@cofhe/sdk 0.3.2 → 0.5.0

package/dist/web.cjs

@@ -14,25 +14,7 @@ var init = require('tfhe');
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
-
-var nacl__namespace = /*#__PURE__*/_interopNamespace(nacl);
+var nacl__default = /*#__PURE__*/_interopDefault(nacl);
 var init__default = /*#__PURE__*/_interopDefault(init);
 
 // core/client.ts
@@ -126,6 +108,16 @@ var bigintSafeJsonStringify = (value) => {
 };
 var isCofheError = (error) => error instanceof CofheError;
 
+// core/consts.ts
+var TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
+var MOCKS_ZK_VERIFIER_ADDRESS = "0x0000000000000000000000000000000000005001";
+var MOCKS_THRESHOLD_NETWORK_ADDRESS = "0x0000000000000000000000000000000000005002";
+var MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY = "0x6C8D7F768A6BB4AAFE85E8A2F5A9680355239C7E14646ED62B044E39DE154512";
+var MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY = "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d";
+var TFHE_RS_ZK_MAX_BITS = 2048;
+var TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT = BigInt(1 << 30);
+var TFHE_RS_KEY_VERSION = 2;
+
 // core/types.ts
 var FheUintUTypes = [
   2 /* Uint8 */,
@@ -248,7 +240,6 @@ var MAX_UINT32 = 4294967295n;
 var MAX_UINT64 = 18446744073709551615n;
 var MAX_UINT128 = 340282366920938463463374607431768211455n;
 var MAX_UINT160 = 1461501637330902918203684832716283019655932542975n;
-var MAX_ENCRYPTABLE_BITS = 2048;
 var zkPack = (items, builder) => {
   let totalBits = 0;
   for (const item of items) {
@@ -312,14 +303,14 @@ var zkPack = (items, builder) => {
       }
     }
   }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  if (totalBits > TFHE_RS_ZK_MAX_BITS) {
     throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      message: `Total bits ${totalBits} exceeds ${TFHE_RS_ZK_MAX_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${TFHE_RS_ZK_MAX_BITS}`,
       context: {
         totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
+        maxBits: TFHE_RS_ZK_MAX_BITS,
         items
       }
     });
@@ -338,7 +329,7 @@ var zkProve = async (builder, crs, metadata) => {
         1
         // ZkComputeLoad.Verify
       );
-      resolve(compactList.serialize());
+      resolve(compactList.safe_serialize(TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT));
     }, 0);
   });
 };
@@ -514,15 +505,6 @@ var MockZkVerifierAbi = [
   },
   { type: "error", name: "InvalidInputs", inputs: [] }
 ];
-
-// core/consts.ts
-var TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
-var MOCKS_ZK_VERIFIER_ADDRESS = "0x0000000000000000000000000000000000005001";
-var MOCKS_THRESHOLD_NETWORK_ADDRESS = "0x0000000000000000000000000000000000005002";
-var MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY = "0x6C8D7F768A6BB4AAFE85E8A2F5A9680355239C7E14646ED62B044E39DE154512";
-var MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY = "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d";
-
-// core/encrypt/cofheMocksZkVerifySign.ts
 function createMockZkVerifierSigner() {
   return viem.createWalletClient({
     chain: chains.hardhat,
@@ -564,14 +546,14 @@ async function cofheMocksCheckEncryptableBits(items) {
       }
     }
   }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  if (totalBits > TFHE_RS_ZK_MAX_BITS) {
     throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      message: `Total bits ${totalBits} exceeds ${TFHE_RS_ZK_MAX_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${TFHE_RS_ZK_MAX_BITS}`,
       context: {
         totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
+        maxBits: TFHE_RS_ZK_MAX_BITS,
         items
       }
     });
@@ -842,6 +824,7 @@ function getThresholdNetworkUrlOrThrow(config, chainId) {
   }
   return url;
 }
+var KEYSTORE_NAME = `cofhesdk-keys-v${TFHE_RS_KEY_VERSION}`;
 function isValidPersistedState(state) {
   if (state && typeof state === "object") {
     if ("fhe" in state && "crs" in state) {
@@ -896,7 +879,7 @@ function createKeysStore(storage) {
   };
   const clearKeysStorage = async () => {
     if (storage) {
-      await storage.removeItem("cofhesdk-keys");
+      await storage.removeItem(KEYSTORE_NAME);
     }
   };
   const rehydrateKeysStore = async () => {
@@ -926,7 +909,7 @@ function createStoreWithPersit(storage) {
         if (_error)
           throw new Error(`onRehydrateStorage: Error rehydrating keys store: ${_error}`);
