@cofhe/sdk 0.4.0 → 0.5.1

package/dist/node.cjs

@@ -12,25 +12,9 @@ var fs = require('fs');
 var path = require('path');
 var nodeTfhe = require('node-tfhe');
 
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
-var nacl__namespace = /*#__PURE__*/_interopNamespace(nacl);
+var nacl__default = /*#__PURE__*/_interopDefault(nacl);
 
 // core/client.ts
 
@@ -123,6 +107,16 @@ var bigintSafeJsonStringify = (value) => {
 };
 var isCofheError = (error) => error instanceof CofheError;
 
+// core/consts.ts
+var TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
+var MOCKS_ZK_VERIFIER_ADDRESS = "0x0000000000000000000000000000000000005001";
+var MOCKS_THRESHOLD_NETWORK_ADDRESS = "0x0000000000000000000000000000000000005002";
+var MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY = "0x6C8D7F768A6BB4AAFE85E8A2F5A9680355239C7E14646ED62B044E39DE154512";
+var MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY = "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d";
+var TFHE_RS_ZK_MAX_BITS = 2048;
+var TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT = BigInt(1 << 30);
+var TFHE_RS_KEY_VERSION = 2;
+
 // core/types.ts
 var FheUintUTypes = [
   2 /* Uint8 */,
@@ -209,7 +203,6 @@ var MAX_UINT32 = 4294967295n;
 var MAX_UINT64 = 18446744073709551615n;
 var MAX_UINT128 = 340282366920938463463374607431768211455n;
 var MAX_UINT160 = 1461501637330902918203684832716283019655932542975n;
-var MAX_ENCRYPTABLE_BITS = 2048;
 var zkPack = (items, builder) => {
   let totalBits = 0;
   for (const item of items) {
@@ -273,14 +266,14 @@ var zkPack = (items, builder) => {
       }
     }
   }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  if (totalBits > TFHE_RS_ZK_MAX_BITS) {
     throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      message: `Total bits ${totalBits} exceeds ${TFHE_RS_ZK_MAX_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${TFHE_RS_ZK_MAX_BITS}`,
       context: {
         totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
+        maxBits: TFHE_RS_ZK_MAX_BITS,
         items
       }
     });
@@ -299,7 +292,7 @@ var zkProve = async (builder, crs, metadata) => {
         1
         // ZkComputeLoad.Verify
       );
-      resolve(compactList.serialize());
+      resolve(compactList.safe_serialize(TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT));
     }, 0);
   });
 };
@@ -475,15 +468,6 @@ var MockZkVerifierAbi = [
   },
   { type: "error", name: "InvalidInputs", inputs: [] }
 ];
-
-// core/consts.ts
-var TASK_MANAGER_ADDRESS = "0xeA30c4B8b44078Bbf8a6ef5b9f1eC1626C7848D9";
-var MOCKS_ZK_VERIFIER_ADDRESS = "0x0000000000000000000000000000000000005001";
-var MOCKS_THRESHOLD_NETWORK_ADDRESS = "0x0000000000000000000000000000000000005002";
-var MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY = "0x6C8D7F768A6BB4AAFE85E8A2F5A9680355239C7E14646ED62B044E39DE154512";
-var MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY = "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d";
-
-// core/encrypt/cofheMocksZkVerifySign.ts
 function createMockZkVerifierSigner() {
   return viem.createWalletClient({
     chain: chains.hardhat,
@@ -525,14 +509,14 @@ async function cofheMocksCheckEncryptableBits(items) {
       }
     }
   }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  if (totalBits > TFHE_RS_ZK_MAX_BITS) {
     throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      message: `Total bits ${totalBits} exceeds ${TFHE_RS_ZK_MAX_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${TFHE_RS_ZK_MAX_BITS}`,
       context: {
         totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
+        maxBits: TFHE_RS_ZK_MAX_BITS,
         items
       }
     });
@@ -803,6 +787,7 @@ function getThresholdNetworkUrlOrThrow(config, chainId) {
   }
   return url;
 }
+var KEYSTORE_NAME = `cofhesdk-keys-v${TFHE_RS_KEY_VERSION}`;
 function isValidPersistedState(state) {
   if (state && typeof state === "object") {
     if ("fhe" in state && "crs" in state) {
@@ -857,7 +842,7 @@ function createKeysStore(storage) {
   };
   const clearKeysStorage = async () => {
     if (storage) {
-      await storage.removeItem("cofhesdk-keys");
+      await storage.removeItem(KEYSTORE_NAME);
     }
   };
   const rehydrateKeysStore = async () => {
@@ -887,7 +872,7 @@ function createStoreWithPersit(storage) {
