@hsuite/smart-engines-sdk 3.3.0 → 3.4.1

package/dist/index.js

@@ -123,12 +123,12 @@ var require_lib = __commonJS({
       if (lengths.length > 0 && !lengths.includes(b.length))
         throw new Error("Uint8Array expected of length " + lengths + ", got length=" + b.length);
     }
-    function isArrayOf(isString, arr) {
+    function isArrayOf(isString2, arr) {
       if (!Array.isArray(arr))
         return false;
       if (arr.length === 0)
         return true;
-      if (isString) {
+      if (isString2) {
         return arr.every((item) => typeof item === "string");
       } else {
         return arr.every((item) => Number.isSafeInteger(item));
@@ -6003,9 +6003,11 @@ zod.z.object({
 var discovery_exports = {};
 __export(discovery_exports, {
   ClusterDiscoveryClient: () => ClusterDiscoveryClient,
+  DiscoveryClient: () => DiscoveryClient,
   MIRROR_NODE_URLS: () => MIRROR_NODE_URLS,
   MirrorNodeClient: () => MirrorNodeClient,
   MirrorNodeError: () => MirrorNodeError,
+  PlatformImagesClient: () => PlatformImagesClient,
   ValidatorDiscoveryClient: () => ValidatorDiscoveryClient
 });
 
@@ -6554,6 +6556,99 @@ var ClusterDiscoveryClient = class {
   }
 };
 
+// src/discovery/discovery-client.ts
+var DiscoveryClient = class {
+  constructor(http) {
+    this.http = http;
+    this.platformImages = new PlatformImagesClient(http);
+  }
+  http;
+  /** Platform-image manifest discovery endpoints. */
+  platformImages;
+  /**
+   * `GET /api/v3/discovery/clusters` — active-set cluster registry,
+   * grouped by `clusterId`. This is the same data the bootstrap-seed
+   * flow consumes for random-pick connect.
+   */
+  async listClusters() {
+    return this.http.get("/discovery/clusters");
+  }
+  /**
+   * `GET /api/v3/discovery/clusters/all` — every node-level record
+   * (debug / audit view). Includes nodes that the active-set filter
+   * dropped (e.g. recently-departed validators still in the registry's
+   * eventual-consistency window).
+   */
+  async listAllClusters() {
+    return this.http.get("/discovery/clusters/all");
+  }
+  /**
+   * `GET /api/v3/discovery/clusters/:nodeId` — per-nodeId registry row.
+   * Returns `{ record: null }` (not 404) when the nodeId is unknown to
+   * this validator's registry view, so callers can branch without
+   * try/catch.
+   */
+  async getClusterByNode(nodeId) {
+    return this.http.get(`/discovery/clusters/${encodeURIComponent(nodeId)}`);
+  }
+};
+var PlatformImagesClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /**
+   * `GET /api/v3/discovery/platform-images` — every signed manifest the
+   * cluster has on record. One row per `(imageName, version)` pair.
+   */
+  async list() {
+    return this.http.get("/discovery/platform-images");
+  }
+  /**
+   * `GET /api/v3/discovery/platform-images/envelopes` — full signed
+   * envelopes (manifest + signature + publicKey). Heavier payload than
+   * {@link list}; for external re-verifiers that want to independently
+   * confirm authenticity.
+   */
+  async listEnvelopes() {
+    return this.http.get("/discovery/platform-images/envelopes");
+  }
+  /**
+   * `GET /api/v3/discovery/platform-images/:imageName` — every version
+   * of a single image. Useful for "which tags has the cluster
+   * authorized?" queries.
+   */
+  async get(imageName) {
+    return this.http.get(`/discovery/platform-images/${encodeURIComponent(imageName)}`);
+  }
+  /**
+   * `GET /api/v3/discovery/platform-images/:imageName/:version` —
+   * single signed manifest. Returns `{ manifest: null }` when the
+   * `(imageName, version)` pair is unknown.
+   */
+  async getVersion(imageName, version) {
+    return this.http.get(
+      `/discovery/platform-images/${encodeURIComponent(imageName)}/${encodeURIComponent(version)}`
+    );
+  }
+  /**
+   * `GET /api/v3/discovery/platform-images/:imageName/:version/verify?digest=...`
+   * — content-addressed verify gate. Returns `{ verified: true }` only
+   * when the supplied SHA-256 digest matches the on-record manifest.
+   *
+   * Use before pulling an image off a registry to make sure you're
+   * about to run cluster-signed bits and not whatever drifted into
+   * the registry namespace.