       },
-      name: "cofhesdk-keys",
+      name: KEYSTORE_NAME,
       storage: middleware.createJSONStorage(() => storage),
       merge: (persistedState, currentState) => {
         const persisted = isValidPersistedState(persistedState) ? persistedState : DEFAULT_KEYS_STORE;
@@ -1651,7 +1634,7 @@ var SealingKey = class _SealingKey {
     const ephemPublicKey = parsedData.public_key instanceof Uint8Array ? parsedData.public_key : new Uint8Array(parsedData.public_key);
     const dataToDecrypt = parsedData.data instanceof Uint8Array ? parsedData.data : new Uint8Array(parsedData.data);
     const privateKeyBytes = fromHexString(this.privateKey);
-    const decryptedMessage = nacl__namespace.box.open(dataToDecrypt, nonce, ephemPublicKey, privateKeyBytes);
+    const decryptedMessage = nacl__default.default.box.open(dataToDecrypt, nonce, ephemPublicKey, privateKeyBytes);
     if (!decryptedMessage) {
       throw new Error("Failed to decrypt message");
     }
@@ -1684,9 +1667,9 @@ var SealingKey = class _SealingKey {
   static seal = (value, publicKey) => {
     isString(publicKey);
     isBigIntOrNumber(value);
-    const ephemeralKeyPair = nacl__namespace.box.keyPair();
-    const nonce = nacl__namespace.randomBytes(nacl__namespace.box.nonceLength);
-    const encryptedMessage = nacl__namespace.box(toBeArray(value), nonce, fromHexString(publicKey), ephemeralKeyPair.secretKey);
+    const ephemeralKeyPair = nacl__default.default.box.keyPair();
+    const nonce = nacl__default.default.randomBytes(nacl__default.default.box.nonceLength);
+    const encryptedMessage = nacl__default.default.box(toBeArray(value), nonce, fromHexString(publicKey), ephemeralKeyPair.secretKey);
     return {
       data: encryptedMessage,
       public_key: ephemeralKeyPair.publicKey,
@@ -1695,7 +1678,7 @@ var SealingKey = class _SealingKey {
   };
 };
 var GenerateSealingKey = () => {
-  const sodiumKeypair = nacl__namespace.box.keyPair();
+  const sodiumKeypair = nacl__default.default.box.keyPair();
   return new SealingKey(toHexString2(sodiumKeypair.secretKey), toHexString2(sodiumKeypair.publicKey));
 };
 var SerializedSealingPair = zod.z.object({
@@ -1853,9 +1836,9 @@ var ValidationUtils = {
     return false;
   },
   /**
-   * Overall validity checker of a permit
+   * Checks that a permit is signed and not expired.
    */
-  isValid: (permit) => {
+  isSignedAndNotExpired: (permit) => {
     if (ValidationUtils.isExpired(permit)) {
       return { valid: false, error: "expired" };
     }
@@ -1863,6 +1846,34 @@ var ValidationUtils = {
       return { valid: false, error: "not-signed" };
     }
     return { valid: true, error: null };
+  },
+  /**
+   * Asserts that a permit is signed and not expired.
+   *
+   * Throws `Error` with message:
+   * - `Permit is expired`
+   * - `Permit is not signed`
+   */
+  assertSignedAndNotExpired: (permit) => {
+    const result = ValidationUtils.isSignedAndNotExpired(permit);
+    if (result.valid)
+      return;
+    if (result.error === "expired") {
+      throw new Error("Permit is expired");
+    }
+    if (result.error === "not-signed") {
+      throw new Error("Permit is not signed");
+    }
+    throw new Error("Permit is invalid");
+  },
+  isValid: (permit) => {
+    const schema = permit.type === "self" ? SelfPermitValidator : permit.type === "sharing" ? SharingPermitValidator : permit.type === "recipient" ? ImportPermitValidator : null;
+    if (schema == null)
+      return { valid: false, error: "invalid-schema" };
+    const schemaResult = schema.safeParse(permit);
+    if (!schemaResult.success)
+      return { valid: false, error: "invalid-schema" };
+    return ValidationUtils.isSignedAndNotExpired(permit);
   }
 };
 
@@ -2244,9 +2255,9 @@ var PermitUtils = {
     };
   },
   /**
-   * Validate a permit
+   * Validate a permit (schema-level validation)
    */
-  validate: (permit) => {
+  validateSchema: (permit) => {
     if (permit.type === "self") {
       return validateSelfPermit(permit);
     } else if (permit.type === "sharing") {
@@ -2257,12 +2268,27 @@ var PermitUtils = {
       throw new Error("Invalid permit type");
     }
   },
+  /**
+   * Validate a permit (holistic validation).
+   *
+   * This validates:
+   * - Permit schema (shape + invariants)
+   * - Permit is signed
+   * - Permit is not expired
+   *
+   * For schema-only validation, use `validateSchema(permit)`.