         if (_error)
           throw new Error(`onRehydrateStorage: Error rehydrating keys store: ${_error}`);
       },
-      name: "cofhesdk-keys",
+      name: KEYSTORE_NAME,
       storage: middleware.createJSONStorage(() => storage),
       merge: (persistedState, currentState) => {
         const persisted = isValidPersistedState(persistedState) ? persistedState : DEFAULT_KEYS_STORE;
@@ -1612,7 +1597,7 @@ var SealingKey = class _SealingKey {
     const ephemPublicKey = parsedData.public_key instanceof Uint8Array ? parsedData.public_key : new Uint8Array(parsedData.public_key);
     const dataToDecrypt = parsedData.data instanceof Uint8Array ? parsedData.data : new Uint8Array(parsedData.data);
     const privateKeyBytes = fromHexString(this.privateKey);
-    const decryptedMessage = nacl__namespace.box.open(dataToDecrypt, nonce, ephemPublicKey, privateKeyBytes);
+    const decryptedMessage = nacl__default.default.box.open(dataToDecrypt, nonce, ephemPublicKey, privateKeyBytes);
     if (!decryptedMessage) {
       throw new Error("Failed to decrypt message");
     }
@@ -1645,9 +1630,9 @@ var SealingKey = class _SealingKey {
   static seal = (value, publicKey) => {
     isString(publicKey);
     isBigIntOrNumber(value);
-    const ephemeralKeyPair = nacl__namespace.box.keyPair();
-    const nonce = nacl__namespace.randomBytes(nacl__namespace.box.nonceLength);
-    const encryptedMessage = nacl__namespace.box(toBeArray(value), nonce, fromHexString(publicKey), ephemeralKeyPair.secretKey);
+    const ephemeralKeyPair = nacl__default.default.box.keyPair();
+    const nonce = nacl__default.default.randomBytes(nacl__default.default.box.nonceLength);
+    const encryptedMessage = nacl__default.default.box(toBeArray(value), nonce, fromHexString(publicKey), ephemeralKeyPair.secretKey);
     return {
       data: encryptedMessage,
       public_key: ephemeralKeyPair.publicKey,
@@ -1656,7 +1641,7 @@ var SealingKey = class _SealingKey {
   };
 };
 var GenerateSealingKey = () => {
-  const sodiumKeypair = nacl__namespace.box.keyPair();
+  const sodiumKeypair = nacl__default.default.box.keyPair();
   return new SealingKey(toHexString2(sodiumKeypair.secretKey), toHexString2(sodiumKeypair.publicKey));
 };
 var SerializedSealingPair = zod.z.object({
@@ -1814,9 +1799,9 @@ var ValidationUtils = {
     return false;
   },
   /**
-   * Overall validity checker of a permit
+   * Checks that a permit is signed and not expired.
    */
-  isValid: (permit) => {
+  isSignedAndNotExpired: (permit) => {
     if (ValidationUtils.isExpired(permit)) {
       return { valid: false, error: "expired" };
     }
@@ -1824,6 +1809,34 @@ var ValidationUtils = {
       return { valid: false, error: "not-signed" };
     }
     return { valid: true, error: null };
+  },
+  /**
+   * Asserts that a permit is signed and not expired.
+   *
+   * Throws `Error` with message:
+   * - `Permit is expired`
+   * - `Permit is not signed`
+   */
+  assertSignedAndNotExpired: (permit) => {
+    const result = ValidationUtils.isSignedAndNotExpired(permit);
+    if (result.valid)
+      return;
+    if (result.error === "expired") {
+      throw new Error("Permit is expired");
+    }
+    if (result.error === "not-signed") {
+      throw new Error("Permit is not signed");
+    }
+    throw new Error("Permit is invalid");
+  },
+  isValid: (permit) => {
+    const schema = permit.type === "self" ? SelfPermitValidator : permit.type === "sharing" ? SharingPermitValidator : permit.type === "recipient" ? ImportPermitValidator : null;
+    if (schema == null)
+      return { valid: false, error: "invalid-schema" };
+    const schemaResult = schema.safeParse(permit);
+    if (!schemaResult.success)
+      return { valid: false, error: "invalid-schema" };
+    return ValidationUtils.isSignedAndNotExpired(permit);
   }
 };
 
@@ -2205,9 +2218,9 @@ var PermitUtils = {
     };
   },
   /**
-   * Validate a permit
+   * Validate a permit (schema-level validation)
    */
-  validate: (permit) => {
+  validateSchema: (permit) => {
     if (permit.type === "self") {
       return validateSelfPermit(permit);
     } else if (permit.type === "sharing") {
@@ -2218,12 +2231,27 @@ var PermitUtils = {
       throw new Error("Invalid permit type");
     }
   },
+  /**
+   * Validate a permit (holistic validation).