+   */
+  async verify(imageName, version, digest) {
+    return this.http.get(
+      `/discovery/platform-images/${encodeURIComponent(imageName)}/${encodeURIComponent(
+        version
+      )}/verify?digest=${encodeURIComponent(digest)}`
+    );
+  }
+};
+
 // src/auth/index.ts
 var auth_exports = {};
 __export(auth_exports, {
@@ -6858,7 +6953,7 @@ function createHttpClient(config) {
   const timeout = config.timeout ?? 3e4;
   function getHeaders(contentType) {
     const headers = {};
-    {
+    if (contentType) {
       headers["Content-Type"] = contentType;
     }
     if (config.authToken) {
@@ -6908,6 +7003,36 @@ function createHttpClient(config) {
       throw new SdkHttpError(`Network error: ${err.message}`, 0, error);
     }
   }
+  async function getText(path) {
+    const url = `${config.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        headers: getHeaders(),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errBody = await response.json().catch(() => ({}));
+        throw new SdkHttpError(
+          errBody.message || `API error: ${response.status} ${response.statusText}`,
+          response.status,
+          errBody
+        );
+      }
+      return await response.text();
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof SdkHttpError) throw error;
+      const err = error;
+      if (err.name === "AbortError") {
+        throw new SdkHttpError("Request timeout", 408);
+      }
+      throw new SdkHttpError(`Network error: ${err.message}`, 0, error);
+    }
+  }
   async function upload(path, file, filename, metadata, fieldName = "file") {
     const url = `${config.baseUrl}${path}`;
     const controller = new AbortController();
@@ -6958,7 +7083,9 @@ function createHttpClient(config) {
     post: (path, body) => request("POST", path, body),
     get: (path) => request("GET", path),
     put: (path, body) => request("PUT", path, body),
+    patch: (path, body) => request("PATCH", path, body),
     delete: (path) => request("DELETE", path),
+    getText,
     upload: ((path, file, filename, metadata, fieldName) => upload(path, file, filename, metadata, fieldName)),
     setAuthToken
   };
@@ -7112,6 +7239,80 @@ var SubscriptionClient = class {
   async getBalance(appId) {
     return this.http.get(`/subscription/balance/${encodeURIComponent(appId)}`);
   }
+  // ─── Tier-Change Endpoints ────────────────────────────────────────────────
+  /**
+   * Schedule a tier downgrade. The downgrade takes effect at the next
+   * renewal — the deposit is NOT partially refunded mid-lock. Excess
+   * collateral returns on eventual cancel.
+   */
+  async downgrade(request) {
+    return this.http.post("/subscription/downgrade", request);
+  }
+  /**
+   * Request a tier upgrade. The server records the upgrade and returns
+   * top-up deposit instructions for the price delta. The new tier flips
+   * only once the on-chain top-up is confirmed by the deposit monitor.
+   */
+  async upgrade(request) {
+    return this.http.post("/subscription/upgrade", request);
+  }
+  /** Cancel a pending (not-yet-applied) tier change. */
+  async cancelTierChange(request) {
+    return this.http.post("/subscription/tier-change/cancel", request);
+  }
+  // ─── Internal / Usage / Billing ───────────────────────────────────────────
+  /**
+   * Check whether a developer wallet has any active subscription. Used by
+   * smart-host's deploy gate via the cluster-internal API-key path; smart-app
+   * callers should not rely on this endpoint (server-side it requires the
+   * `INTERNAL_SERVICE_MESH_ROUTES` allowlist + an `X-API-Key` header).
+   */
+  async getActiveFor(walletAddress) {
+    return this.http.get(
+      `/subscription/active-for/${encodeURIComponent(walletAddress)}`
+    );
+  }
+  /** Today's consumption breakdown by category for an app. Owner-only. */
+  async getUsage(appId) {
+    return this.http.get(`/subscription/usage/${encodeURIComponent(appId)}`);
+  }
+  /**
+   * Current usage with overage info: usage percent, grace status,
+   * upgrade suggestion, projected days until limit. Owner-only.
+   */
+  async getUsageStatus(appId) {
+    return this.http.get(`/subscription/usage/status/${encodeURIComponent(appId)}`);
+  }
+  /**
+   * Subscription balance deduction history. Pagination + ISO-8601 range
+   * filtering supported. Owner-only.
+   */
+  async getBilling(appId, options) {
+    const params = new URLSearchParams();
+    if (options?.limit !== void 0) params.append("limit", String(options.limit));
+    if (options?.offset !== void 0) params.append("offset", String(options.offset));
+    if (options?.from) params.append("from", options.from);
+    if (options?.to) params.append("to", options.to);
+    const qs = params.toString();
+    return this.http.get(
+      `/subscription/billing/${encodeURIComponent(appId)}${qs ? `?${qs}` : ""}`
+    );
+  }
+  /**
+   * Mint a customer-subscription NFT on behalf of a smart-app.
+   *
+   * Distinct from `mintNft(appId)`, which mints the smart-app's own
+   * developer-level subscription NFT. This endpoint mints a *customer*
+   * NFT held by an end-user wallet — used by smart-host's
+   * `XrplCustomerNftIssuerAdapter` when an app calls
+   * `SubscriptionService.issueCustomerSubscription()` from the sandbox.
+   *
+   * v1 is XRPL-only (the `customerChain` field is a literal `'xrpl'`).
+   * Internal-by-design — server-side gated by `X-API-Key`.
+   */
+  async mintCustomer(request) {
+    return this.http.post("/subscription/customer/mint", request);
+  }
 };
 
 // src/tss/index.ts
@@ -7140,14 +7341,19 @@ var TSSClient = class {
     return this.http.get(`/tss/entity/${encodeURIComponent(entityId)}`);
   }
   /**
-   * Sign a transaction using MPC — chain-agnostic.
-   * Routes to the correct chain backend based on the `chain` parameter.
+   * Sign a transaction using MPC.
    *
-   * @param request - MPC signing request with chain, entityId, and transaction bytes
+   * Routes to `POST /api/v3/tss/hedera/sign-mpc`. Only `'hedera'` is wired
+   * server-side today (see
+   * `apps/smart-validator/src/tss/tss.controller.ts:279`); other chain
+   * signing paths run via their own controllers (XRPL multisig, Polkadot
+   * MPC) and are not exposed through this sub-client. The `chain` field is
+   * carried into the request body so the validator can log + route, but
+   * any non-`'hedera'` value will 404.