+   */
+  validate: (permit) => {
+    const validated = PermitUtils.validateSchema(permit);
+    ValidationUtils.assertSignedAndNotExpired(validated);
+    return validated;
+  },
   /**
    * Get the permission object from a permit (for use in contracts)
    */
   getPermission: (permit, skipValidation = false) => {
     if (!skipValidation) {
-      PermitUtils.validate(permit);
+      PermitUtils.validateSchema(permit);
     }
     return {
       issuer: permit.issuer,
@@ -2328,8 +2354,17 @@ var PermitUtils = {
     return ValidationUtils.isSigned(permit);
   },
   /**
-   * Check if permit is valid
+   * Check if permit is signed and not expired
+   */
+  isSignedAndNotExpired: (permit) => {
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  },
+  /**
+   * Assert that permit is signed and not expired
    */
+  assertSignedAndNotExpired: (permit) => {
+    return ValidationUtils.assertSignedAndNotExpired(permit);
+  },
   isValid: (permit) => {
     return ValidationUtils.isValid(permit);
   },
@@ -2507,19 +2542,22 @@ var importShared = async (options, publicClient, walletClient) => {
 var getHash = (permit) => {
   return PermitUtils.getHash(permit);
 };
+var exportShared = (permit) => {
+  return PermitUtils.export(permit);
+};
 var serialize = (permit) => {
   return PermitUtils.serialize(permit);
 };
 var deserialize = (serialized) => {
   return PermitUtils.deserialize(serialized);
 };
-var getPermit2 = async (chainId, account, hash) => {
+var getPermit2 = (chainId, account, hash) => {
   return permitStore.getPermit(chainId, account, hash);
 };
-var getPermits2 = async (chainId, account) => {
+var getPermits2 = (chainId, account) => {
   return permitStore.getPermits(chainId, account);
 };
-var getActivePermit2 = async (chainId, account) => {
+var getActivePermit2 = (chainId, account) => {
   return permitStore.getActivePermit(chainId, account);
 };
 var getActivePermitHash2 = (chainId, account) => {
@@ -2557,6 +2595,7 @@ var permits = {
   getOrCreateSelfPermit,
   getOrCreateSharingPermit,
   getHash,
+  export: exportShared,
   serialize,
   deserialize,
   getPermit: getPermit2,
@@ -2799,9 +2838,19 @@ async function cofheMocksDecryptForView(ctHash, utype, permit, publicClient) {
   return unsealed;
 }
 
+// core/decrypt/polling.ts
+function computeMinuteRampPollIntervalMs(elapsedMs, params) {
+  const elapsedSeconds = Math.floor(elapsedMs / 1e3);
+  const intervalSeconds = 1 + Math.floor(elapsedSeconds / 60);
+  const intervalMs = intervalSeconds * 1e3;
+  return Math.min(params.maxIntervalMs, Math.max(params.minIntervalMs, intervalMs));
+}
+
 // core/decrypt/tnSealOutputV2.ts
 var POLL_INTERVAL_MS = 1e3;
-var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+var POLL_MAX_INTERVAL_MS = 1e4;
+var SEAL_OUTPUT_TIMEOUT_MS = 5 * 60 * 1e3;
+var SUBMIT_RETRY_INTERVAL_MS = 1e3;
 function numberArrayToUint8Array(arr) {
   return new Uint8Array(arr);
 }
@@ -2818,93 +2867,193 @@ function convertSealedData(sealed) {
     nonce: numberArrayToUint8Array(sealed.nonce)
   };
 }
-async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission) {
-  const body = {
-    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
-    host_chain_id: chainId,
-    permit: permission
-  };
-  let response;
-  try {
-    response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(body)
-    });
-  } catch (e) {
-    throw new CofheError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `sealOutput request failed`,
-      hint: "Ensure the threshold network URL is valid and reachable.",
-      cause: e instanceof Error ? e : void 0,
-      context: {
-        thresholdNetworkUrl,
-        body
-      }
-    });
+function getSealedDataFromSubmitResponse(value) {
+  if (value.sealed)
+    return value.sealed;
+  if (Array.isArray(value.sealed_data) && Array.isArray(value.ephemeral_public_key) && Array.isArray(value.nonce)) {
+    return {
+      data: value.sealed_data,
+      public_key: value.ephemeral_public_key,
+      nonce: value.nonce
+    };
   }
-  if (!response.ok) {
-    let errorMessage = `HTTP ${response.status}`;
-    try {
-      const errorBody = await response.json();
-      errorMessage = errorBody.error_message || errorBody.message || errorMessage;
-    } catch {
-      errorMessage = response.statusText || errorMessage;
-    }
+  return void 0;
+}
+function parseCompletedSealOutputResponse(params) {
+  const { value, thresholdNetworkUrl, requestId } = params;
+  if (value.is_succeed === false) {
+    const errorMessage = value.error_message || "Unknown error";
     throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput request failed: ${errorMessage}`,
-      hint: "Check the threshold network URL and request parameters.",
       context: {
         thresholdNetworkUrl,
-        status: response.status,
-        statusText: response.statusText,
-        body
+        requestId,
+        response: value
       }
     });
   }
-  let submitResponse;
-  try {
-    submitResponse = await response.json();
-  } catch (e) {
+  const sealed = "sealed" in value ? value.sealed : getSealedDataFromSubmitResponse(value);
+  if (!sealed) {
     throw new CofheError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `Failed to parse sealOutput submit response`,
-      cause: e instanceof Error ? e : void 0,
+      code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
+      message: `sealOutput request completed but returned no sealed data`,
       context: {
         thresholdNetworkUrl,
-        body
+        requestId,
+        response: value
       }
     });
   }
-  if (!submitResponse.request_id) {
+  return convertSealedData(sealed);
+}
+async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission, overallStartTime, onPoll) {
+  const body = {
+    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
+    host_chain_id: chainId,
+    permit: permission
+  };
+  let attemptIndex = 0;
+  for (; ; ) {