+   *
+   * This validates:
+   * - Permit schema (shape + invariants)
+   * - Permit is signed
+   * - Permit is not expired
+   *
+   * For schema-only validation, use `validateSchema(permit)`.
+   */
+  validate: (permit) => {
+    const validated = PermitUtils.validateSchema(permit);
+    ValidationUtils.assertSignedAndNotExpired(validated);
+    return validated;
+  },
   /**
    * Get the permission object from a permit (for use in contracts)
    */
   getPermission: (permit, skipValidation = false) => {
     if (!skipValidation) {
-      PermitUtils.validate(permit);
+      PermitUtils.validateSchema(permit);
     }
     return {
       issuer: permit.issuer,
@@ -2289,8 +2317,17 @@ var PermitUtils = {
     return ValidationUtils.isSigned(permit);
   },
   /**
-   * Check if permit is valid
+   * Check if permit is signed and not expired
    */
+  isSignedAndNotExpired: (permit) => {
+    return ValidationUtils.isSignedAndNotExpired(permit);
+  },
+  /**
+   * Assert that permit is signed and not expired
+   */
+  assertSignedAndNotExpired: (permit) => {
+    return ValidationUtils.assertSignedAndNotExpired(permit);
+  },
   isValid: (permit) => {
     return ValidationUtils.isValid(permit);
   },
@@ -2468,6 +2505,9 @@ var importShared = async (options, publicClient, walletClient) => {
 var getHash = (permit) => {
   return PermitUtils.getHash(permit);
 };
+var exportShared = (permit) => {
+  return PermitUtils.export(permit);
+};
 var serialize = (permit) => {
   return PermitUtils.serialize(permit);
 };
@@ -2518,6 +2558,7 @@ var permits = {
   getOrCreateSelfPermit,
   getOrCreateSharingPermit,
   getHash,
+  export: exportShared,
   serialize,
   deserialize,
   getPermit: getPermit2,
@@ -2760,9 +2801,19 @@ async function cofheMocksDecryptForView(ctHash, utype, permit, publicClient) {
   return unsealed;
 }
 
+// core/decrypt/polling.ts
+function computeMinuteRampPollIntervalMs(elapsedMs, params) {
+  const elapsedSeconds = Math.floor(elapsedMs / 1e3);
+  const intervalSeconds = 1 + Math.floor(elapsedSeconds / 60);
+  const intervalMs = intervalSeconds * 1e3;
+  return Math.min(params.maxIntervalMs, Math.max(params.minIntervalMs, intervalMs));
+}
+
 // core/decrypt/tnSealOutputV2.ts
 var POLL_INTERVAL_MS = 1e3;
-var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+var POLL_MAX_INTERVAL_MS = 1e4;
+var SEAL_OUTPUT_TIMEOUT_MS = 5 * 60 * 1e3;
+var SUBMIT_RETRY_INTERVAL_MS = 1e3;
 function numberArrayToUint8Array(arr) {
   return new Uint8Array(arr);
 }
@@ -2779,93 +2830,193 @@ function convertSealedData(sealed) {
     nonce: numberArrayToUint8Array(sealed.nonce)
   };
 }
-async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission) {
-  const body = {
-    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
-    host_chain_id: chainId,
-    permit: permission
-  };
-  let response;
-  try {
-    response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(body)
-    });
-  } catch (e) {
-    throw new CofheError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `sealOutput request failed`,
-      hint: "Ensure the threshold network URL is valid and reachable.",
-      cause: e instanceof Error ? e : void 0,
-      context: {
-        thresholdNetworkUrl,
-        body
-      }
-    });
+function getSealedDataFromSubmitResponse(value) {
+  if (value.sealed)
+    return value.sealed;
+  if (Array.isArray(value.sealed_data) && Array.isArray(value.ephemeral_public_key) && Array.isArray(value.nonce)) {
+    return {
+      data: value.sealed_data,
+      public_key: value.ephemeral_public_key,
+      nonce: value.nonce
+    };
   }
-  if (!response.ok) {
-    let errorMessage = `HTTP ${response.status}`;
-    try {
-      const errorBody = await response.json();
-      errorMessage = errorBody.error_message || errorBody.message || errorMessage;
-    } catch {
-      errorMessage = response.statusText || errorMessage;
-    }
+  return void 0;
+}
+function parseCompletedSealOutputResponse(params) {
+  const { value, thresholdNetworkUrl, requestId } = params;
+  if (value.is_succeed === false) {
+    const errorMessage = value.error_message || "Unknown error";
     throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput request failed: ${errorMessage}`,
-      hint: "Check the threshold network URL and request parameters.",
       context: {
         thresholdNetworkUrl,
-        status: response.status,
-        statusText: response.statusText,
-        body
+        requestId,
+        response: value
       }
     });
   }
-  let submitResponse;
-  try {
-    submitResponse = await response.json();
-  } catch (e) {
+  const sealed = "sealed" in value ? value.sealed : getSealedDataFromSubmitResponse(value);
+  if (!sealed) {
     throw new CofheError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `Failed to parse sealOutput submit response`,
-      cause: e instanceof Error ? e : void 0,
+      code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