    */
   async signMPC(request) {
-    const chain = request.chain || "hedera";
-    return this.http.post(`/tss/${encodeURIComponent(chain)}/sign-mpc`, request);
+    const chain = "hedera";
+    return this.http.post(`/tss/${chain}/sign-mpc`, { ...request, chain });
   }
   /**
    * Get known validators and their public keys
@@ -7191,6 +7397,42 @@ var TSSClient = class {
   async getMultiSigStatus(txId) {
     return this.http.get(`/tss/multisig/transactions/${encodeURIComponent(txId)}`);
   }
+  /**
+   * Async-job variant of {@link createEntity}.
+   *
+   * Server returns 202 + `{ jobId, statusUrl, status: 'pending' }` immediately;
+   * the DKG ceremony runs in the background. Poll {@link getJob} until the
+   * status reaches `'success'` or `'failed'`.
+   */
+  async createEntityAsync(options) {
+    return this.http.post("/tss/entity/create/async", options);
+  }
+  /**
+   * Async-job variant of {@link reshareCluster}. Returns 202 + a polling
+   * descriptor; resharing runs in the background.
+   */
+  async reshareClusterAsync(request) {
+    return this.http.post("/tss/cluster/reshare/async", request);
+  }
+  /**
+   * Poll the status of an async TSS-ceremony job kicked off via
+   * {@link createEntityAsync} or {@link reshareClusterAsync}.
+   */
+  async getJob(jobId) {
+    return this.http.get(`/tss/jobs/${encodeURIComponent(jobId)}`);
+  }
+  /**
+   * Sign a hex payload as smart-app entity `appId` via the cluster's TSS
+   * quorum. Used by smart-deployer for per-entity BLS12-381 signatures over
+   * deployment-context payloads (trustless APP_TOKEN replacement).
+   *
+   * Payload constraints (enforced server-side):
+   *   - even-length lowercase hex
+   *   - ≥32 bytes, ≤8KB
+   */
+  async signForApp(appId, request) {
+    return this.http.post(`/tss/entity/${encodeURIComponent(appId)}/sign`, request);
+  }
 };
 
 // src/ipfs/index.ts
@@ -7260,12 +7502,59 @@ var IPFSClient = class {
   }
 };
 
+// src/hedera-tss/index.ts
+var HederaTssClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /** Create a Hedera account whose keys are controlled by the TSS cluster. */
+  async createAccount(request) {
+    return this.http.post("/hedera/tss/create-account", request);
+  }
+  /** Update an existing account's memo via TSS-signed transaction. */
+  async updateMemo(request) {
+    return this.http.post("/hedera/tss/update-memo", request);
+  }
+  /** Create a TSS-controlled HCS topic. */
+  async createTopic(request) {
+    return this.http.post("/hedera/tss/create-topic", request);
+  }
+  /** Submit a message to an HCS topic via TSS signing. */
+  async submitMessage(request) {
+    return this.http.post("/hedera/tss/submit-message", request);
+  }
+  /** Create an HTS token with TSS-controlled admin/supply/freeze/pause/wipe keys. */
+  async createToken(request) {
+    return this.http.post("/hedera/tss/create-token", request);
+  }
+  /** Mint tokens via TSS signing — optionally rule-validated via `validatorTopicId`. */
+  async mintToken(request) {
+    return this.http.post("/hedera/tss/mint-token", request);
+  }
+};
+
 // src/transactions/chains/hedera.ts
 var HederaTransactionsClient = class {
-  constructor(http) {
+  constructor(http, tssHttp) {
     this.http = http;
+    this.tss = new HederaTssClient(tssHttp ?? http);
   }
   http;
+  /**
+   * TSS-signed Hedera operations (`/api/v3/hedera/tss/*`).
+   *
+   * Distinct from the prepare-only routes on this class:
+   *   - `client.hedera.prepareTopicCreate(...)` returns bytes for local sign+submit.
+   *   - `client.hedera.tss.createTopic(...)` makes the cluster sign+submit in one call.
+   *
+   * `tssHttp` is the validator's `/api/v3`-rooted HTTP client (different from
+   * the `/api/transactions` one this class uses for prepare paths). When the
+   * legacy single-arg constructor is used (no tssHttp passed), `tss` falls
+   * back to the same `http` instance for backwards compatibility — callers
+   * outside `SmartEngineClient` rarely use the TSS surface.
+   */
+  tss;
   /** Prepare an HCS topic creation transaction. */
   async prepareTopicCreate(request) {
     return this.http.post("/topic/create/prepare", { ...request, chain: "hedera" });
@@ -7298,6 +7587,16 @@ var XrplTransactionsClient = class {
   async prepareTrustLine(request) {
     return this.http.post("/trustline/prepare", { ...request, chain: "xrpl" });
   }
+  /**
+   * Prepare the ordered XRPL account-setup transaction set
+   * (SignerListSet + AccountSet DisableMaster) for sovereignty mode.
+   *
+   * Returns `{ steps, sovereignty }`. Caller signs + submits each step in
+   * order; the master key remains usable until the final AccountSet lands.
+   */
+  async prepareAccountSetup(request) {
+    return this.http.post("/xrpl/account-setup/prepare", { ...request, chain: "xrpl" });
+  }
 };
 
 // src/transactions/chains/solana.ts
@@ -7354,6 +7653,28 @@ var TransactionsClient = class {
   async prepareNftTransfer(request) {
     return this.http.post("/nft/transfer/prepare", request);
   }
+  /**
+   * Prepare an NFT collection-create transaction (Polkadot pallet-nfts /
+   * Solana Metaplex master-edition).
