.js';
+import { CofheError, CofheErrorCode } from './error.js';
 import { type IStorage } from './types.js';
 
-export type CofhesdkEnvironment = 'node' | 'hardhat' | 'web' | 'react';
+export type CofheEnvironment = 'node' | 'hardhat' | 'web' | 'react';
 
 /**
  * Usable config type inferred from the schema
  */
-export type CofhesdkConfig = {
+export type CofheConfig = {
   /** Environment that the SDK is running in */
   environment: 'node' | 'hardhat' | 'web' | 'react';
   /** List of supported chains */
   supportedChains: CofheChain[];
-  /**
-   * How permits are generated
-   * - ON_CONNECT: Generate a permit when client.connect() is called
-   * - ON_DECRYPT_HANDLES: Generate a permit when client.decryptHandles() is called
-   * - MANUAL: Generate a permit manually using client.generatePermit()
-   */
-  permitGeneration: 'ON_CONNECT' | 'ON_DECRYPT_HANDLES' | 'MANUAL';
   /** Default permit expiration in seconds, default is 30 days */
   defaultPermitExpiration: number;
   /**
@@ -43,25 +36,30 @@ export type CofhesdkConfig = {
      * Default 1000ms on web
      * Default 0ms on hardhat (will be called during tests no need for fake delay)
      */
-    sealOutputDelay: number;
+    decryptDelay: number;
+    /**
+     * Simulated delay(s) in milliseconds for each step of encryptInputs in mock mode.
+     * A single number applies the same delay to all five steps (InitTfhe, FetchKeys, Pack, Prove, Verify).
+     * A tuple of five numbers applies a per-step delay: [InitTfhe, FetchKeys, Pack, Prove, Verify].
+     * Default: [100, 100, 100, 500, 500]
+     */
+    encryptDelay: number | [number, number, number, number, number];
   };
-  _internal?: CofhesdkInternalConfig;
+  _internal?: CofheInternalConfig;
 };
 
-export type CofhesdkInternalConfig = {
+export type CofheInternalConfig = {
   zkvWalletClient?: WalletClient;
 };
 
 /**
  * Zod schema for configuration validation
  */
-export const CofhesdkConfigSchema = z.object({
+export const CofheConfigSchema = z.object({
   /** Environment that the SDK is running in */
   environment: z.enum(['node', 'hardhat', 'web', 'react']).optional().default('node'),
   /** List of supported chain configurations */
   supportedChains: z.array(z.custom<CofheChain>()),
-  /** How permits are generated */
-  permitGeneration: z.enum(['ON_CONNECT', 'ON_DECRYPT_HANDLES', 'MANUAL']).optional().default('ON_CONNECT'),
   /** Default permit expiration in seconds, default is 30 days */
   defaultPermitExpiration: z
     .number()
@@ -87,10 +85,14 @@ export const CofhesdkConfigSchema = z.object({
   /** Mocks configs */
   mocks: z
     .object({
-      sealOutputDelay: z.number().optional().default(0),
+      decryptDelay: z.number().optional().default(0),
+      encryptDelay: z
+        .union([z.number(), z.tuple([z.number(), z.number(), z.number(), z.number(), z.number()])])
+        .optional()
+        .default([100, 100, 100, 500, 500]),
     })
     .optional()
-    .default({ sealOutputDelay: 0 }),
+    .default({ decryptDelay: 0, encryptDelay: [100, 100, 100, 500, 500] }),
   /** Internal configuration */
   _internal: z
     .object({
@@ -102,48 +104,45 @@ export const CofhesdkConfigSchema = z.object({
 /**
  * Input config type inferred from the schema
  */
-export type CofhesdkInputConfig = z.input<typeof CofhesdkConfigSchema>;
+export type CofheInputConfig = z.input<typeof CofheConfigSchema>;
 
 /**
- * Creates and validates a cofhesdk configuration (base implementation)
+ * Creates and validates a cofhe configuration (base implementation)
  * @param config - The configuration object to validate
  * @returns The validated configuration
  * @throws {Error} If the configuration is invalid
  */
-export function createCofhesdkConfigBase(config: CofhesdkInputConfig): CofhesdkConfig {
-  const result = CofhesdkConfigSchema.safeParse(config);
+export function createCofheConfigBase(config: CofheInputConfig): CofheConfig {
+  const result = CofheConfigSchema.safeParse(config);
 