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request failed: ${errorMessage}`,
+        hint: "Check the threshold network URL and request parameters.",
+        context: {
+          thresholdNetworkUrl,
+          status: response.status,
+          statusText: response.statusText,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    let submitResponse;
+    if (response.status !== 204) {
+      try {
+        submitResponse = await response.json();
+      } catch (e) {
+        throw new CofheError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `Failed to parse sealOutput submit response`,
+          cause: e instanceof Error ? e : void 0,
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex
+          }
+        });
+      }
+      if (getSealedDataFromSubmitResponse(submitResponse)) {
+        return {
+          kind: "completed",
+          sealed: parseCompletedSealOutputResponse({
+            value: submitResponse,
+            thresholdNetworkUrl,
+            requestId: submitResponse.request_id
+          })
+        };
+      }
+      if (submitResponse.request_id) {
+        return { kind: "request_id", requestId: submitResponse.request_id };
+      }
+    }
+    if (response.status === 204) {
+      const elapsedMs = Date.now() - overallStartTime;
+      if (elapsedMs > SEAL_OUTPUT_TIMEOUT_MS) {
+        throw new CofheError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `sealOutput submit retried without receiving request_id for ${SEAL_OUTPUT_TIMEOUT_MS}ms`,
+          hint: "The ciphertext may still be propagating. Try again later.",
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex,
+            timeoutMs: SEAL_OUTPUT_TIMEOUT_MS,
+            submitResponse,
+            status: response.status
+          }
+        });
+      }
+      onPoll?.({
+        operation: "sealoutput",
+        requestId: "",
+        attemptIndex,
+        elapsedMs,
+        intervalMs: SUBMIT_RETRY_INTERVAL_MS,
+        timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
+      });
+      await new Promise((resolve) => setTimeout(resolve, SUBMIT_RETRY_INTERVAL_MS));
+      attemptIndex += 1;
+      continue;
+    }
     throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput submit response missing request_id`,
       context: {
         thresholdNetworkUrl,
         body,
-        submitResponse
+        submitResponse,
+        attemptIndex
       }
     });
   }
-  return submitResponse.request_id;
 }
-async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
-  const startTime = Date.now();
-  let completed = false;
-  while (!completed) {
-    if (Date.now() - startTime > POLL_TIMEOUT_MS) {
+async function pollSealOutputStatus(thresholdNetworkUrl, requestId, overallStartTime, onPoll) {
+  let attemptIndex = 0;
+  while (true) {
+    const elapsedMs = Date.now() - overallStartTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS
+    });
+    onPoll?.({
+      operation: "sealoutput",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
+    });
+    if (elapsedMs > SEAL_OUTPUT_TIMEOUT_MS) {
       throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-        message: `sealOutput polling timed out after ${POLL_TIMEOUT_MS}ms`,
+        message: `sealOutput polling timed out after ${SEAL_OUTPUT_TIMEOUT_MS}ms`,
         hint: "The request may still be processing. Try again later.",
         context: {
           thresholdNetworkUrl,
           requestId,
-          timeoutMs: POLL_TIMEOUT_MS
+          timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
         }
       });
     }
@@ -2973,32 +3122,14 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
       });
     }
     if (statusResponse.status === "COMPLETED") {
-      if (statusResponse.is_succeed === false) {
-        const errorMessage = statusResponse.error_message || "Unknown error";
-        throw new CofheError({
-          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-          message: `sealOutput request failed: ${errorMessage}`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      if (!statusResponse.sealed) {
-        throw new CofheError({
-          code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
-          message: `sealOutput request completed but returned no sealed data`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      return convertSealedData(statusResponse.sealed);
+      return parseCompletedSealOutputResponse({
+        value: statusResponse,
+        thresholdNetworkUrl,
+        requestId
+      });
     }
-    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
   }
   throw new CofheError({
     code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
@@ -3009,9 +3140,21 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
     }
   });
 }
-async function tnSealOutputV2(ctHash, chainId, permission, thresholdNetworkUrl) {
-  const requestId = await submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission);
-  return await pollSealOutputStatus(thresholdNetworkUrl, requestId);
+async function tnSealOutputV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const overallStartTime = Date.now();
+  const submitResult = await submitSealOutputRequest(
+    thresholdNetworkUrl,
+    ctHash,
+    chainId,
+    permission,
+    overallStartTime,
+    onPoll
+  );
+  if (submitResult.kind === "completed") {
+    return submitResult.sealed;
+  }
+  return await pollSealOutputStatus(thresholdNetworkUrl, submitResult.requestId, overallStartTime, onPoll);
 }
 
 // core/decrypt/decryptForViewBuilder.ts
@@ -3020,6 +3163,7 @@ var DecryptForViewBuilder = class extends BaseBuilder {
   utype;
   permitHash;
   permit;
+  pollCallback;
   constructor(params) {
     super({
       config: params.config,
@@ -3076,6 +3220,10 @@ var DecryptForViewBuilder = class extends BaseBuilder {
   getAccount() {
     return this.account;
   }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
   withPermit(permitOrPermitHash) {
     if (typeof permitOrPermitHash === "string") {