+   */
+  async prepareNftCollectionCreate(request) {
+    return this.http.post("/nft/collection/create/prepare", request);
+  }
+  /** Prepare an NFT item set-metadata transaction (Polkadot pallet-nfts/uniques). */
+  async prepareNftSetMetadata(request) {
+    return this.http.post("/nft/set-metadata/prepare", request);
+  }
+  /** Prepare an NFT collection set-metadata transaction (Polkadot pallet-nfts/uniques). */
+  async prepareNftCollectionSetMetadata(request) {
+    return this.http.post("/nft/collection/set-metadata/prepare", request);
+  }
+  /**
+   * Prepare an NFT collection-lock transaction (Polkadot pallet-nfts only).
+   * Asset Hub runtimes on pallet-uniques fallback will reject with a 4xx.
+   */
+  async prepareNftCollectionLock(request) {
+    return this.http.post("/nft/collection/lock/prepare", request);
+  }
   /** Prepare a token creation transaction (Hedera, Solana, Polkadot, Cardano). */
   async prepareTokenCreate(request) {
     return this.http.post("/token/create/prepare", request);
@@ -7674,6 +7995,253 @@ var GovernanceClient = class {
   }
 };
 
+// src/dao/index.ts
+var dao_exports = {};
+__export(dao_exports, {
+  DaoClient: () => DaoClient,
+  DaoDashboardClient: () => DaoDashboardClient
+});
+
+// src/dao/dashboard-client.ts
+function buildQuery(params) {
+  const search = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value === void 0) continue;
+    search.set(key, String(value));
+  }
+  const qs = search.toString();
+  return qs ? `?${qs}` : "";
+}
+var DaoDashboardClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /** Aggregated dashboard counters for a user's governance home screen. */
+  async getStats(userAddress) {
+    return this.http.get(
+      `/dao/dashboard/stats/${encodeURIComponent(userAddress)}`
+    );
+  }
+  /** Active proposals across every DAO the user belongs to, with vote state. */
+  async getActiveProposals(userAddress) {
+    return this.http.get(
+      `/dao/dashboard/active-proposals/${encodeURIComponent(userAddress)}`
+    );
+  }
+  /** Paginated vote history across DAOs. */
+  async getVoteHistory(userAddress, opts = {}) {
+    const qs = buildQuery({ limit: opts.limit, offset: opts.offset });
+    return this.http.get(
+      `/dao/dashboard/vote-history/${encodeURIComponent(userAddress)}${qs}`
+    );
+  }
+  /** Activity feed (proposal-created/vote-cast/etc.) across user's DAOs. */
+  async getActivity(userAddress, opts = {}) {
+    const qs = buildQuery({ limit: opts.limit, daoId: opts.daoId });
+    return this.http.get(
+      `/dao/dashboard/activity/${encodeURIComponent(userAddress)}${qs}`
+    );
+  }
+  /** Items the user must act on (sign prepared messages, claim NFTs, …). */
+  async getPendingActions(userAddress) {
+    return this.http.get(
+      `/dao/dashboard/pending-actions/${encodeURIComponent(userAddress)}`
+    );
+  }
+  /** Governance impact metrics — weight delivered, success rate, streak. */
+  async getImpact(userAddress) {
+    return this.http.get(
+      `/dao/dashboard/impact/${encodeURIComponent(userAddress)}`
+    );
+  }
+};
+
+// src/dao/dao-client.ts
+function buildQuery2(params) {
+  const search = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value === void 0) continue;
+    search.set(key, String(value));
+  }
+  const qs = search.toString();
+  return qs ? `?${qs}` : "";
+}
+function encodeDaoId(daoId) {
+  return encodeURIComponent(daoId);
+}
+function encodeProposalId(proposalId) {
+  return encodeURIComponent(proposalId);
+}
+function encodeAddress(address) {
+  return encodeURIComponent(address);
+}
+var DaoClient = class {
+  constructor(http) {
+    this.http = http;
+    this.dashboard = new DaoDashboardClient(http);
+  }
+  http;
+  /** Per-user rollups for the smart-app's governance home screen. */
+  dashboard;
+  // ─── Lifecycle ────────────────────────────────────────────────────────────
+  /** Create a new DAO. */
+  async create(request) {
+    return this.http.post("/dao/create", request);
+  }
+  /** List DAOs with optional status / creator filters. */
+  async list(opts = {}) {
+    const qs = buildQuery2({ status: opts.status, createdBy: opts.createdBy });
+    return this.http.get(`/dao/list${qs}`);
+  }
+  /** Fetch a single DAO by ID. */
+  async get(daoId) {
+    return this.http.get(`/dao/${encodeDaoId(daoId)}`);
+  }
+  /** Fetch a DAO together with its proposals (single round-trip). */
+  async getWithProposals(daoId) {
+    return this.http.get(`/dao/${encodeDaoId(daoId)}/with-proposals`);
+  }
+  // ─── Proposals ────────────────────────────────────────────────────────────
+  /** List proposals for a DAO, optionally filtered by status / proposer. */
+  async listProposals(daoId, opts = {}) {
+    const qs = buildQuery2({ status: opts.status, proposer: opts.proposer });
+    return this.http.get(`/dao/${encodeDaoId(daoId)}/proposals${qs}`);
+  }
+  /** Create a proposal (server activates the proposal immediately). */
+  async createProposal(daoId, request) {
+    return this.http.post(`/dao/${encodeDaoId(daoId)}/proposals`, request);
+  }
+  /**
+   * Prepare a proposal for off-chain signing (returns the message to sign).