+      message: `sealOutput request completed but returned no sealed data`,
       context: {
         thresholdNetworkUrl,
-        body
+        requestId,
+        response: value
       }
     });
   }
-  if (!submitResponse.request_id) {
+  return convertSealedData(sealed);
+}
+async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission, overallStartTime, onPoll) {
+  const body = {
+    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
+    host_chain_id: chainId,
+    permit: permission
+  };
+  let attemptIndex = 0;
+  for (; ; ) {
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request failed: ${errorMessage}`,
+        hint: "Check the threshold network URL and request parameters.",
+        context: {
+          thresholdNetworkUrl,
+          status: response.status,
+          statusText: response.statusText,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    let submitResponse;
+    if (response.status !== 204) {
+      try {
+        submitResponse = await response.json();
+      } catch (e) {
+        throw new CofheError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `Failed to parse sealOutput submit response`,
+          cause: e instanceof Error ? e : void 0,
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex
+          }
+        });
+      }
+      if (getSealedDataFromSubmitResponse(submitResponse)) {
+        return {
+          kind: "completed",
+          sealed: parseCompletedSealOutputResponse({
+            value: submitResponse,
+            thresholdNetworkUrl,
+            requestId: submitResponse.request_id
+          })
+        };
+      }
+      if (submitResponse.request_id) {
+        return { kind: "request_id", requestId: submitResponse.request_id };
+      }
+    }
+    if (response.status === 204) {
+      const elapsedMs = Date.now() - overallStartTime;
+      if (elapsedMs > SEAL_OUTPUT_TIMEOUT_MS) {
+        throw new CofheError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `sealOutput submit retried without receiving request_id for ${SEAL_OUTPUT_TIMEOUT_MS}ms`,
+          hint: "The ciphertext may still be propagating. Try again later.",
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex,
+            timeoutMs: SEAL_OUTPUT_TIMEOUT_MS,
+            submitResponse,
+            status: response.status
+          }
+        });
+      }
+      onPoll?.({
+        operation: "sealoutput",
+        requestId: "",
+        attemptIndex,
+        elapsedMs,
+        intervalMs: SUBMIT_RETRY_INTERVAL_MS,
+        timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
+      });
+      await new Promise((resolve) => setTimeout(resolve, SUBMIT_RETRY_INTERVAL_MS));
+      attemptIndex += 1;
+      continue;
+    }
     throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput submit response missing request_id`,
       context: {
         thresholdNetworkUrl,
         body,
-        submitResponse
+        submitResponse,
+        attemptIndex
       }
     });
   }
-  return submitResponse.request_id;
 }
-async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
-  const startTime = Date.now();
-  let completed = false;
-  while (!completed) {
-    if (Date.now() - startTime > POLL_TIMEOUT_MS) {
+async function pollSealOutputStatus(thresholdNetworkUrl, requestId, overallStartTime, onPoll) {
+  let attemptIndex = 0;
+  while (true) {
+    const elapsedMs = Date.now() - overallStartTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS
+    });
+    onPoll?.({
+      operation: "sealoutput",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
+    });
+    if (elapsedMs > SEAL_OUTPUT_TIMEOUT_MS) {
       throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-        message: `sealOutput polling timed out after ${POLL_TIMEOUT_MS}ms`,
+        message: `sealOutput polling timed out after ${SEAL_OUTPUT_TIMEOUT_MS}ms`,
         hint: "The request may still be processing. Try again later.",
         context: {
           thresholdNetworkUrl,
           requestId,
-          timeoutMs: POLL_TIMEOUT_MS
+          timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
         }
       });
     }
@@ -2934,32 +3085,14 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
       });
     }
     if (statusResponse.status === "COMPLETED") {
-      if (statusResponse.is_succeed === false) {
-        const errorMessage = statusResponse.error_message || "Unknown error";
-        throw new CofheError({
-          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-          message: `sealOutput request failed: ${errorMessage}`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      if (!statusResponse.sealed) {
-        throw new CofheError({
-          code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
-          message: `sealOutput request completed but returned no sealed data`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      return convertSealedData(statusResponse.sealed);
+      return parseCompletedSealOutputResponse({