       this.permitHash = permitOrPermitHash;
@@ -3199,7 +3347,13 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     this.assertPublicClient();
     const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
     const permission = PermitUtils.getPermission(permit, true);
-    const sealed = await tnSealOutputV2(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    const sealed = await tnSealOutputV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
     return PermitUtils.unseal(permit, sealed);
   }
   /**
@@ -3227,7 +3381,6 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     this.validateUtypeOrThrow();
     const permit = await this.getResolvedPermit();
     PermitUtils.validate(permit);
-    PermitUtils.isValid(permit);
     const chainId = permit._signedDomain.chainId;
     let unsealed;
     if (chainId === hardhat2.id) {
@@ -3238,6 +3391,9 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     return convertViaUtype(this.utype, unsealed);
   }
 };
+var UINT_TYPE_MASK = 0x7fn;
+var TYPE_BYTE_OFFSET = 8n;
+var getEncryptionTypeFromCtHash = (ctHash) => Number(ctHash >> TYPE_BYTE_OFFSET & UINT_TYPE_MASK);
 async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
   let allowed;
   let error;
@@ -3275,7 +3431,13 @@ async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
       message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`
     });
   }
-  const packed = viem.encodePacked(["uint256", "uint256"], [BigInt(ctHash), decryptedValue]);
+  const chainId = publicClient.chain?.id ?? await publicClient.getChainId();
+  const normalizedCtHash = BigInt(ctHash);
+  const encryptionType = getEncryptionTypeFromCtHash(normalizedCtHash);
+  const packed = viem.encodePacked(
+    ["uint256", "uint32", "uint64", "uint256"],
+    [decryptedValue, encryptionType, BigInt(chainId), normalizedCtHash]
+  );
   const messageHash = viem.keccak256(packed);
   const signature = await accounts.sign({
     hash: messageHash,
@@ -3288,7 +3450,7 @@ async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
     signature
   };
 }
-function normalizeSignature(signature) {
+function normalizeTnSignature(signature) {
   if (typeof signature !== "string") {
     throw new CofheError({
       code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
@@ -3344,141 +3506,384 @@ function parseDecryptedBytesToBigInt(decrypted) {
   }
   return BigInt(`0x${hex}`);
 }
-function assertTnDecryptResponse(value) {
+
+// core/decrypt/tnDecryptV2.ts
+var POLL_INTERVAL_MS2 = 1e3;
+var POLL_MAX_INTERVAL_MS2 = 1e4;
+var DECRYPT_TIMEOUT_MS = 5 * 60 * 1e3;
+var SUBMIT_RETRY_INTERVAL_MS2 = 1e3;
+function assertDecryptSubmitResponseV2(value) {
   if (value == null || typeof value !== "object") {
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: "decrypt response must be a JSON object",
+      message: "decrypt submit response must be a JSON object",
       context: {
         value
       }
     });
   }
   const v = value;
-  const decrypted = v.decrypted;
-  const signature = v.signature;
-  const encryptionType = v.encryption_type;
-  const errorMessage = v.error_message;
-  if (!Array.isArray(decrypted)) {
+  if (v.request_id !== null && typeof v.request_id !== "string") {
     throw new CofheError({
-      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
-      message: "decrypt response missing <decrypted> byte array",
-      context: { decryptResponse: value }
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt submit response has invalid request_id",
+      context: {
+        value
+      }
     });
   }
-  if (typeof signature !== "string") {
+  return {
+    request_id: v.request_id ?? null,
+    status: typeof v.status === "string" ? v.status : void 0,
+    is_succeed: typeof v.is_succeed === "boolean" ? v.is_succeed : void 0,
+    decrypted: Array.isArray(v.decrypted) ? v.decrypted : void 0,
+    signature: typeof v.signature === "string" ? v.signature : void 0,
+    encryption_type: typeof v.encryption_type === "number" ? v.encryption_type : void 0,
+    error_message: typeof v.error_message === "string" || v.error_message === null ? v.error_message : void 0,
+    message: typeof v.message === "string" ? v.message : void 0
+  };
+}
+function parseCompletedDecryptResponseV2(params) {
+  const { value, thresholdNetworkUrl, requestId } = params;
+  if (value.is_succeed === false) {
+    const errorMessage = value.error_message || "Unknown error";
     throw new CofheError({
-      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
-      message: "decrypt response missing <signature> string",
-      context: { decryptResponse: value }
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${errorMessage}`,
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
     });
   }
-  if (typeof encryptionType !== "number") {
+  if (value.error_message) {
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: "decrypt response missing <encryption_type> number",
-      context: { decryptResponse: value }
+      message: `decrypt request failed: ${value.error_message}`,
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
     });
   }
-  if (!(typeof errorMessage === "string" || errorMessage === null)) {
+  if (!Array.isArray(value.decrypted)) {
     throw new CofheError({
-      code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: "decrypt response field <error_message> must be string or null",
-      context: { decryptResponse: value }
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt completed but response missing <decrypted> byte array",
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
     });
   }
-  return {
-    decrypted,
-    signature,
-    encryption_type: encryptionType,
-    error_message: errorMessage
-  };
+  const decryptedValue = parseDecryptedBytesToBigInt(value.decrypted);
+  const signature = normalizeTnSignature(value.signature);
+  return { decryptedValue, signature };
 }