+   * Use {@link signProposal} to submit the signature once captured.
+   */
+  async prepareProposal(daoId, request) {
+    return this.http.post(
+      `/dao/${encodeDaoId(daoId)}/proposals/prepare`,
+      request
+    );
+  }
+  /** Submit the signed prepared-proposal payload. */
+  async signProposal(daoId, proposalId, request) {
+    return this.http.post(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/sign`,
+      request
+    );
+  }
+  /** Prepare a vote message for off-chain signing. */
+  async prepareVote(daoId, proposalId, request) {
+    return this.http.post(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/prepare-vote`,
+      request
+    );
+  }
+  /** Submit the signed prepared-vote payload. */
+  async submitVote(daoId, proposalId, request) {
+    return this.http.post(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/submit-vote`,
+      request
+    );
+  }
+  /**
+   * Cast a vote directly (no separate prepare/sign hop — server records the
+   * vote on the caller's behalf). Use {@link prepareVote} + {@link submitVote}
+   * when the smart-app's signing model requires client-side signing.
+   */
+  async vote(daoId, proposalId, request) {
+    return this.http.post(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/vote`,
+      request
+    );
+  }
+  /**
+   * Manually execute a passed proposal via TSS. Proposals auto-execute after
+   * the execution delay; this endpoint is for the governance-admin override
+   * path.
+   */
+  async execute(daoId, proposalId) {
+    return this.http.post(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/execute`,
+      {}
+    );
+  }
+  /** Paginated vote list for a proposal. */
+  async getVotes(daoId, proposalId, opts = {}) {
+    const qs = buildQuery2({ limit: opts.limit, offset: opts.offset });
+    return this.http.get(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/votes${qs}`
+    );
+  }
+  /** Resolved tally / quorum / pass-fail for a proposal. */
+  async getResults(daoId, proposalId) {
+    return this.http.get(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/results`
+    );
+  }
+  /** Raw vote counts by option ID (no quorum / pass logic). */
+  async getVoteCounts(daoId, proposalId) {
+    return this.http.get(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/vote-counts`
+    );
+  }
+  /** Fetch a single voter's vote on a proposal. */
+  async getVoterRecord(daoId, proposalId, voterAddress) {
+    return this.http.get(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}/voter/${encodeAddress(voterAddress)}`
+    );
+  }
+  /** Fetch a single proposal by ID. */
+  async getProposal(daoId, proposalId) {
+    return this.http.get(
+      `/dao/${encodeDaoId(daoId)}/proposals/${encodeProposalId(proposalId)}`
+    );
+  }
+  // ─── Treasury ─────────────────────────────────────────────────────────────
+  /** Per-chain treasury balances for a DAO. */
+  async getTreasury(daoId, chain) {
+    const qs = buildQuery2({ chain });
+    return this.http.get(`/dao/${encodeDaoId(daoId)}/treasury${qs}`);
+  }
+  /** Paginated treasury transaction history (in/out/swap). */
+  async getTreasuryHistory(daoId, opts = {}) {
+    const qs = buildQuery2({
+      chain: opts.chain,
+      limit: opts.limit,
+      offset: opts.offset
+    });
+    return this.http.get(`/dao/${encodeDaoId(daoId)}/treasury/history${qs}`);
+  }
+  // ─── Members ──────────────────────────────────────────────────────────────
+  /** List a DAO's members, optionally filtered by status. */
+  async listMembers(daoId, opts = {}) {
+    const qs = buildQuery2({ status: opts.status });
+    return this.http.get(`/dao/${encodeDaoId(daoId)}/members${qs}`);
+  }
+  /** Add a member to a DAO. */
+  async addMember(daoId, request) {
+    return this.http.post(`/dao/${encodeDaoId(daoId)}/members`, request);
+  }
+  /** Remove a member from a DAO. */
+  async removeMember(daoId, address) {
+    return this.http.delete(
+      `/dao/${encodeDaoId(daoId)}/members/${encodeAddress(address)}`
+    );
+  }
+  /** Bind a held membership NFT serial to a member record. */
+  async claimMemberNft(daoId, address, request) {
+    return this.http.post(
+      `/dao/${encodeDaoId(daoId)}/members/${encodeAddress(address)}/claim-nft`,
+      request
+    );
+  }
+  /** Fetch the NFT serials + status for a member. */
+  async getMemberNft(daoId, address) {
+    return this.http.get(
+      `/dao/${encodeDaoId(daoId)}/members/${encodeAddress(address)}/nft`
+    );
+  }
+};
+
 // src/personhood/index.ts
 var personhood_exports = {};
 __export(personhood_exports, {
@@ -7793,15 +8361,25 @@ var AgentsClient = class {
   async list() {
     return this.http.get("/api/agents");
   }
-  /** Fund an agent */
+  /**
+   * Fund agent treasury (owner-only). Returns a
+   * `PreparedTransactionResponse` wrapped in a `success: true` envelope —
+   * the caller is expected to sign and submit the prepared bytes.