+        value: statusResponse,
+        thresholdNetworkUrl,
+        requestId
+      });
     }
-    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
   }
   throw new CofheError({
     code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
@@ -2970,9 +3103,21 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
     }
   });
 }
-async function tnSealOutputV2(ctHash, chainId, permission, thresholdNetworkUrl) {
-  const requestId = await submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission);
-  return await pollSealOutputStatus(thresholdNetworkUrl, requestId);
+async function tnSealOutputV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const overallStartTime = Date.now();
+  const submitResult = await submitSealOutputRequest(
+    thresholdNetworkUrl,
+    ctHash,
+    chainId,
+    permission,
+    overallStartTime,
+    onPoll
+  );
+  if (submitResult.kind === "completed") {
+    return submitResult.sealed;
+  }
+  return await pollSealOutputStatus(thresholdNetworkUrl, submitResult.requestId, overallStartTime, onPoll);
 }
 
 // core/decrypt/decryptForViewBuilder.ts
@@ -2981,6 +3126,7 @@ var DecryptForViewBuilder = class extends BaseBuilder {
   utype;
   permitHash;
   permit;
+  pollCallback;
   constructor(params) {
     super({
       config: params.config,
@@ -3037,6 +3183,10 @@ var DecryptForViewBuilder = class extends BaseBuilder {
   getAccount() {
     return this.account;
   }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
   withPermit(permitOrPermitHash) {
     if (typeof permitOrPermitHash === "string") {
       this.permitHash = permitOrPermitHash;
@@ -3160,7 +3310,13 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     this.assertPublicClient();
     const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
     const permission = PermitUtils.getPermission(permit, true);
-    const sealed = await tnSealOutputV2(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    const sealed = await tnSealOutputV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
     return PermitUtils.unseal(permit, sealed);
   }
   /**
@@ -3188,7 +3344,6 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     this.validateUtypeOrThrow();
     const permit = await this.getResolvedPermit();
     PermitUtils.validate(permit);
-    PermitUtils.isValid(permit);
     const chainId = permit._signedDomain.chainId;
     let unsealed;
     if (chainId === hardhat2.id) {
@@ -3199,6 +3354,9 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     return convertViaUtype(this.utype, unsealed);
   }
 };
+var UINT_TYPE_MASK = 0x7fn;
+var TYPE_BYTE_OFFSET = 8n;
+var getEncryptionTypeFromCtHash = (ctHash) => Number(ctHash >> TYPE_BYTE_OFFSET & UINT_TYPE_MASK);
 async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
   let allowed;
   let error;
@@ -3236,7 +3394,13 @@ async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
       message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`
     });
   }
-  const packed = viem.encodePacked(["uint256", "uint256"], [BigInt(ctHash), decryptedValue]);
+  const chainId = publicClient.chain?.id ?? await publicClient.getChainId();
+  const normalizedCtHash = BigInt(ctHash);
+  const encryptionType = getEncryptionTypeFromCtHash(normalizedCtHash);
+  const packed = viem.encodePacked(
+    ["uint256", "uint32", "uint64", "uint256"],
+    [decryptedValue, encryptionType, BigInt(chainId), normalizedCtHash]
+  );
   const messageHash = viem.keccak256(packed);
   const signature = await accounts.sign({
     hash: messageHash,
@@ -3308,7 +3472,9 @@ function parseDecryptedBytesToBigInt(decrypted) {
 
 // core/decrypt/tnDecryptV2.ts
 var POLL_INTERVAL_MS2 = 1e3;
-var POLL_TIMEOUT_MS2 = 5 * 60 * 1e3;
+var POLL_MAX_INTERVAL_MS2 = 1e4;
+var DECRYPT_TIMEOUT_MS = 5 * 60 * 1e3;
+var SUBMIT_RETRY_INTERVAL_MS2 = 1e3;
 function assertDecryptSubmitResponseV2(value) {
   if (value == null || typeof value !== "object") {
     throw new CofheError({
@@ -3320,16 +3486,65 @@ function assertDecryptSubmitResponseV2(value) {
     });
   }
   const v = value;
-  if (typeof v.request_id !== "string" || v.request_id.trim().length === 0) {
+  if (v.request_id !== null && typeof v.request_id !== "string") {
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: "decrypt submit response missing request_id",
+      message: "decrypt submit response has invalid request_id",
       context: {
         value
       }
     });
   }
-  return { request_id: v.request_id };
+  return {
+    request_id: v.request_id ?? null,
+    status: typeof v.status === "string" ? v.status : void 0,
+    is_succeed: typeof v.is_succeed === "boolean" ? v.is_succeed : void 0,
+    decrypted: Array.isArray(v.decrypted) ? v.decrypted : void 0,
+    signature: typeof v.signature === "string" ? v.signature : void 0,
+    encryption_type: typeof v.encryption_type === "number" ? v.encryption_type : void 0,
+    error_message: typeof v.error_message === "string" || v.error_message === null ? v.error_message : void 0,
