@cofhe/sdk 0.4.0 → 0.5.1

package/dist/{chunk-MXND5SVN.js → chunk-S7OKGLFD.js}

@@ -1,7 +1,8 @@
 import { hardhat as hardhat$1 } from './chunk-TBLR7NNE.js';
-import { permitStore, PermitUtils, MOCKS_THRESHOLD_NETWORK_ADDRESS, MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY, MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY, MOCKS_ZK_VERIFIER_ADDRESS } from './chunk-NWDKXBIP.js';
+import { permitStore, PermitUtils } from './chunk-MRCKUMOS.js';
+import { TFHE_RS_KEY_VERSION, TASK_MANAGER_ADDRESS, TFHE_RS_ZK_MAX_BITS, TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT, MOCKS_THRESHOLD_NETWORK_ADDRESS, MOCKS_DECRYPT_RESULT_SIGNER_PRIVATE_KEY, MOCKS_ZK_VERIFIER_SIGNER_PRIVATE_KEY, MOCKS_ZK_VERIFIER_ADDRESS } from './chunk-4FP4V35O.js';
 import { createStore } from 'zustand/vanilla';
-import { encodePacked, keccak256, createWalletClient, http, getAddress, parseSignature, serializeSignature } from 'viem';
+import { parseAbi, isAddressEqual, zeroAddress, recoverAddress, encodePacked, keccak256, createWalletClient, http, getAddress, parseSignature, serializeSignature } from 'viem';
 import { hardhat } from 'viem/chains';
 import { sign, privateKeyToAccount } from 'viem/accounts';
 import { z } from 'zod';
@@ -372,7 +373,6 @@ var MAX_UINT32 = 4294967295n;
 var MAX_UINT64 = 18446744073709551615n;
 var MAX_UINT128 = 340282366920938463463374607431768211455n;
 var MAX_UINT160 = 1461501637330902918203684832716283019655932542975n;
-var MAX_ENCRYPTABLE_BITS = 2048;
 var zkPack = (items, builder) => {
   let totalBits = 0;
   for (const item of items) {
@@ -436,14 +436,14 @@ var zkPack = (items, builder) => {
       }
     }
   }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  if (totalBits > TFHE_RS_ZK_MAX_BITS) {
     throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      message: `Total bits ${totalBits} exceeds ${TFHE_RS_ZK_MAX_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${TFHE_RS_ZK_MAX_BITS}`,
       context: {
         totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
+        maxBits: TFHE_RS_ZK_MAX_BITS,
         items
       }
     });
@@ -462,7 +462,7 @@ var zkProve = async (builder, crs, metadata) => {
         1
         // ZkComputeLoad.Verify
       );
-      resolve(compactList.serialize());
+      resolve(compactList.safe_serialize(TFHE_RS_SAFE_SERIALIZATION_SIZE_LIMIT));
     }, 0);
   });
 };
@@ -679,14 +679,14 @@ async function cofheMocksCheckEncryptableBits(items) {
       }
     }
   }
-  if (totalBits > MAX_ENCRYPTABLE_BITS) {
+  if (totalBits > TFHE_RS_ZK_MAX_BITS) {
     throw new CofheError({
       code: "ZK_PACK_FAILED" /* ZkPackFailed */,
-      message: `Total bits ${totalBits} exceeds ${MAX_ENCRYPTABLE_BITS}`,
-      hint: `Ensure that the total bits of the items to encrypt does not exceed ${MAX_ENCRYPTABLE_BITS}`,
+      message: `Total bits ${totalBits} exceeds ${TFHE_RS_ZK_MAX_BITS}`,
+      hint: `Ensure that the total bits of the items to encrypt does not exceed ${TFHE_RS_ZK_MAX_BITS}`,
       context: {
         totalBits,
-        maxBits: MAX_ENCRYPTABLE_BITS,
+        maxBits: TFHE_RS_ZK_MAX_BITS,
         items
       }
     });
@@ -924,6 +924,7 @@ function getThresholdNetworkUrlOrThrow(config, chainId) {
   }
   return url;
 }
+var KEYSTORE_NAME = `cofhesdk-keys-v${TFHE_RS_KEY_VERSION}`;
 function isValidPersistedState(state) {
   if (state && typeof state === "object") {
     if ("fhe" in state && "crs" in state) {
@@ -978,7 +979,7 @@ function createKeysStore(storage) {
   };
   const clearKeysStorage = async () => {
     if (storage) {
-      await storage.removeItem("cofhesdk-keys");
+      await storage.removeItem(KEYSTORE_NAME);
     }
   };
   const rehydrateKeysStore = async () => {
@@ -1008,7 +1009,7 @@ function createStoreWithPersit(storage) {
         if (_error)
           throw new Error(`onRehydrateStorage: Error rehydrating keys store: ${_error}`);
       },
-      name: "cofhesdk-keys",
+      name: KEYSTORE_NAME,
       storage: createJSONStorage(() => storage),
       merge: (persistedState, currentState) => {
         const persisted = isValidPersistedState(persistedState) ? persistedState : DEFAULT_KEYS_STORE;
@@ -1672,6 +1673,9 @@ var importShared = async (options, publicClient, walletClient) => {