+   */
   async fund(agentId, request) {
     return this.http.post(`/api/agents/${encodeURIComponent(agentId)}/fund`, request);
   }
-  /** Execute a trade */
+  /**
+   * Execute a trade (agent-wallet OR owner). Returns a
+   * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
+   */
   async trade(agentId, request) {
     return this.http.post(`/api/agents/${encodeURIComponent(agentId)}/trade`, request);
   }
-  /** Withdraw funds from agent */
+  /**
+   * Withdraw from agent treasury (owner-only). Returns a
+   * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
+   */
   async withdraw(agentId, request) {
     return this.http.post(`/api/agents/${encodeURIComponent(agentId)}/withdraw`, request);
   }
@@ -7817,9 +8395,16 @@ var AgentsClient = class {
   async revoke(agentId) {
     return this.http.post(`/api/agents/${encodeURIComponent(agentId)}/revoke`, {});
   }
-  /** Update agent rules */
+  /**
+   * Update agent rules.
+   *
+   * Server route is PATCH `/api/agents/:agentId/rules`
+   * (`agents.controller.ts:375`). The previous PUT variant 404'd because
+   * Nest matched the dynamic `:agentId` GET/POST handlers and rejected
+   * the verb mismatch.
+   */
   async updateRules(agentId, rules) {
-    return this.http.put(`/api/agents/${encodeURIComponent(agentId)}/rules`, rules);
+    return this.http.patch(`/api/agents/${encodeURIComponent(agentId)}/rules`, rules);
   }
   /** Get agent events */
   async getEvents(agentId) {
@@ -7945,16 +8530,316 @@ var DeploymentClient = class {
   async getStats() {
     return this.http.get("/api/deployment/stats");
   }
-};
-
-// src/client.ts
-var SmartEngineClient = class _SmartEngineClient {
-  baseUrl;
-  allowInsecure;
-  http;
-  /** Separate HTTP client for /api/transactions (non-v3 base path) */
-  txHttp;
-  /** Last HTTP error (for getHttpHealth) */
+  /**
+   * Register or update the developer-facing webhook URL for runtime
+   * lifecycle events (`runtime.deploying` / `running` / `failed` /
+   * `suspended` / `resumed` / `retired`).
+   *
+   * The host's `DeployWebhookDispatcher` POSTs to this URL whenever the
+   * smart-deployer reconciler emits a `runtime.*` NATS event, signed with
+   * the returned `webhookSecret`:
+   *
+   *   `X-HSuite-Signature: sha256=<hmac-sha256(secret, raw-body)>`
+   *
+   * Store `webhookSecret` server-side and re-compute the signature over
+   * the raw delivery body to verify authenticity. The secret is surfaced
+   * only on PUT — re-call this method to rotate.
+   *
+   * Server validates: HTTPS only, no loopback / RFC1918 / link-local /
+   * CGNAT / cloud metadata destinations (SSRF guard).
+   */
+  async setWebhook(appId, webhookUrl) {
+    return this.http.put(`/api/deployment/apps/${encodeURIComponent(appId)}/webhook`, {
+      webhookUrl
+    });
+  }
+  /**
+   * Per-app Prometheus metrics in the standard exposition format
+   * (text/plain; version=0.0.4). The server filters smart-deployer's
+   * `/metrics` to lines that mention this app's `appId` label, while
+   * preserving HELP / TYPE comment lines and cluster-wide metrics.
+   *
+   * Returned as a raw string so callers can pipe directly into a
+   * Prometheus parser (`prom-client`, `parse-prometheus-text-format`,
+   * etc.) without an intermediate JSON decode that would corrupt the
+   * exposition format.
+   */
+  async getMetrics(appId) {
+    return this.http.getText(`/api/deployment/apps/${encodeURIComponent(appId)}/metrics`);
+  }
+  /**
+   * Rotate the smart-app's tenant-secret KEK (ADR-011 Phase 6).
+   *
+   * Re-encrypts every `runtime.env` envelope at the new KEK version
+   * transparently. Previous versions remain valid until explicitly
+   * revoked via {@link revokeKek}. Owner-only.
+   */
+  async rotateKek(appId) {
+    return this.http.post(
+      `/api/deployment/apps/${encodeURIComponent(appId)}/credentials/rotate-kek`,
+      {}
+    );
+  }
+  /**
+   * Revoke a tenant-secret KEK version (ADR-011 Phase 6 emergency burn).
+   *
+   * Envelopes at the revoked version become operationally dead —
+   * decryption inside the smart-app pod fails. Owner-only and
+   * **irreversible**. Returns the cumulative list of revoked versions
+   * for this app.
+   */
+  async revokeKek(appId, version) {
+    return this.http.post(
+      `/api/deployment/apps/${encodeURIComponent(appId)}/credentials/revoke-kek`,
+      { version }
+    );
+  }
+};
+
+// src/bridge/index.ts
+var bridge_exports = {};
+__export(bridge_exports, {
+  BridgeClient: () => BridgeClient
+});
+
+// src/bridge/bridge-client.ts
+var BridgeClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /** Create a new bridge instance — triggers DKG + TSS entity creation server-side. */
+  async create(request) {
+    return this.http.post("/bridge/create", request);
+  }
+  /** List bridges. Both filters are optional. */
+  async list(options) {
+    const params = new URLSearchParams();
+    if (options?.status) params.append("status", options.status);
+    if (options?.sourceChain) params.append("sourceChain", options.sourceChain);
+    const qs = params.toString();
+    return this.http.get(`/bridge/list${qs ? `?${qs}` : ""}`);
+  }
+  /** Get bridge configuration. */
+  async get(bridgeId) {
+    return this.http.get(`/bridge/${encodePathParam(bridgeId)}`);
+  }
+  /** Port tokens from source → destination. */
+  async port(bridgeId, request) {
+    return this.http.post(`/bridge/${encodePathParam(bridgeId)}/port`, request);
+  }
+  /**
+   * Return tokens from destination → source. Only meaningful on two-way
+   * bridges; the validator rejects the call on one-way bridges with a 400.