   if (!result.success) {
-    throw new Error(`Invalid cofhesdk configuration: ${z.prettifyError(result.error)}`, { cause: result.error });
+    throw new Error(`Invalid cofhe configuration: ${z.prettifyError(result.error)}`, { cause: result.error });
   }
 
   return result.data;
 }
 
 /**
- * Access the CofhesdkConfig object directly by providing the key.
+ * Access the CofheConfig object directly by providing the key.
  * This is powerful when you use OnchainKit utilities outside of the React context.
  */
-export const getCofhesdkConfigItem = <K extends keyof CofhesdkConfig>(
-  config: CofhesdkConfig,
-  key: K
-): CofhesdkConfig[K] => {
+export const getCofheConfigItem = <K extends keyof CofheConfig>(config: CofheConfig, key: K): CofheConfig[K] => {
   return config[key];
 };
 
 /**
  * Gets a supported chain from config by chainId, throws if not found
- * @param config - The cofhesdk configuration
+ * @param config - The cofhe configuration
  * @param chainId - The chain ID to look up
  * @returns The supported chain configuration
- * @throws {CofhesdkError} If the chain is not found in the config
+ * @throws {CofheError} If the chain is not found in the config
  */
-export function getSupportedChainOrThrow(config: CofhesdkConfig, chainId: number): CofheChain {
+export function getSupportedChainOrThrow(config: CofheConfig, chainId: number): CofheChain {
   const supportedChain = config.supportedChains.find((chain) => chain.id === chainId);
 
   if (!supportedChain) {
-    throw new CofhesdkError({
-      code: CofhesdkErrorCode.UnsupportedChain,
+    throw new CofheError({
+      code: CofheErrorCode.UnsupportedChain,
       message: `Config does not support chain <${chainId}>`,
       hint: 'Ensure config passed to client has been created with this chain in the config.supportedChains array.',
       context: {
@@ -158,18 +157,18 @@ export function getSupportedChainOrThrow(config: CofhesdkConfig, chainId: number
 
 /**
  * Gets the CoFHE URL for a chain, throws if not found
- * @param config - The cofhesdk configuration
+ * @param config - The cofhe configuration
  * @param chainId - The chain ID to look up
  * @returns The CoFHE URL for the chain
- * @throws {CofhesdkError} If the chain or URL is not found
+ * @throws {CofheError} If the chain or URL is not found
  */
-export function getCoFheUrlOrThrow(config: CofhesdkConfig, chainId: number): string {
+export function getCoFheUrlOrThrow(config: CofheConfig, chainId: number): string {
   const supportedChain = getSupportedChainOrThrow(config, chainId);
   const url = supportedChain.coFheUrl;
 
   if (!url) {
-    throw new CofhesdkError({
-      code: CofhesdkErrorCode.MissingConfig,
+    throw new CofheError({
+      code: CofheErrorCode.MissingConfig,
       message: `CoFHE URL is not configured for chain <${chainId}>`,
       hint: 'Ensure this chain config includes a coFheUrl property.',
       context: { chainId },
@@ -181,18 +180,18 @@ export function getCoFheUrlOrThrow(config: CofhesdkConfig, chainId: number): str
 
 /**
  * Gets the ZK verifier URL for a chain, throws if not found
- * @param config - The cofhesdk configuration
+ * @param config - The cofhe configuration
  * @param chainId - The chain ID to look up
  * @returns The ZK verifier URL for the chain
- * @throws {CofhesdkError} If the chain or URL is not found
+ * @throws {CofheError} If the chain or URL is not found
  */
-export function getZkVerifierUrlOrThrow(config: CofhesdkConfig, chainId: number): string {
+export function getZkVerifierUrlOrThrow(config: CofheConfig, chainId: number): string {
   const supportedChain = getSupportedChainOrThrow(config, chainId);
   const url = supportedChain.verifierUrl;
 
   if (!url) {
-    throw new CofhesdkError({
-      code: CofhesdkErrorCode.ZkVerifierUrlUninitialized,
+    throw new CofheError({
+      code: CofheErrorCode.ZkVerifierUrlUninitialized,
       message: `ZK verifier URL is not configured for chain <${chainId}>`,
       hint: 'Ensure this chain config includes a verifierUrl property.',
       context: { chainId },
@@ -204,18 +203,18 @@ export function getZkVerifierUrlOrThrow(config: CofhesdkConfig, chainId: number)
 