-async function tnDecrypt(ctHash, chainId, permission, thresholdNetworkUrl) {
-  const body = {
-    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
-    host_chain_id: chainId
-  };
-  if (permission) {
-    body.permit = permission;
-  }
-  let response;
-  try {
-    response = await fetch(`${thresholdNetworkUrl}/decrypt`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(body)
+function assertDecryptStatusResponseV2(value) {
+  if (value == null || typeof value !== "object") {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: "decrypt status response must be a JSON object",
+      context: {
+        value
+      }
     });
-  } catch (e) {
+  }
+  const v = value;
+  const requestId = v.request_id;
+  const status = v.status;
+  const submittedAt = v.submitted_at;
+  if (typeof requestId !== "string" || requestId.trim().length === 0) {
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `decrypt request failed`,
-      hint: "Ensure the threshold network URL is valid and reachable.",
-      cause: e instanceof Error ? e : void 0,
+      message: "decrypt status response missing request_id",
       context: {
-        thresholdNetworkUrl,
-        body
+        value
       }
     });
   }
-  const responseText = await response.text();
-  if (!response.ok) {
-    let errorMessage = response.statusText || `HTTP ${response.status}`;
-    try {
-      const errorBody = JSON.parse(responseText);
-      const maybeMessage = errorBody.error_message || errorBody.message;
-      if (typeof maybeMessage === "string" && maybeMessage.length > 0)
-        errorMessage = maybeMessage;
-    } catch {
-      const trimmed = responseText.trim();
-      if (trimmed.length > 0)
-        errorMessage = trimmed;
-    }
+  if (status !== "PROCESSING" && status !== "COMPLETED") {
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `decrypt request failed: ${errorMessage}`,
-      hint: "Check the threshold network URL and request parameters.",
+      message: "decrypt status response has invalid status",
       context: {
-        thresholdNetworkUrl,
-        status: response.status,
-        statusText: response.statusText,
-        body,
-        responseText
+        value,
+        status
       }
     });
   }
-  let rawJson;
-  try {
-    rawJson = JSON.parse(responseText);
-  } catch (e) {
+  if (typeof submittedAt !== "string" || submittedAt.trim().length === 0) {
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `Failed to parse decrypt response`,
-      cause: e instanceof Error ? e : void 0,
+      message: "decrypt status response missing submitted_at",
       context: {
-        thresholdNetworkUrl,
-        body,
-        responseText
+        value
       }
     });
   }
-  const decryptResponse = assertTnDecryptResponse(rawJson);
-  if (decryptResponse.error_message) {
+  return value;
+}
+async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission, overallStartTime, onPoll) {
+  const body = {
+    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
+    host_chain_id: chainId
+  };
+  if (permission) {
+    body.permit = permission;
+  }
+  let attemptIndex = 0;
+  for (; ; ) {
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/decrypt`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        const maybeMessage = errorBody.error_message || errorBody.message;
+        if (typeof maybeMessage === "string" && maybeMessage.length > 0)
+          errorMessage = maybeMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request failed: ${errorMessage}`,
+        hint: "Check the threshold network URL and request parameters.",
+        context: {
+          thresholdNetworkUrl,
+          status: response.status,
+          statusText: response.statusText,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    let submitResponse;
+    if (response.status !== 204) {
+      let rawJson;
+      try {
+        rawJson = await response.json();
+      } catch (e) {
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `Failed to parse decrypt submit response`,
+          cause: e instanceof Error ? e : void 0,
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex
+          }
+        });
+      }
+      submitResponse = assertDecryptSubmitResponseV2(rawJson);
+      if (Array.isArray(submitResponse.decrypted) && typeof submitResponse.signature === "string") {
+        return {
+          kind: "completed",
+          ...parseCompletedDecryptResponseV2({
+            value: submitResponse,
+            thresholdNetworkUrl,
+            requestId: submitResponse.request_id
+          })
+        };
+      }
+      if (submitResponse.request_id) {
+        return { kind: "request_id", requestId: submitResponse.request_id };
+      }
+    }
+    if (response.status === 204) {
+      const elapsedMs = Date.now() - overallStartTime;
+      if (elapsedMs > DECRYPT_TIMEOUT_MS) {
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `decrypt submit retried without receiving request_id for ${DECRYPT_TIMEOUT_MS}ms`,
+          hint: "The ciphertext may still be propagating. Try again later.",
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex,
+            timeoutMs: DECRYPT_TIMEOUT_MS,
+            submitResponse,
+            status: response.status
+          }
+        });
+      }
+      onPoll?.({
+        operation: "decrypt",
+        requestId: "",
+        attemptIndex,
+        elapsedMs,
+        intervalMs: SUBMIT_RETRY_INTERVAL_MS2,
+        timeoutMs: DECRYPT_TIMEOUT_MS
+      });
+      await new Promise((resolve) => setTimeout(resolve, SUBMIT_RETRY_INTERVAL_MS2));
+      attemptIndex += 1;
+      continue;
+    }
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `decrypt request failed: ${decryptResponse.error_message}`,
+      message: `decrypt submit response missing request_id`,
       context: {
         thresholdNetworkUrl,
         body,
-        decryptResponse
+        submitResponse,
+        attemptIndex
       }
     });
   }