+   *
+   * Method name is `return_` to avoid colliding with the reserved JS
+   * keyword in some downstream codegen. Prefer `client.bridge.return(...)`
+   * via the named alias below.
+   */
+  async return(bridgeId, request) {
+    return this.http.post(`/bridge/${encodePathParam(bridgeId)}/return`, request);
+  }
+  /** Get claim status by claim ID under a given bridge. */
+  async getStatus(bridgeId, claimId) {
+    return this.http.get(
+      `/bridge/${encodePathParam(bridgeId)}/status/${encodePathParam(claimId)}`
+    );
+  }
+  /** Get aggregate supply view for a bridge. */
+  async getSupply(bridgeId) {
+    return this.http.get(`/bridge/${encodePathParam(bridgeId)}/supply`);
+  }
+  /** List bridge claims with optional pagination. */
+  async listClaims(bridgeId, options) {
+    const params = new URLSearchParams();
+    if (options?.limit !== void 0) params.append("limit", String(options.limit));
+    if (options?.offset !== void 0) params.append("offset", String(options.offset));
+    const qs = params.toString();
+    return this.http.get(
+      `/bridge/${encodePathParam(bridgeId)}/claims${qs ? `?${qs}` : ""}`
+    );
+  }
+};
+
+// src/resources/index.ts
+var resources_exports = {};
+__export(resources_exports, {
+  ResourcesClient: () => ResourcesClient
+});
+
+// src/resources/resources-client.ts
+var ResourcesClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /** Network-wide consumption summary across all nodes. */
+  async getSummary() {
+    return this.http.get("/resources/summary");
+  }
+  /** Current-day consumption breakdown for an app. */
+  async getConsumption(appId) {
+    return this.http.get(`/resources/consumption/${encodePathParam(appId)}`);
+  }
+  /** Daily usage history from the persistent store. `days` defaults to 30 server-side. */
+  async getHistory(appId, days) {
+    const qs = days !== void 0 ? `?days=${days}` : "";
+    return this.http.get(
+      `/resources/consumption/${encodePathParam(appId)}/history${qs}`
+    );
+  }
+  /** Paginated billing ledger. All filters optional. */
+  async getLedger(appId, options) {
+    const params = new URLSearchParams();
+    if (options?.limit !== void 0) params.append("limit", String(options.limit));
+    if (options?.offset !== void 0) params.append("offset", String(options.offset));
+    if (options?.since) params.append("since", options.since);
+    if (options?.until) params.append("until", options.until);
+    if (options?.category) params.append("category", options.category);
+    const qs = params.toString();
+    return this.http.get(
+      `/resources/consumption/${encodePathParam(appId)}/ledger${qs ? `?${qs}` : ""}`
+    );
+  }
+  /**
+   * Current consumption status with threshold warnings and upgrade hints.
+   * `dailyLimit` overrides the per-app tier default and is rare —
+   * smart-app callers should leave it unset.
+   */
+  async getStatus(appId, dailyLimit) {
+    const qs = dailyLimit !== void 0 ? `?dailyLimit=${dailyLimit}` : "";
+    return this.http.get(
+      `/resources/consumption/${encodePathParam(appId)}/status${qs}`
+    );
+  }
+  /** Consumption aggregated by category over the supplied window. */
+  async getBreakdown(appId, options) {
+    const params = new URLSearchParams();
+    if (options?.since) params.append("since", options.since);
+    if (options?.until) params.append("until", options.until);
+    const qs = params.toString();
+    return this.http.get(
+      `/resources/consumption/${encodePathParam(appId)}/breakdown${qs ? `?${qs}` : ""}`
+    );
+  }
+  /** Per-node consumption reports. */
+  async listNodes() {
+    return this.http.get("/resources/nodes");
+  }
+  /** Single node's report. */
+  async getNode(nodeId) {
+    return this.http.get(`/resources/nodes/${encodePathParam(nodeId)}`);
+  }
+};
+
+// src/envelope/index.ts
+var envelope_exports = {};
+__export(envelope_exports, {
+  EnvelopeClient: () => EnvelopeClient
+});
+
+// src/envelope/envelope-client.ts
+var EnvelopeClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /**
+   * Seal `plaintext` under the per-app KEK for `appId` at `kekVersion`.
+   * Returns the canonical envelope shape suitable for persistence in
+   * Mongo / NATS / on the EventBus.
+   */
+  async encrypt(request) {
+    return this.http.post("/envelope/encrypt", request);
+  }
+  /**
+   * Open `envelope` for `appId`. The plaintext is returned in the response
+   * body — callers MUST treat it as ephemeral (no logs, no Mongo, no
+   * NATS broadcast). The validator never persists or replays it.
+   */
+  async decrypt(request) {
+    return this.http.post("/envelope/decrypt", request);
+  }
+};
+
+// src/tokens/index.ts
+var tokens_exports = {};
+__export(tokens_exports, {
+  TokensClient: () => TokensClient
+});
+
+// src/tokens/tokens-client.ts
+var TokensClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /** Initiate a token migration to TSS-controlled keys. */
+  async migrate(request) {
+    return this.http.post("/tokens/migrate", request);
+  }
+  /** List all known migrations on this validator. */
+  async listMigrations() {
+    return this.http.get("/tokens/migrations");
+  }
+  /**
+   * Get one migration's status by id. The server returns
+   * `{ error: string }` (NOT a 404) when the migration is unknown, so the
+   * union type makes the failure mode explicit.