 /**
  * Gets the threshold network URL for a chain, throws if not found
- * @param config - The cofhesdk configuration
+ * @param config - The cofhe configuration
  * @param chainId - The chain ID to look up
  * @returns The threshold network URL for the chain
- * @throws {CofhesdkError} If the chain or URL is not found
+ * @throws {CofheError} If the chain or URL is not found
  */
-export function getThresholdNetworkUrlOrThrow(config: CofhesdkConfig, chainId: number): string {
+export function getThresholdNetworkUrlOrThrow(config: CofheConfig, chainId: number): string {
   const supportedChain = getSupportedChainOrThrow(config, chainId);
   const url = supportedChain.thresholdNetworkUrl;
 
   if (!url) {
-    throw new CofhesdkError({
-      code: CofhesdkErrorCode.ThresholdNetworkUrlUninitialized,
+    throw new CofheError({
+      code: CofheErrorCode.ThresholdNetworkUrlUninitialized,
       message: `Threshold network URL is not configured for chain <${chainId}>`,
       hint: 'Ensure this chain config includes a thresholdNetworkUrl property.',
       context: { chainId },

package/core/consts.ts

@@ -4,8 +4,8 @@ export const TASK_MANAGER_ADDRESS = '0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9'
 /** Mock ZK Verifier contract address (used for testing) */
 export const MOCKS_ZK_VERIFIER_ADDRESS = '0x0000000000000000000000000000000000005001' as const;
 
-/** Mock Query Decrypter contract address (used for testing) */
-export const MOCKS_QUERY_DECRYPTER_ADDRESS = '0x0000000000000000000000000000000000005002' as const;
+/** Mock Threshold Network contract address (used for testing) */
+export const MOCKS_THRESHOLD_NETWORK_ADDRESS = '0x0000000000000000000000000000000000005002' as const;
 
 /** Test Bed contract address (used for testing) */
 export const TEST_BED_ADDRESS = '0x0000000000000000000000000000000000005003' as const;
@@ -16,3 +16,7 @@ export const MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY =
 
 /** Address for the Mock ZK Verifier signer account */
 export const MOCKS_ZK_VERIFIER_SIGNER_ADDRESS = '0x6E12D8C87503D4287c294f2Fdef96ACd9DFf6bd2' as const;
+
+/** Private key for the Mock decrypt result signer account */
+export const MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY =
+  '0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d' as const;