 var getHash = (permit) => {
   return PermitUtils.getHash(permit);
 };
+var exportShared = (permit) => {
+  return PermitUtils.export(permit);
+};
 var serialize = (permit) => {
   return PermitUtils.serialize(permit);
 };
@@ -1722,6 +1726,7 @@ var permits = {
   getOrCreateSelfPermit,
   getOrCreateSharingPermit,
   getHash,
+  export: exportShared,
   serialize,
   deserialize,
   getPermit,
@@ -1964,9 +1969,19 @@ async function cofheMocksDecryptForView(ctHash, utype, permit, publicClient) {
   return unsealed;
 }
 
+// core/decrypt/polling.ts
+function computeMinuteRampPollIntervalMs(elapsedMs, params) {
+  const elapsedSeconds = Math.floor(elapsedMs / 1e3);
+  const intervalSeconds = 1 + Math.floor(elapsedSeconds / 60);
+  const intervalMs = intervalSeconds * 1e3;
+  return Math.min(params.maxIntervalMs, Math.max(params.minIntervalMs, intervalMs));
+}
+
 // core/decrypt/tnSealOutputV2.ts
 var POLL_INTERVAL_MS = 1e3;
-var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+var POLL_MAX_INTERVAL_MS = 1e4;
+var SEAL_OUTPUT_TIMEOUT_MS = 5 * 60 * 1e3;
+var SUBMIT_RETRY_INTERVAL_MS = 1e3;
 function numberArrayToUint8Array(arr) {
   return new Uint8Array(arr);
 }
@@ -1983,93 +1998,193 @@ function convertSealedData(sealed) {
     nonce: numberArrayToUint8Array(sealed.nonce)
   };
 }
-async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission) {
-  const body = {
-    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
-    host_chain_id: chainId,
-    permit: permission
-  };
-  let response;
-  try {
-    response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(body)
-    });
-  } catch (e) {
-    throw new CofheError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `sealOutput request failed`,
-      hint: "Ensure the threshold network URL is valid and reachable.",
-      cause: e instanceof Error ? e : void 0,
-      context: {
-        thresholdNetworkUrl,
-        body
-      }
-    });
+function getSealedDataFromSubmitResponse(value) {
+  if (value.sealed)
+    return value.sealed;
+  if (Array.isArray(value.sealed_data) && Array.isArray(value.ephemeral_public_key) && Array.isArray(value.nonce)) {
+    return {
+      data: value.sealed_data,
+      public_key: value.ephemeral_public_key,
+      nonce: value.nonce
+    };
   }
-  if (!response.ok) {
-    let errorMessage = `HTTP ${response.status}`;
-    try {
-      const errorBody = await response.json();
-      errorMessage = errorBody.error_message || errorBody.message || errorMessage;
-    } catch {
-      errorMessage = response.statusText || errorMessage;
-    }
+  return void 0;
+}
+function parseCompletedSealOutputResponse(params) {
+  const { value, thresholdNetworkUrl, requestId } = params;
+  if (value.is_succeed === false) {
+    const errorMessage = value.error_message || "Unknown error";
     throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput request failed: ${errorMessage}`,
-      hint: "Check the threshold network URL and request parameters.",
       context: {
         thresholdNetworkUrl,
-        status: response.status,
-        statusText: response.statusText,
-        body
+        requestId,
+        response: value
       }
     });
   }
-  let submitResponse;
-  try {
-    submitResponse = await response.json();
-  } catch (e) {
+  const sealed = "sealed" in value ? value.sealed : getSealedDataFromSubmitResponse(value);
+  if (!sealed) {
     throw new CofheError({
-      code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-      message: `Failed to parse sealOutput submit response`,
-      cause: e instanceof Error ? e : void 0,
+      code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
+      message: `sealOutput request completed but returned no sealed data`,
       context: {
         thresholdNetworkUrl,
-        body
+        requestId,
+        response: value
       }
     });
   }
-  if (!submitResponse.request_id) {
+  return convertSealedData(sealed);
+}
+async function submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission, overallStartTime, onPoll) {
+  const body = {
+    ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
+    host_chain_id: chainId,
+    permit: permission
+  };
+  let attemptIndex = 0;
+  for (; ; ) {
+    let response;
+    try {