+    message: typeof v.message === "string" ? v.message : void 0
+  };
+}
+function parseCompletedDecryptResponseV2(params) {
+  const { value, thresholdNetworkUrl, requestId } = params;
+  if (value.is_succeed === false) {
+    const errorMessage = value.error_message || "Unknown error";
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${errorMessage}`,
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
+    });
+  }
+  if (value.error_message) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${value.error_message}`,
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
+    });
+  }
+  if (!Array.isArray(value.decrypted)) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt completed but response missing <decrypted> byte array",
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
+    });
+  }
+  const decryptedValue = parseDecryptedBytesToBigInt(value.decrypted);
+  const signature = normalizeTnSignature(value.signature);
+  return { decryptedValue, signature };
 }
 function assertDecryptStatusResponseV2(value) {
   if (value == null || typeof value !== "object") {
@@ -3375,7 +3590,7 @@ function assertDecryptStatusResponseV2(value) {
   }
   return value;
 }
-async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission) {
+async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission, overallStartTime, onPoll) {
   const body = {
     ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
     host_chain_id: chainId
@@ -3383,79 +3598,151 @@ async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, perm
   if (permission) {
     body.permit = permission;
   }
-  let response;
-  try {
-    response = await fetch(`${thresholdNetworkUrl}/v2/decrypt`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(body)
-    });
-  } catch (e) {
-    throw new CofheError({
-      code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `decrypt request failed`,
-      hint: "Ensure the threshold network URL is valid and reachable.",
-      cause: e instanceof Error ? e : void 0,
-      context: {
-        thresholdNetworkUrl,
-        body
-      }
-    });
-  }
-  if (!response.ok) {
-    let errorMessage = `HTTP ${response.status}`;
+  let attemptIndex = 0;
+  for (; ; ) {
+    let response;
     try {
-      const errorBody = await response.json();
-      const maybeMessage = errorBody.error_message || errorBody.message;
-      if (typeof maybeMessage === "string" && maybeMessage.length > 0)
-        errorMessage = maybeMessage;
-    } catch {
-      errorMessage = response.statusText || errorMessage;
+      response = await fetch(`${thresholdNetworkUrl}/v2/decrypt`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          body,
+          attemptIndex
+        }
+      });
     }
-    throw new CofheError({
-      code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `decrypt request failed: ${errorMessage}`,
-      hint: "Check the threshold network URL and request parameters.",
-      context: {
-        thresholdNetworkUrl,
-        status: response.status,
-        statusText: response.statusText,
-        body
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        const maybeMessage = errorBody.error_message || errorBody.message;
+        if (typeof maybeMessage === "string" && maybeMessage.length > 0)
+          errorMessage = maybeMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
       }
-    });
-  }
-  let rawJson;
-  try {
-    rawJson = await response.json();
-  } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request failed: ${errorMessage}`,
+        hint: "Check the threshold network URL and request parameters.",
+        context: {
+          thresholdNetworkUrl,
+          status: response.status,
+          statusText: response.statusText,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    let submitResponse;
+    if (response.status !== 204) {
+      let rawJson;
+      try {
+        rawJson = await response.json();
+      } catch (e) {
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `Failed to parse decrypt submit response`,
+          cause: e instanceof Error ? e : void 0,
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex
+          }
+        });
+      }
+      submitResponse = assertDecryptSubmitResponseV2(rawJson);
+      if (Array.isArray(submitResponse.decrypted) && typeof submitResponse.signature === "string") {
+        return {
+          kind: "completed",
+          ...parseCompletedDecryptResponseV2({
+            value: submitResponse,
+            thresholdNetworkUrl,
+            requestId: submitResponse.request_id
+          })
+        };
+      }
+      if (submitResponse.request_id) {
+        return { kind: "request_id", requestId: submitResponse.request_id };
+      }
+    }
+    if (response.status === 204) {
+      const elapsedMs = Date.now() - overallStartTime;
+      if (elapsedMs > DECRYPT_TIMEOUT_MS) {
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `decrypt submit retried without receiving request_id for ${DECRYPT_TIMEOUT_MS}ms`,