package/core/decrypt/{MockQueryDecrypterAbi.ts → MockThresholdNetworkAbi.ts}

@@ -1,4 +1,4 @@
-export const MockQueryDecrypterAbi = [
+export const MockThresholdNetworkAbi = [
   {
     type: 'function',
     name: 'acl',
@@ -45,11 +45,7 @@ export const MockQueryDecrypterAbi = [
           { name: 'expiration', type: 'uint64', internalType: 'uint64' },
           { name: 'recipient', type: 'address', internalType: 'address' },
           { name: 'validatorId', type: 'uint256', internalType: 'uint256' },
-          {
-            name: 'validatorContract',
-            type: 'address',
-            internalType: 'address',
-          },
+          { name: 'validatorContract', type: 'address', internalType: 'address' },
           { name: 'sealingKey', type: 'bytes32', internalType: 'bytes32' },
           { name: 'issuerSignature', type: 'bytes', internalType: 'bytes' },
           { name: 'recipientSignature', type: 'bytes', internalType: 'bytes' },
@@ -78,11 +74,7 @@ export const MockQueryDecrypterAbi = [
           { name: 'expiration', type: 'uint64', internalType: 'uint64' },
           { name: 'recipient', type: 'address', internalType: 'address' },
           { name: 'validatorId', type: 'uint256', internalType: 'uint256' },
-          {
-            name: 'validatorContract',
-            type: 'address',
-            internalType: 'address',
-          },
+          { name: 'validatorContract', type: 'address', internalType: 'address' },
           { name: 'sealingKey', type: 'bytes32', internalType: 'bytes32' },
           { name: 'issuerSignature', type: 'bytes', internalType: 'bytes' },
           { name: 'recipientSignature', type: 'bytes', internalType: 'bytes' },
@@ -106,13 +98,6 @@ export const MockQueryDecrypterAbi = [
     outputs: [{ name: '', type: 'bytes32', internalType: 'bytes32' }],
     stateMutability: 'pure',
   },
-  {
-    type: 'function',
-    name: 'taskManager',
-    inputs: [],
-    outputs: [{ name: '', type: 'address', internalType: 'contract TaskManager' }],
-    stateMutability: 'view',
-  },
   {
     type: 'function',
     name: 'unseal',
@@ -123,7 +108,72 @@ export const MockQueryDecrypterAbi = [
     outputs: [{ name: '', type: 'uint256', internalType: 'uint256' }],
     stateMutability: 'pure',
   },
-  { type: 'error', name: 'NotAllowed', inputs: [] },
-  { type: 'error', name: 'SealingKeyInvalid', inputs: [] },
-  { type: 'error', name: 'SealingKeyMissing', inputs: [] },
+  {
+    type: 'function',
+    name: 'mockAcl',
+    inputs: [],
+    outputs: [{ name: '', type: 'address', internalType: 'contract MockACL' }],
+    stateMutability: 'view',
+  },
+  {
+    type: 'function',
+    name: 'mockTaskManager',
+    inputs: [],
+    outputs: [{ name: '', type: 'address', internalType: 'contract MockTaskManager' }],
+    stateMutability: 'view',
+  },
+  {
+    type: 'function',
+    name: 'mockQueryDecrypt',
+    inputs: [
+      { name: 'ctHash', type: 'uint256', internalType: 'uint256' },
+      { name: '', type: 'uint256', internalType: 'uint256' },
+      { name: 'issuer', type: 'address', internalType: 'address' },
+    ],
+    outputs: [
+      { name: 'allowed', type: 'bool', internalType: 'bool' },
+      { name: 'error', type: 'string', internalType: 'string' },
+      { name: '', type: 'uint256', internalType: 'uint256' },
+    ],
+    stateMutability: 'view',
+  },
+  {
+    type: 'function',
+    name: 'decryptForTxWithPermit',
+    inputs: [
+      { name: 'ctHash', type: 'uint256', internalType: 'uint256' },
+      {
+        name: 'permission',
+        type: 'tuple',
+        internalType: 'struct Permission',
+        components: [
+          { name: 'issuer', type: 'address', internalType: 'address' },
+          { name: 'expiration', type: 'uint64', internalType: 'uint64' },
+          { name: 'recipient', type: 'address', internalType: 'address' },
+          { name: 'validatorId', type: 'uint256', internalType: 'uint256' },
+          { name: 'validatorContract', type: 'address', internalType: 'address' },
+          { name: 'sealingKey', type: 'bytes32', internalType: 'bytes32' },
+          { name: 'issuerSignature', type: 'bytes', internalType: 'bytes' },
+          { name: 'recipientSignature', type: 'bytes', internalType: 'bytes' },
+        ],
+      },
+    ],
+    outputs: [
+      { name: 'allowed', type: 'bool', internalType: 'bool' },
+      { name: 'error', type: 'string', internalType: 'string' },
+      { name: 'decryptedValue', type: 'uint256', internalType: 'uint256' },
+    ],
+    stateMutability: 'view',
+  },
+  {
+    type: 'function',
+    name: 'decryptForTxWithoutPermit',
+    inputs: [{ name: 'ctHash', type: 'uint256', internalType: 'uint256' }],
+    outputs: [
+      { name: 'allowed', type: 'bool', internalType: 'bool' },
+      { name: 'error', type: 'string', internalType: 'string' },
+      { name: 'decryptedValue', type: 'uint256', internalType: 'uint256' },
+    ],
+    stateMutability: 'view',
+  },
 ] as const;