-  const decryptedValue = parseDecryptedBytesToBigInt(decryptResponse.decrypted);
-  const signature = normalizeSignature(decryptResponse.signature);
-  return { decryptedValue, signature };
+}
+async function pollDecryptStatusV2(thresholdNetworkUrl, requestId, overallStartTime, onPoll) {
+  let attemptIndex = 0;
+  while (true) {
+    const elapsedMs = Date.now() - overallStartTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS2,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS2
+    });
+    onPoll?.({
+      operation: "decrypt",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: DECRYPT_TIMEOUT_MS
+    });
+    if (elapsedMs > DECRYPT_TIMEOUT_MS) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt polling timed out after ${DECRYPT_TIMEOUT_MS}ms`,
+        hint: "The request may still be processing. Try again later.",
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          timeoutMs: DECRYPT_TIMEOUT_MS
+        }
+      });
+    }
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/decrypt/${requestId}`, {
+        method: "GET",
+        headers: {
+          "Content-Type": "application/json"
+        }
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt status poll failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (response.status === 404) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request not found: ${requestId}`,
+        hint: "The request may have expired or been invalid.",
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        const maybeMessage = errorBody.error_message || errorBody.message;
+        if (typeof maybeMessage === "string" && maybeMessage.length > 0)
+          errorMessage = maybeMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt status poll failed: ${errorMessage}`,
+        context: {
+          thresholdNetworkUrl,
+          requestId,
+          status: response.status,
+          statusText: response.statusText
+        }
+      });
+    }
+    let rawJson;
+    try {
+      rawJson = await response.json();
+    } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `Failed to parse decrypt status response`,
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          requestId
+        }
+      });
+    }
+    const statusResponse = assertDecryptStatusResponseV2(rawJson);
+    if (statusResponse.status === "COMPLETED") {
+      return parseCompletedDecryptResponseV2({
+        value: statusResponse,
+        thresholdNetworkUrl,
+        requestId
+      });
+    }
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
+  }
+  throw new CofheError({
+    code: "DECRYPT_FAILED" /* DecryptFailed */,
+    message: "Polling loop exited unexpectedly",
+    context: {
+      thresholdNetworkUrl,
+      requestId
+    }
+  });
+}
+async function tnDecryptV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const overallStartTime = Date.now();
+  const submitResult = await submitDecryptRequestV2(
+    thresholdNetworkUrl,
+    ctHash,
+    chainId,
+    permission,
+    overallStartTime,
+    onPoll
+  );
+  if (submitResult.kind === "completed") {
+    return submitResult;
+  }
+  return await pollDecryptStatusV2(thresholdNetworkUrl, submitResult.requestId, overallStartTime, onPoll);
 }
 
 // core/decrypt/decryptForTxBuilder.ts
@@ -3487,6 +3892,7 @@ var DecryptForTxBuilder = class extends BaseBuilder {
   permitHash;
   permit;
   permitSelection = "unset";
+  pollCallback;
   constructor(params) {
     super({
       config: params.config,
@@ -3512,6 +3918,10 @@ var DecryptForTxBuilder = class extends BaseBuilder {
   getAccount() {
     return this.account;
   }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
   withPermit(permitOrPermitHash) {
     if (this.permitSelection === "with-permit") {
       throw new CofheError({
@@ -3639,7 +4049,13 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     this.assertPublicClient();
     const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
     const permission = permit ? PermitUtils.getPermission(permit, true) : null;
-    const { decryptedValue, signature } = await tnDecrypt(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    const { decryptedValue, signature } = await tnDecryptV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
     return {
       ctHash: this.ctHash,
       decryptedValue,
@@ -3657,7 +4073,6 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     const permit = await this.getResolvedPermit();
     if (permit !== null) {
       PermitUtils.validate(permit);
-      PermitUtils.isValid(permit);
       const chainId = permit._signedDomain.chainId;
       if (chainId === hardhat2.id) {
         return await this.mocksDecryptForTx(permit);
@@ -3678,6 +4093,35 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     }
   }
 };
+var decryptResultSignerAbi = viem.parseAbi(["function decryptResultSigner() view returns (address)"]);
+var UINT_TYPE_MASK2 = 0x7fn;
+var TYPE_BYTE_OFFSET2 = 8n;
+var getEncryptionTypeFromCtHash2 = (ctHash) => Number(ctHash >> TYPE_BYTE_OFFSET2 & UINT_TYPE_MASK2);
+var buildDecryptResultHash = (ctHash, cleartext, chainId) => {
+  const encryptionType = getEncryptionTypeFromCtHash2(ctHash);
+  return viem.keccak256(
+    viem.encodePacked(["uint256", "uint32", "uint64", "uint256"], [cleartext, encryptionType, BigInt(chainId), ctHash])
+  );
+};
+async function verifyDecryptResult(handle, cleartext, signature, publicClient) {
+  const chainId = publicClient.chain?.id ?? await publicClient.getChainId();
+  const expectedSigner = await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: decryptResultSignerAbi,
+    functionName: "decryptResultSigner",
+    args: []
+  });
+  if (viem.isAddressEqual(expectedSigner, viem.zeroAddress))
+    return true;
+  const ctHash = BigInt(handle);
+  const messageHash = buildDecryptResultHash(ctHash, cleartext, chainId);
+  try {
+    const recovered = await viem.recoverAddress({ hash: messageHash, signature });
+    return viem.isAddressEqual(recovered, expectedSigner);