+          hint: "The ciphertext may still be propagating. Try again later.",
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex,
+            timeoutMs: DECRYPT_TIMEOUT_MS,
+            submitResponse,
+            status: response.status
+          }
+        });
+      }
+      onPoll?.({
+        operation: "decrypt",
+        requestId: "",
+        attemptIndex,
+        elapsedMs,
+        intervalMs: SUBMIT_RETRY_INTERVAL_MS2,
+        timeoutMs: DECRYPT_TIMEOUT_MS
+      });
+      await new Promise((resolve) => setTimeout(resolve, SUBMIT_RETRY_INTERVAL_MS2));
+      attemptIndex += 1;
+      continue;
+    }
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `Failed to parse decrypt submit response`,
-      cause: e instanceof Error ? e : void 0,
+      message: `decrypt submit response missing request_id`,
       context: {
         thresholdNetworkUrl,
-        body
+        body,
+        submitResponse,
+        attemptIndex
       }
     });
   }
-  const submitResponse = assertDecryptSubmitResponseV2(rawJson);
-  return submitResponse.request_id;
 }
-async function pollDecryptStatusV2(thresholdNetworkUrl, requestId) {
-  const startTime = Date.now();
-  let completed = false;
-  while (!completed) {
-    if (Date.now() - startTime > POLL_TIMEOUT_MS2) {
+async function pollDecryptStatusV2(thresholdNetworkUrl, requestId, overallStartTime, onPoll) {
+  let attemptIndex = 0;
+  while (true) {
+    const elapsedMs = Date.now() - overallStartTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS2,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS2
+    });
+    onPoll?.({
+      operation: "decrypt",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: DECRYPT_TIMEOUT_MS
+    });
+    if (elapsedMs > DECRYPT_TIMEOUT_MS) {
       throw new CofheError({
         code: "DECRYPT_FAILED" /* DecryptFailed */,
-        message: `decrypt polling timed out after ${POLL_TIMEOUT_MS2}ms`,
+        message: `decrypt polling timed out after ${DECRYPT_TIMEOUT_MS}ms`,
         hint: "The request may still be processing. Try again later.",
         context: {
           thresholdNetworkUrl,
           requestId,
-          timeoutMs: POLL_TIMEOUT_MS2
+          timeoutMs: DECRYPT_TIMEOUT_MS
         }
       });
     }
@@ -3527,45 +3814,14 @@ async function pollDecryptStatusV2(thresholdNetworkUrl, requestId) {
     }
     const statusResponse = assertDecryptStatusResponseV2(rawJson);
     if (statusResponse.status === "COMPLETED") {
-      if (statusResponse.is_succeed === false) {
-        const errorMessage = statusResponse.error_message || "Unknown error";
-        throw new CofheError({
-          code: "DECRYPT_FAILED" /* DecryptFailed */,
-          message: `decrypt request failed: ${errorMessage}`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      if (statusResponse.error_message) {
-        throw new CofheError({
-          code: "DECRYPT_FAILED" /* DecryptFailed */,
-          message: `decrypt request failed: ${statusResponse.error_message}`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      if (!Array.isArray(statusResponse.decrypted)) {
-        throw new CofheError({
-          code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
-          message: "decrypt completed but response missing <decrypted> byte array",
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      const decryptedValue = parseDecryptedBytesToBigInt(statusResponse.decrypted);
-      const signature = normalizeTnSignature(statusResponse.signature);
-      return { decryptedValue, signature };
+      return parseCompletedDecryptResponseV2({
+        value: statusResponse,
+        thresholdNetworkUrl,
+        requestId
+      });
     }
-    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS2));
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
   }
   throw new CofheError({
     code: "DECRYPT_FAILED" /* DecryptFailed */,
@@ -3576,9 +3832,21 @@ async function pollDecryptStatusV2(thresholdNetworkUrl, requestId) {
     }
   });
 }
-async function tnDecryptV2(ctHash, chainId, permission, thresholdNetworkUrl) {
-  const requestId = await submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission);
-  return await pollDecryptStatusV2(thresholdNetworkUrl, requestId);
+async function tnDecryptV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const overallStartTime = Date.now();
+  const submitResult = await submitDecryptRequestV2(
+    thresholdNetworkUrl,
+    ctHash,
+    chainId,
+    permission,
+    overallStartTime,
+    onPoll
+  );
+  if (submitResult.kind === "completed") {
+    return submitResult;
+  }
+  return await pollDecryptStatusV2(thresholdNetworkUrl, submitResult.requestId, overallStartTime, onPoll);
 }
 
 // core/decrypt/decryptForTxBuilder.ts
@@ -3587,6 +3855,7 @@ var DecryptForTxBuilder = class extends BaseBuilder {
   permitHash;
   permit;
   permitSelection = "unset";
+  pollCallback;