+      response = await fetch(`${thresholdNetworkUrl}/v2/sealoutput`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        errorMessage = errorBody.error_message || errorBody.message || errorMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
+      }
+      throw new CofheError({
+        code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+        message: `sealOutput request failed: ${errorMessage}`,
+        hint: "Check the threshold network URL and request parameters.",
+        context: {
+          thresholdNetworkUrl,
+          status: response.status,
+          statusText: response.statusText,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    let submitResponse;
+    if (response.status !== 204) {
+      try {
+        submitResponse = await response.json();
+      } catch (e) {
+        throw new CofheError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `Failed to parse sealOutput submit response`,
+          cause: e instanceof Error ? e : void 0,
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex
+          }
+        });
+      }
+      if (getSealedDataFromSubmitResponse(submitResponse)) {
+        return {
+          kind: "completed",
+          sealed: parseCompletedSealOutputResponse({
+            value: submitResponse,
+            thresholdNetworkUrl,
+            requestId: submitResponse.request_id
+          })
+        };
+      }
+      if (submitResponse.request_id) {
+        return { kind: "request_id", requestId: submitResponse.request_id };
+      }
+    }
+    if (response.status === 204) {
+      const elapsedMs = Date.now() - overallStartTime;
+      if (elapsedMs > SEAL_OUTPUT_TIMEOUT_MS) {
+        throw new CofheError({
+          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
+          message: `sealOutput submit retried without receiving request_id for ${SEAL_OUTPUT_TIMEOUT_MS}ms`,
+          hint: "The ciphertext may still be propagating. Try again later.",
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex,
+            timeoutMs: SEAL_OUTPUT_TIMEOUT_MS,
+            submitResponse,
+            status: response.status
+          }
+        });
+      }
+      onPoll?.({
+        operation: "sealoutput",
+        requestId: "",
+        attemptIndex,
+        elapsedMs,
+        intervalMs: SUBMIT_RETRY_INTERVAL_MS,
+        timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
+      });
+      await new Promise((resolve) => setTimeout(resolve, SUBMIT_RETRY_INTERVAL_MS));
+      attemptIndex += 1;
+      continue;
+    }
     throw new CofheError({
       code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
       message: `sealOutput submit response missing request_id`,
       context: {
         thresholdNetworkUrl,
         body,
-        submitResponse
+        submitResponse,
+        attemptIndex
       }
     });
   }
-  return submitResponse.request_id;
 }
-async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
-  const startTime = Date.now();
-  let completed = false;
-  while (!completed) {
-    if (Date.now() - startTime > POLL_TIMEOUT_MS) {
+async function pollSealOutputStatus(thresholdNetworkUrl, requestId, overallStartTime, onPoll) {
+  let attemptIndex = 0;
+  while (true) {
+    const elapsedMs = Date.now() - overallStartTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS
+    });
+    onPoll?.({
+      operation: "sealoutput",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
+    });
+    if (elapsedMs > SEAL_OUTPUT_TIMEOUT_MS) {
       throw new CofheError({
         code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-        message: `sealOutput polling timed out after ${POLL_TIMEOUT_MS}ms`,
+        message: `sealOutput polling timed out after ${SEAL_OUTPUT_TIMEOUT_MS}ms`,
         hint: "The request may still be processing. Try again later.",
         context: {
           thresholdNetworkUrl,
           requestId,
-          timeoutMs: POLL_TIMEOUT_MS
+          timeoutMs: SEAL_OUTPUT_TIMEOUT_MS
         }
       });
     }
@@ -2138,32 +2253,14 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
       });
     }
     if (statusResponse.status === "COMPLETED") {
-      if (statusResponse.is_succeed === false) {
-        const errorMessage = statusResponse.error_message || "Unknown error";