+  } catch {
+    return false;
+  }
+}
 
 // core/client.ts
 var InitialConnectStore = {
@@ -3796,6 +4240,11 @@ function createCofheClientBase(opts) {
       requireConnected: _requireConnected
     });
   }
+  function verifyDecryptResult2(handle, cleartext, signature) {
+    _requireConnected();
+    const { publicClient } = connectStore.getState();
+    return verifyDecryptResult(handle, cleartext, signature, publicClient);
+  }
   const _getChainIdAndAccount = (chainId, account) => {
     const state = connectStore.getState();
     const _chainId = chainId ?? state.chainId;
@@ -3847,19 +4296,19 @@ function createCofheClientBase(opts) {
       return permits.getOrCreateSharingPermit(publicClient, walletClient, options, _chainId, _account);
     },
     // Retrieval methods (auto-fill chainId/account)
-    getPermit: async (hash, chainId, account) => {
+    getPermit: (hash, chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getPermit(_chainId, _account, hash);
     },
-    getPermits: async (chainId, account) => {
+    getPermits: (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getPermits(_chainId, _account);
     },
-    getActivePermit: async (chainId, account) => {
+    getActivePermit: (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getActivePermit(_chainId, _account);
     },
-    getActivePermitHash: async (chainId, account) => {
+    getActivePermitHash: (chainId, account) => {
       const { chainId: _chainId, account: _account } = _getChainIdAndAccount(chainId, account);
       return permits.getActivePermitHash(_chainId, _account);
     },
@@ -3878,6 +4327,7 @@ function createCofheClientBase(opts) {
     },
     // Utils (no context needed)
     getHash: permits.getHash,
+    export: permits.export,
     serialize: permits.serialize,
     deserialize: permits.deserialize
   };
@@ -3906,6 +4356,7 @@ function createCofheClientBase(opts) {
      */
     decryptHandle: decryptForView,
     decryptForTx,
+    verifyDecryptResult: verifyDecryptResult2,
     permits: clientPermits
     // Add SDK-specific methods below that require connection
     // Example:
@@ -3915,12 +4366,19 @@ function createCofheClientBase(opts) {
     // },
   };
 }
-var createWebStorage = () => {
+
+// web/const.ts
+var hasDOM = typeof globalThis?.document !== "undefined" && typeof globalThis?.window !== "undefined";
+
+// web/storage.ts
+var createWebStorage = (opts = { enableLog: false }) => {
+  if (!hasDOM)
+    throw new Error("createWebStorage can only be used in a browser environment");
   const client = iframeSharedStorage.constructClient({
     iframe: {
       src: "https://iframe-shared-storage.vercel.app/hub.html",
       messagingOptions: {
-        enableLog: "both"
+        enableLog: opts.enableLog ? "both" : void 0
       },
       iframeReadyTimeoutMs: 3e4,
       // if the iframe is not initied during this interval AND a reuqest is made, such request will throw an error
@@ -3943,6 +4401,16 @@ var createWebStorage = () => {
     }
   };
 };
+function createSsrStorage() {
+  console.warn("using no-op server-side SSR storage");
+  return {
+    getItem: async () => null,
+    setItem: async () => {
+    },
+    removeItem: async () => {
+    }
+  };
+}
 
 // web/workerManager.ts
 var ZkProveWorkerManager = class {
@@ -3968,7 +4436,7 @@ var ZkProveWorkerManager = class {
           return;
         }
         try {
-          this.worker = new Worker(new URL("./zkProve.worker.js", (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.src || new URL('out.js', document.baseURI).href))), { type: "module" });
+          this.worker = new Worker(new URL("./zkProve.worker.js", (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('out.js', document.baseURI).href))), { type: "module" });
         } catch (error) {
           reject(new Error(`Failed to create worker: ${error}`));
           return;
@@ -4098,16 +4566,22 @@ var fromHexString2 = (hexString) => {
     return new Uint8Array();
   return new Uint8Array(arr.map((byte) => parseInt(byte, 16)));
 };
+var _deserializeTfhePublicKey = (buff) => {
+  return init.TfheCompactPublicKey.safe_deserialize(fromHexString2(buff), TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT);
+};
+var _deserializeCompactPkeCrs = (buff) => {
+  return init.CompactPkeCrs.safe_deserialize(fromHexString2(buff), TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT);
+};
 var tfhePublicKeyDeserializer = (buff) => {
-  init.TfheCompactPublicKey.deserialize(fromHexString2(buff));
+  _deserializeTfhePublicKey(buff);
 };
 var compactPkeCrsDeserializer = (buff) => {
-  init.CompactPkeCrs.deserialize(fromHexString2(buff));
+  _deserializeCompactPkeCrs(buff);
 };
 var zkBuilderAndCrsGenerator = (fhe, crs) => {
-  const fhePublicKey = init.TfheCompactPublicKey.deserialize(fromHexString2(fhe));
+  const fhePublicKey = _deserializeTfhePublicKey(fhe);
   const zkBuilder = init.ProvenCompactCiphertextList.builder(fhePublicKey);
-  const zkCrs = init.CompactPkeCrs.deserialize(fromHexString2(crs));
+  const zkCrs = _deserializeCompactPkeCrs(crs);
   return { zkBuilder, zkCrs };
 };
 async function zkProveWithWorker2(fheKeyHex, crsHex, items, metadata) {
@@ -4122,7 +4596,7 @@ function createCofheConfig(config) {
   return createCofheConfigBase({
     environment: "web",
     ...config,
-    fheKeyStorage: config.fheKeyStorage === null ? null : config.fheKeyStorage ?? createWebStorage()
+    fheKeyStorage: config.fheKeyStorage === null ? null : config.fheKeyStorage ?? (hasDOM ? createWebStorage() : createSsrStorage())
   });
 }
 function createCofheClient(config) {
@@ -4152,4 +4626,6 @@ exports.areWorkersAvailable = areWorkersAvailable;
 exports.createCofheClient = createCofheClient;
 exports.createCofheClientWithCustomWorker = createCofheClientWithCustomWorker;
 exports.createCofheConfig = createCofheConfig;
+exports.createSsrStorage = createSsrStorage;
+exports.hasDOM = hasDOM;
 exports.terminateWorker = terminateWorker;