package/core/decrypt/cofheMocksDecryptForTx.ts

@@ -0,0 +1,142 @@
+import { type Permit, PermitUtils } from '@/permits';
+
+import { encodePacked, keccak256, pad, toHex, type Hex, type PublicClient } from 'viem';
+import { sign } from 'viem/accounts';
+import { sleep } from '../utils.js';
+import { MockThresholdNetworkAbi } from './MockThresholdNetworkAbi.js';
+import { FheTypes } from '../types.js';
+import { CofheError, CofheErrorCode } from '../error.js';
+import { MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY } from '../consts.js';
+import { MOCKS_THRESHOLD_NETWORK_ADDRESS } from '../consts.js';
+
+export type DecryptForTxMocksResult = {
+  ctHash: bigint;
+  decryptedValue: bigint;
+  signature: string;
+};
+
+export async function cofheMocksDecryptForTx(
+  ctHash: bigint,
+  utype: FheTypes,
+  permit: Permit | null,
+  publicClient: PublicClient,
+  mocksDecryptForTxDelay: number
+): Promise<DecryptForTxMocksResult> {
+  // Configurable delay before decrypting to simulate the CoFHE decrypt processing time
+  // Recommended 1000ms on web
+  // Recommended 0ms on hardhat (will be called during tests no need for fake delay)
+  if (mocksDecryptForTxDelay > 0) await sleep(mocksDecryptForTxDelay);
+
+  if (permit !== null) {
+    // With permit
+    let permission = PermitUtils.getPermission(permit, true);
+    const permissionWithBigInts = {
+      ...permission,
+      expiration: BigInt(permission.expiration),
+      validatorId: BigInt(permission.validatorId),
+    };
+
+    const [allowed, error, result] = await publicClient.readContract({
+      address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+      abi: MockThresholdNetworkAbi,
+      functionName: 'decryptForTxWithPermit',
+      args: [ctHash, permissionWithBigInts],
+    });
+
+    if (error != '') {
+      throw new CofheError({
+        code: CofheErrorCode.DecryptFailed,
+        message: `mocks decryptForTx call failed: ${error}`,
+      });
+    }
+
+    if (allowed == false) {
+      throw new CofheError({
+        code: CofheErrorCode.DecryptFailed,
+        message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`,
+      });
+    }
+
+    // decryptForTx returns plaintext directly (no sealing/unsealing needed)
+    // Generate a mock threshold network signature (in production, this would be the actual signature)
+    // The signature must be valid for MockTaskManager verification.
+    const chainId = await publicClient.getChainId();
+    const ctHashBigInt = BigInt(ctHash);
+    const resultBigInt = BigInt(result);
+    const encryptionType = Number((ctHashBigInt & (0x7fn << 8n)) >> 8n);
+
+    // Matches Solidity: keccak256(abi.encodePacked(result, uint32(enc_type), uint64(chainId), bytes32(ctHash)))
+    const ctHashBytes32 = pad(toHex(ctHashBigInt), { size: 32 }) as Hex;
+    const packed = encodePacked(
+      ['uint256', 'uint32', 'uint64', 'bytes32'],
+      [resultBigInt, encryptionType, BigInt(chainId), ctHashBytes32]
+    );
+    const messageHash = keccak256(packed);
+
+    // Raw digest signature (no EIP-191 prefix). Must verify against OpenZeppelin ECDSA.recover(messageHash, signature).
+    const signatureHex = await sign({
+      hash: messageHash,
+      privateKey: MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY,
+      to: 'hex',
+    });
+    const signature = signatureHex.slice(2); // no 0x prefix
+
+    return {
+      ctHash,
+      decryptedValue: BigInt(result),
+      signature,
+    };
+  }
+
+  // Without permit (global allowance)
+  const [allowed, error, result] = await publicClient.readContract({
+    address: MOCKS_THRESHOLD_NETWORK_ADDRESS,
+    abi: MockThresholdNetworkAbi,
+    functionName: 'decryptForTxWithoutPermit',
+    args: [ctHash],
+  });
+
+  if (error != '') {
+    throw new CofheError({
+      code: CofheErrorCode.DecryptFailed,
+      message: `mocks decryptForTx call failed: ${error}`,
+    });
+  }
+
+  if (allowed == false) {
+    throw new CofheError({
+      code: CofheErrorCode.DecryptFailed,
+      message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`,
+    });
+  }
+
+  // decryptForTx returns plaintext directly (no sealing/unsealing needed)
+  // Generate a mock threshold network signature (in production, this would be the actual signature)
+  // The signature must be valid for MockTaskManager verification.
+  const chainId = await publicClient.getChainId();
+  const ctHashBigInt = BigInt(ctHash);
+  const resultBigInt = BigInt(result);
+  const encryptionType = Number((ctHashBigInt & (0x7fn << 8n)) >> 8n);
+
+  // Matches Solidity: keccak256(abi.encodePacked(result, uint32(enc_type), uint64(chainId), bytes32(ctHash)))
+  const ctHashBytes32 = pad(toHex(ctHashBigInt), { size: 32 }) as Hex;
+  const packed = encodePacked(
+    ['uint256', 'uint32', 'uint64', 'bytes32'],
+    [resultBigInt, encryptionType, BigInt(chainId), ctHashBytes32]
+  );
+  const messageHash = keccak256(packed);
+
+  // Raw digest signature (no EIP-191 prefix). Must verify against OpenZeppelin ECDSA.recover(messageHash, signature).
+  const signatureHex = await sign({
+    hash: messageHash,
+    privateKey: MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY,
+    to: 'hex',
+  });
+  const signature = signatureHex.slice(2); // no 0x prefix
+
+  return {
+    ctHash,
+    decryptedValue: BigInt(result),
+    signature,
+  };
+}