-        throw new CofheError({
-          code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
-          message: `sealOutput request failed: ${errorMessage}`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      if (!statusResponse.sealed) {
-        throw new CofheError({
-          code: "SEAL_OUTPUT_RETURNED_NULL" /* SealOutputReturnedNull */,
-          message: `sealOutput request completed but returned no sealed data`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      return convertSealedData(statusResponse.sealed);
+      return parseCompletedSealOutputResponse({
+        value: statusResponse,
+        thresholdNetworkUrl,
+        requestId
+      });
     }
-    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
   }
   throw new CofheError({
     code: "SEAL_OUTPUT_FAILED" /* SealOutputFailed */,
@@ -2174,9 +2271,21 @@ async function pollSealOutputStatus(thresholdNetworkUrl, requestId) {
     }
   });
 }
-async function tnSealOutputV2(ctHash, chainId, permission, thresholdNetworkUrl) {
-  const requestId = await submitSealOutputRequest(thresholdNetworkUrl, ctHash, chainId, permission);
-  return await pollSealOutputStatus(thresholdNetworkUrl, requestId);
+async function tnSealOutputV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const overallStartTime = Date.now();
+  const submitResult = await submitSealOutputRequest(
+    thresholdNetworkUrl,
+    ctHash,
+    chainId,
+    permission,
+    overallStartTime,
+    onPoll
+  );
+  if (submitResult.kind === "completed") {
+    return submitResult.sealed;
+  }
+  return await pollSealOutputStatus(thresholdNetworkUrl, submitResult.requestId, overallStartTime, onPoll);
 }
 
 // core/decrypt/decryptForViewBuilder.ts
@@ -2185,6 +2294,7 @@ var DecryptForViewBuilder = class extends BaseBuilder {
   utype;
   permitHash;
   permit;
+  pollCallback;
   constructor(params) {
     super({
       config: params.config,
@@ -2241,6 +2351,10 @@ var DecryptForViewBuilder = class extends BaseBuilder {
   getAccount() {
     return this.account;
   }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
   withPermit(permitOrPermitHash) {
     if (typeof permitOrPermitHash === "string") {
       this.permitHash = permitOrPermitHash;
@@ -2364,7 +2478,13 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     this.assertPublicClient();
     const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
     const permission = PermitUtils.getPermission(permit, true);
-    const sealed = await tnSealOutputV2(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    const sealed = await tnSealOutputV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
     return PermitUtils.unseal(permit, sealed);
   }
   /**
@@ -2392,7 +2512,6 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     this.validateUtypeOrThrow();
     const permit = await this.getResolvedPermit();
     PermitUtils.validate(permit);
-    PermitUtils.isValid(permit);
     const chainId = permit._signedDomain.chainId;
     let unsealed;
     if (chainId === hardhat$1.id) {
@@ -2403,6 +2522,9 @@ var DecryptForViewBuilder = class extends BaseBuilder {
     return convertViaUtype(this.utype, unsealed);
   }
 };
+var UINT_TYPE_MASK = 0x7fn;
+var TYPE_BYTE_OFFSET = 8n;
+var getEncryptionTypeFromCtHash = (ctHash) => Number(ctHash >> TYPE_BYTE_OFFSET & UINT_TYPE_MASK);
 async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
   let allowed;
   let error;
@@ -2440,7 +2562,13 @@ async function cofheMocksDecryptForTx(ctHash, utype, permit, publicClient) {
       message: `mocks decryptForTx call failed: ACL Access Denied (NotAllowed)`
     });
   }
-  const packed = encodePacked(["uint256", "uint256"], [BigInt(ctHash), decryptedValue]);
+  const chainId = publicClient.chain?.id ?? await publicClient.getChainId();
+  const normalizedCtHash = BigInt(ctHash);
+  const encryptionType = getEncryptionTypeFromCtHash(normalizedCtHash);
+  const packed = encodePacked(
+    ["uint256", "uint32", "uint64", "uint256"],
+    [decryptedValue, encryptionType, BigInt(chainId), normalizedCtHash]
+  );
   const messageHash = keccak256(packed);
   const signature = await sign({
     hash: messageHash,
@@ -2512,7 +2640,9 @@ function parseDecryptedBytesToBigInt(decrypted) {
 
 // core/decrypt/tnDecryptV2.ts