   constructor(params) {
     super({
       config: params.config,
@@ -3612,6 +3881,10 @@ var DecryptForTxBuilder = class extends BaseBuilder {
   getAccount() {
     return this.account;
   }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
   withPermit(permitOrPermitHash) {
     if (this.permitSelection === "with-permit") {
       throw new CofheError({
@@ -3739,7 +4012,13 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     this.assertPublicClient();
     const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
     const permission = permit ? PermitUtils.getPermission(permit, true) : null;
-    const { decryptedValue, signature } = await tnDecryptV2(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    const { decryptedValue, signature } = await tnDecryptV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
     return {
       ctHash: this.ctHash,
       decryptedValue,
@@ -3757,7 +4036,6 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     const permit = await this.getResolvedPermit();
     if (permit !== null) {
       PermitUtils.validate(permit);
-      PermitUtils.isValid(permit);
       const chainId = permit._signedDomain.chainId;
       if (chainId === hardhat2.id) {
         return await this.mocksDecryptForTx(permit);
@@ -3778,6 +4056,35 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     }
   }
 };
+var decryptResultSignerAbi = viem.parseAbi(["function decryptResultSigner() view returns (address)"]);
+var UINT_TYPE_MASK2 = 0x7fn;
+var TYPE_BYTE_OFFSET2 = 8n;
+var getEncryptionTypeFromCtHash2 = (ctHash) => Number(ctHash >> TYPE_BYTE_OFFSET2 & UINT_TYPE_MASK2);
+var buildDecryptResultHash = (ctHash, cleartext, chainId) => {
+  const encryptionType = getEncryptionTypeFromCtHash2(ctHash);
+  return viem.keccak256(
+    viem.encodePacked(["uint256", "uint32", "uint64", "uint256"], [cleartext, encryptionType, BigInt(chainId), ctHash])
+  );
+};
+async function verifyDecryptResult(handle, cleartext, signature, publicClient) {
+  const chainId = publicClient.chain?.id ?? await publicClient.getChainId();
+  const expectedSigner = await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: decryptResultSignerAbi,
+    functionName: "decryptResultSigner",
+    args: []
+  });
+  if (viem.isAddressEqual(expectedSigner, viem.zeroAddress))
+    return true;
+  const ctHash = BigInt(handle);
+  const messageHash = buildDecryptResultHash(ctHash, cleartext, chainId);
+  try {
+    const recovered = await viem.recoverAddress({ hash: messageHash, signature });
+    return viem.isAddressEqual(recovered, expectedSigner);
+  } catch {
+    return false;
+  }
+}
 
 // core/client.ts
 var InitialConnectStore = {
@@ -3896,6 +4203,11 @@ function createCofheClientBase(opts) {
       requireConnected: _requireConnected
     });
   }
+  function verifyDecryptResult2(handle, cleartext, signature) {
+    _requireConnected();
+    const { publicClient } = connectStore.getState();
+    return verifyDecryptResult(handle, cleartext, signature, publicClient);
+  }
   const _getChainIdAndAccount = (chainId, account) => {
     const state = connectStore.getState();
     const _chainId = chainId ?? state.chainId;
@@ -3978,6 +4290,7 @@ function createCofheClientBase(opts) {
     },
     // Utils (no context needed)
     getHash: permits.getHash,
+    export: permits.export,
     serialize: permits.serialize,
     deserialize: permits.deserialize
   };
@@ -4006,6 +4319,7 @@ function createCofheClientBase(opts) {
      */
     decryptHandle: decryptForView,
     decryptForTx,
+    verifyDecryptResult: verifyDecryptResult2,
     permits: clientPermits
     // Add SDK-specific methods below that require connection
     // Example:
@@ -4069,16 +4383,22 @@ var fromHexString2 = (hexString) => {
     return new Uint8Array();
   return new Uint8Array(arr.map((byte) => parseInt(byte, 16)));
 };
+var _deserializeTfhePublicKey = (buff) => {
+  return nodeTfhe.TfheCompactPublicKey.safe_deserialize(fromHexString2(buff), TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT);
+};
+var _deserializeCompactPkeCrs = (buff) => {
+  return nodeTfhe.CompactPkeCrs.safe_deserialize(fromHexString2(buff), TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT);
+};
 var tfhePublicKeyDeserializer = (buff) => {
-  nodeTfhe.TfheCompactPublicKey.deserialize(fromHexString2(buff));
+  _deserializeTfhePublicKey(buff);
 };
 var compactPkeCrsDeserializer = (buff) => {
-  nodeTfhe.CompactPkeCrs.deserialize(fromHexString2(buff));
+  _deserializeCompactPkeCrs(buff);
 };
 var zkBuilderAndCrsGenerator = (fhe, crs) => {
-  const fhePublicKey = nodeTfhe.TfheCompactPublicKey.deserialize(fromHexString2(fhe));
+  const fhePublicKey = _deserializeTfhePublicKey(fhe);
   const zkBuilder = nodeTfhe.ProvenCompactCiphertextList.builder(fhePublicKey);
-  const zkCrs = nodeTfhe.CompactPkeCrs.deserialize(fromHexString2(crs));
+  const zkCrs = _deserializeCompactPkeCrs(crs);
   return { zkBuilder, zkCrs };
 };
 function createCofheConfig(config) {