 var POLL_INTERVAL_MS2 = 1e3;
-var POLL_TIMEOUT_MS2 = 5 * 60 * 1e3;
+var POLL_MAX_INTERVAL_MS2 = 1e4;
+var DECRYPT_TIMEOUT_MS = 5 * 60 * 1e3;
+var SUBMIT_RETRY_INTERVAL_MS2 = 1e3;
 function assertDecryptSubmitResponseV2(value) {
   if (value == null || typeof value !== "object") {
     throw new CofheError({
@@ -2524,16 +2654,65 @@ function assertDecryptSubmitResponseV2(value) {
     });
   }
   const v = value;
-  if (typeof v.request_id !== "string" || v.request_id.trim().length === 0) {
+  if (v.request_id !== null && typeof v.request_id !== "string") {
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: "decrypt submit response missing request_id",
+      message: "decrypt submit response has invalid request_id",
       context: {
         value
       }
     });
   }
-  return { request_id: v.request_id };
+  return {
+    request_id: v.request_id ?? null,
+    status: typeof v.status === "string" ? v.status : void 0,
+    is_succeed: typeof v.is_succeed === "boolean" ? v.is_succeed : void 0,
+    decrypted: Array.isArray(v.decrypted) ? v.decrypted : void 0,
+    signature: typeof v.signature === "string" ? v.signature : void 0,
+    encryption_type: typeof v.encryption_type === "number" ? v.encryption_type : void 0,
+    error_message: typeof v.error_message === "string" || v.error_message === null ? v.error_message : void 0,
+    message: typeof v.message === "string" ? v.message : void 0
+  };
+}
+function parseCompletedDecryptResponseV2(params) {
+  const { value, thresholdNetworkUrl, requestId } = params;
+  if (value.is_succeed === false) {
+    const errorMessage = value.error_message || "Unknown error";
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${errorMessage}`,
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
+    });
+  }
+  if (value.error_message) {
+    throw new CofheError({
+      code: "DECRYPT_FAILED" /* DecryptFailed */,
+      message: `decrypt request failed: ${value.error_message}`,
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
+    });
+  }
+  if (!Array.isArray(value.decrypted)) {
+    throw new CofheError({
+      code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
+      message: "decrypt completed but response missing <decrypted> byte array",
+      context: {
+        thresholdNetworkUrl,
+        requestId,
+        response: value
+      }
+    });
+  }
+  const decryptedValue = parseDecryptedBytesToBigInt(value.decrypted);
+  const signature = normalizeTnSignature(value.signature);
+  return { decryptedValue, signature };
 }
 function assertDecryptStatusResponseV2(value) {
   if (value == null || typeof value !== "object") {
@@ -2579,7 +2758,7 @@ function assertDecryptStatusResponseV2(value) {
   }
   return value;
 }
-async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission) {
+async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission, overallStartTime, onPoll) {
   const body = {
     ct_tempkey: BigInt(ctHash).toString(16).padStart(64, "0"),
     host_chain_id: chainId
@@ -2587,79 +2766,151 @@ async function submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, perm
   if (permission) {
     body.permit = permission;
   }
-  let response;
-  try {
-    response = await fetch(`${thresholdNetworkUrl}/v2/decrypt`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(body)
-    });
-  } catch (e) {
-    throw new CofheError({
-      code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `decrypt request failed`,
-      hint: "Ensure the threshold network URL is valid and reachable.",
-      cause: e instanceof Error ? e : void 0,
-      context: {
-        thresholdNetworkUrl,
-        body
-      }
-    });
-  }
-  if (!response.ok) {
-    let errorMessage = `HTTP ${response.status}`;
+  let attemptIndex = 0;
+  for (; ; ) {
+    let response;
     try {
-      const errorBody = await response.json();
-      const maybeMessage = errorBody.error_message || errorBody.message;
-      if (typeof maybeMessage === "string" && maybeMessage.length > 0)
-        errorMessage = maybeMessage;
-    } catch {
-      errorMessage = response.statusText || errorMessage;
+      response = await fetch(`${thresholdNetworkUrl}/v2/decrypt`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+    } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request failed`,
+        hint: "Ensure the threshold network URL is valid and reachable.",
+        cause: e instanceof Error ? e : void 0,
+        context: {
+          thresholdNetworkUrl,
+          body,
+          attemptIndex
+        }
+      });
     }
-    throw new CofheError({
-      code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `decrypt request failed: ${errorMessage}`,
-      hint: "Check the threshold network URL and request parameters.",
-      context: {
-        thresholdNetworkUrl,
-        status: response.status,
-        statusText: response.statusText,
-        body
+    if (!response.ok) {
+      let errorMessage = `HTTP ${response.status}`;
+      try {
+        const errorBody = await response.json();
+        const maybeMessage = errorBody.error_message || errorBody.message;
+        if (typeof maybeMessage === "string" && maybeMessage.length > 0)
+          errorMessage = maybeMessage;
+      } catch {
+        errorMessage = response.statusText || errorMessage;
       }
-    });
-  }
-  let rawJson;
-  try {
-    rawJson = await response.json();
-  } catch (e) {
+      throw new CofheError({
+        code: "DECRYPT_FAILED" /* DecryptFailed */,
+        message: `decrypt request failed: ${errorMessage}`,
+        hint: "Check the threshold network URL and request parameters.",
+        context: {
+          thresholdNetworkUrl,
+          status: response.status,
+          statusText: response.statusText,
+          body,
+          attemptIndex
+        }
+      });
+    }
+    let submitResponse;
+    if (response.status !== 204) {
+      let rawJson;
+      try {
+        rawJson = await response.json();
+      } catch (e) {
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `Failed to parse decrypt submit response`,
+          cause: e instanceof Error ? e : void 0,
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex
+          }
+        });
+      }
+      submitResponse = assertDecryptSubmitResponseV2(rawJson);
+      if (Array.isArray(submitResponse.decrypted) && typeof submitResponse.signature === "string") {
+        return {
+          kind: "completed",
+          ...parseCompletedDecryptResponseV2({
+            value: submitResponse,
+            thresholdNetworkUrl,
+            requestId: submitResponse.request_id
+          })
+        };
+      }
+      if (submitResponse.request_id) {
+        return { kind: "request_id", requestId: submitResponse.request_id };
+      }
+    }
+    if (response.status === 204) {
+      const elapsedMs = Date.now() - overallStartTime;
+      if (elapsedMs > DECRYPT_TIMEOUT_MS) {
+        throw new CofheError({
+          code: "DECRYPT_FAILED" /* DecryptFailed */,
+          message: `decrypt submit retried without receiving request_id for ${DECRYPT_TIMEOUT_MS}ms`,
+          hint: "The ciphertext may still be propagating. Try again later.",
+          context: {
+            thresholdNetworkUrl,
+            body,
+            attemptIndex,
+            timeoutMs: DECRYPT_TIMEOUT_MS,
+            submitResponse,
+            status: response.status
+          }
+        });
+      }
+      onPoll?.({
+        operation: "decrypt",
+        requestId: "",
+        attemptIndex,
+        elapsedMs,
+        intervalMs: SUBMIT_RETRY_INTERVAL_MS2,
+        timeoutMs: DECRYPT_TIMEOUT_MS
+      });
+      await new Promise((resolve) => setTimeout(resolve, SUBMIT_RETRY_INTERVAL_MS2));
+      attemptIndex += 1;
+      continue;
+    }
     throw new CofheError({
       code: "DECRYPT_FAILED" /* DecryptFailed */,
-      message: `Failed to parse decrypt submit response`,
-      cause: e instanceof Error ? e : void 0,
+      message: `decrypt submit response missing request_id`,
       context: {
         thresholdNetworkUrl,
-        body
+        body,
+        submitResponse,
+        attemptIndex
       }
     });
   }
-  const submitResponse = assertDecryptSubmitResponseV2(rawJson);
-  return submitResponse.request_id;
 }
-async function pollDecryptStatusV2(thresholdNetworkUrl, requestId) {
-  const startTime = Date.now();
-  let completed = false;
-  while (!completed) {
-    if (Date.now() - startTime > POLL_TIMEOUT_MS2) {
+async function pollDecryptStatusV2(thresholdNetworkUrl, requestId, overallStartTime, onPoll) {
+  let attemptIndex = 0;
+  while (true) {
+    const elapsedMs = Date.now() - overallStartTime;
+    const intervalMs = computeMinuteRampPollIntervalMs(elapsedMs, {
+      minIntervalMs: POLL_INTERVAL_MS2,
+      maxIntervalMs: POLL_MAX_INTERVAL_MS2
+    });
+    onPoll?.({
+      operation: "decrypt",
+      requestId,
+      attemptIndex,
+      elapsedMs,
+      intervalMs,
+      timeoutMs: DECRYPT_TIMEOUT_MS
+    });
+    if (elapsedMs > DECRYPT_TIMEOUT_MS) {
       throw new CofheError({
         code: "DECRYPT_FAILED" /* DecryptFailed */,
-        message: `decrypt polling timed out after ${POLL_TIMEOUT_MS2}ms`,
+        message: `decrypt polling timed out after ${DECRYPT_TIMEOUT_MS}ms`,
         hint: "The request may still be processing. Try again later.",
         context: {
           thresholdNetworkUrl,
           requestId,
-          timeoutMs: POLL_TIMEOUT_MS2
+          timeoutMs: DECRYPT_TIMEOUT_MS
         }
       });
     }
@@ -2731,45 +2982,14 @@ async function pollDecryptStatusV2(thresholdNetworkUrl, requestId) {
     }
     const statusResponse = assertDecryptStatusResponseV2(rawJson);
     if (statusResponse.status === "COMPLETED") {
-      if (statusResponse.is_succeed === false) {
-        const errorMessage = statusResponse.error_message || "Unknown error";
-        throw new CofheError({
-          code: "DECRYPT_FAILED" /* DecryptFailed */,
-          message: `decrypt request failed: ${errorMessage}`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      if (statusResponse.error_message) {
-        throw new CofheError({
-          code: "DECRYPT_FAILED" /* DecryptFailed */,
-          message: `decrypt request failed: ${statusResponse.error_message}`,
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      if (!Array.isArray(statusResponse.decrypted)) {
-        throw new CofheError({
-          code: "DECRYPT_RETURNED_NULL" /* DecryptReturnedNull */,
-          message: "decrypt completed but response missing <decrypted> byte array",
-          context: {
-            thresholdNetworkUrl,
-            requestId,
-            statusResponse
-          }
-        });
-      }
-      const decryptedValue = parseDecryptedBytesToBigInt(statusResponse.decrypted);
-      const signature = normalizeTnSignature(statusResponse.signature);
-      return { decryptedValue, signature };
+      return parseCompletedDecryptResponseV2({
+        value: statusResponse,
+        thresholdNetworkUrl,
+        requestId
+      });
     }
-    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS2));
+    await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    attemptIndex += 1;
   }
   throw new CofheError({
     code: "DECRYPT_FAILED" /* DecryptFailed */,
@@ -2780,9 +3000,21 @@ async function pollDecryptStatusV2(thresholdNetworkUrl, requestId) {
     }
   });
 }
-async function tnDecryptV2(ctHash, chainId, permission, thresholdNetworkUrl) {
-  const requestId = await submitDecryptRequestV2(thresholdNetworkUrl, ctHash, chainId, permission);
-  return await pollDecryptStatusV2(thresholdNetworkUrl, requestId);
+async function tnDecryptV2(params) {
+  const { thresholdNetworkUrl, ctHash, chainId, permission, onPoll } = params;
+  const overallStartTime = Date.now();
+  const submitResult = await submitDecryptRequestV2(
+    thresholdNetworkUrl,
+    ctHash,
+    chainId,
+    permission,
+    overallStartTime,
+    onPoll
+  );
+  if (submitResult.kind === "completed") {
+    return submitResult;
+  }
+  return await pollDecryptStatusV2(thresholdNetworkUrl, submitResult.requestId, overallStartTime, onPoll);
 }
 
 // core/decrypt/decryptForTxBuilder.ts
@@ -2791,6 +3023,7 @@ var DecryptForTxBuilder = class extends BaseBuilder {
   permitHash;
   permit;
   permitSelection = "unset";
+  pollCallback;
   constructor(params) {
     super({
       config: params.config,
@@ -2816,6 +3049,10 @@ var DecryptForTxBuilder = class extends BaseBuilder {
   getAccount() {
     return this.account;
   }
+  onPoll(callback) {
+    this.pollCallback = callback;
+    return this;
+  }
   withPermit(permitOrPermitHash) {
     if (this.permitSelection === "with-permit") {
       throw new CofheError({
@@ -2943,7 +3180,13 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     this.assertPublicClient();
     const thresholdNetworkUrl = await this.getThresholdNetworkUrl();
     const permission = permit ? PermitUtils.getPermission(permit, true) : null;
-    const { decryptedValue, signature } = await tnDecryptV2(this.ctHash, this.chainId, permission, thresholdNetworkUrl);
+    const { decryptedValue, signature } = await tnDecryptV2({
+      ctHash: this.ctHash,
+      chainId: this.chainId,
+      permission,
+      thresholdNetworkUrl,
+      onPoll: this.pollCallback
+    });
     return {
       ctHash: this.ctHash,
       decryptedValue,
@@ -2961,7 +3204,6 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     const permit = await this.getResolvedPermit();
     if (permit !== null) {
       PermitUtils.validate(permit);
-      PermitUtils.isValid(permit);
       const chainId = permit._signedDomain.chainId;
       if (chainId === hardhat$1.id) {
         return await this.mocksDecryptForTx(permit);
@@ -2982,6 +3224,35 @@ var DecryptForTxBuilder = class extends BaseBuilder {
     }
   }
 };
+var decryptResultSignerAbi = parseAbi(["function decryptResultSigner() view returns (address)"]);
+var UINT_TYPE_MASK2 = 0x7fn;
+var TYPE_BYTE_OFFSET2 = 8n;
+var getEncryptionTypeFromCtHash2 = (ctHash) => Number(ctHash >> TYPE_BYTE_OFFSET2 & UINT_TYPE_MASK2);
+var buildDecryptResultHash = (ctHash, cleartext, chainId) => {
+  const encryptionType = getEncryptionTypeFromCtHash2(ctHash);
+  return keccak256(
+    encodePacked(["uint256", "uint32", "uint64", "uint256"], [cleartext, encryptionType, BigInt(chainId), ctHash])
+  );
+};
+async function verifyDecryptResult(handle, cleartext, signature, publicClient) {
+  const chainId = publicClient.chain?.id ?? await publicClient.getChainId();
+  const expectedSigner = await publicClient.readContract({
+    address: TASK_MANAGER_ADDRESS,
+    abi: decryptResultSignerAbi,
+    functionName: "decryptResultSigner",
+    args: []
+  });
+  if (isAddressEqual(expectedSigner, zeroAddress))
+    return true;
+  const ctHash = BigInt(handle);
+  const messageHash = buildDecryptResultHash(ctHash, cleartext, chainId);
+  try {
+    const recovered = await recoverAddress({ hash: messageHash, signature });
+    return isAddressEqual(recovered, expectedSigner);
+  } catch {
+    return false;
+  }
+}
 
 // core/client.ts
 var InitialConnectStore = {
@@ -3100,6 +3371,11 @@ function createCofheClientBase(opts) {
       requireConnected: _requireConnected
     });
   }
+  function verifyDecryptResult2(handle, cleartext, signature) {
+    _requireConnected();
+    const { publicClient } = connectStore.getState();
+    return verifyDecryptResult(handle, cleartext, signature, publicClient);
+  }
   const _getChainIdAndAccount = (chainId, account) => {
     const state = connectStore.getState();
     const _chainId = chainId ?? state.chainId;
@@ -3182,6 +3458,7 @@ function createCofheClientBase(opts) {
     },
     // Utils (no context needed)
     getHash: permits.getHash,
+    export: permits.export,
     serialize: permits.serialize,
     deserialize: permits.deserialize
   };
@@ -3210,6 +3487,7 @@ function createCofheClientBase(opts) {
      */
     decryptHandle: decryptForView,
     decryptForTx,
+    verifyDecryptResult: verifyDecryptResult2,
     permits: clientPermits
     // Add SDK-specific methods below that require connection
     // Example:
@@ -3220,4 +3498,4 @@ function createCofheClientBase(opts) {
   };
 }
 
-export { CofheError, CofheErrorCode, DecryptForTxBuilder, DecryptForViewBuilder, EncryptInputsBuilder, EncryptStep, Encryptable, FheAllUTypes, FheTypes, FheUintUTypes, InitialConnectStore, assertCorrectEncryptedItemInput, createCofheClientBase, createCofheConfigBase, createKeysStore, fetchKeys, fheTypeToString, getCofheConfigItem, isCofheError, isEncryptableItem, isLastEncryptionStep, zkProveWithWorker };
+export { CofheError, CofheErrorCode, DecryptForTxBuilder, DecryptForViewBuilder, EncryptInputsBuilder, EncryptStep, Encryptable, FheAllUTypes, FheTypes, FheUintUTypes, InitialConnectStore, assertCorrectEncryptedItemInput, createCofheClientBase, createCofheConfigBase, createKeysStore, fetchKeys, fheTypeToString, getCofheConfigItem, isCofheError, isEncryptableItem, isLastEncryptionStep, verifyDecryptResult, zkProveWithWorker };