+   */
+  async getMigration(migrationId) {
+    return this.http.get(`/tokens/migrations/${encodePathParam(migrationId)}`);
+  }
+  /** All migrations recorded against a specific token id. */
+  async getMigrationsForToken(tokenId) {
+    return this.http.get(`/tokens/${encodePathParam(tokenId)}/migrations`);
+  }
+  /**
+   * Get token details. NOTE: collides with `client.getTokenInfo(...)` —
+   * see the class JSDoc above for the route-order details. Prefer
+   * `client.getTokenInfo(...)` unless you have a reason to call this one.
+   */
+  async getDetails(chain, tokenId) {
+    return this.http.get(
+      `/tokens/${encodePathParam(chain)}/${encodePathParam(tokenId)}`
+    );
+  }
+};
+
+// src/operator/index.ts
+var operator_exports = {};
+__export(operator_exports, {
+  OperatorClient: () => OperatorClient
+});
+
+// src/operator/operator-client.ts
+var OperatorClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /** Get the on-chain HBAR + token balance of an operator account. */
+  async getBalance(chain, accountId) {
+    return this.http.get(
+      `/operator/balance/${encodePathParam(chain)}/${encodePathParam(accountId)}`
+    );
+  }
+  /** Get top-up guidance for an operator account (recommended balance + status). */
+  async getTopup(chain, accountId) {
+    return this.http.get(
+      `/operator/topup/${encodePathParam(chain)}/${encodePathParam(accountId)}`
+    );
+  }
+};
+
+// src/client.ts
+var SmartEngineClient = class _SmartEngineClient {
+  baseUrl;
+  allowInsecure;
+  http;
+  /** Separate HTTP client for /api/transactions (non-v3 base path) */
+  txHttp;
+  /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
   // ========== Sub-Clients ==========
   /** Application subscription management */
@@ -7981,12 +8866,26 @@ var SmartEngineClient = class _SmartEngineClient {
   settlement;
   /** Governance proposal dry-run (simulate-only) */
   governance;
+  /** DAO governance — DAOs, proposals, votes, treasury, members, dashboard */
+  dao;
   /** Personhood verification (HPP one-human-one-member) */
   personhood;
   /** BaaS smart-agent lifecycle (register/fund/trade/withdraw/pause/resume/revoke/...) */
   agents;
   /** BaaS smart-app deployment lifecycle (init/uploadFrontend/deploy/rollback/status/...) */
   deployments;
+  /** Universal Token Bridge — port/return/claim across chains */
+  bridge;
+  /** Network + per-app resource consumption (summary, history, ledger, nodes) */
+  resources;
+  /** AES-256-GCM envelope encrypt/decrypt under the TSS-backed master KEK */
+  envelope;
+  /** Token migration — move existing tokens to TSS-controlled keys */
+  tokens;
+  /** Operator account funding helpers (balance + top-up guidance) */
+  operator;
+  /** Discovery endpoints — cluster registry + platform-image manifests */
+  discovery;
   constructor(config) {
     this.allowInsecure = config.allowInsecure ?? false;
     this.baseUrl = validateClientUrl(config.baseUrl, this.allowInsecure);
@@ -8006,7 +8905,7 @@ var SmartEngineClient = class _SmartEngineClient {
     this.tss = new TSSClient(this.http);
     this.ipfs = new IPFSClient(this.http);
     this.transactions = new TransactionsClient(this.txHttp);
-    this.hedera = new HederaTransactionsClient(this.txHttp);
+    this.hedera = new HederaTransactionsClient(this.txHttp, this.http);
     this.xrpl = new XrplTransactionsClient(this.txHttp);
     this.solana = new SolanaTransactionsClient(this.txHttp);
     this.polkadot = new PolkadotTransactionsClient(this.txHttp);
@@ -8014,6 +8913,7 @@ var SmartEngineClient = class _SmartEngineClient {
     this.historicalBalance = HistoricalBalanceClient.fromHttp(this.http);
     this.settlement = new SettlementClient(this.http);
     this.governance = new GovernanceClient(this.http);
+    this.dao = new DaoClient(this.http);
     this.personhood = new PersonhoodClient(this.http);
     const rootHttp = createHttpClient({
       baseUrl: this.baseUrl,
@@ -8023,6 +8923,12 @@ var SmartEngineClient = class _SmartEngineClient {
     });
     this.agents = new AgentsClient(rootHttp);
     this.deployments = new DeploymentClient(rootHttp);
+    this.bridge = new BridgeClient(this.http);
+    this.resources = new ResourcesClient(this.http);
+    this.envelope = new EnvelopeClient(this.http);
+    this.tokens = new TokensClient(this.http);
+    this.operator = new OperatorClient(this.http);
+    this.discovery = new DiscoveryClient(this.http);
   }
   /**
    * Build a `SmartEngineClient` from a plain env object. Reads:
@@ -8238,7 +9144,19 @@ var SmartEngineClient = class _SmartEngineClient {
     const validated = MintTokenRequestSchema.parse(request);
     return this.http.post("/tokens/mint", validated);
   }
-  /** Get token information */
+  /**
+   * Get token information.
+   *
+   * Route `GET /api/v3/tokens/:chain/:tokenId` is registered twice on the
+   * validator: by `ValidatorController` at
+   * `apps/smart-validator/src/validator.controller.ts:497` and by
+   * `TokenMigrationController` at
+   * `apps/smart-validator/src/token-migration/token-migration.controller.ts:173`.
+   * Nest resolves routes in `controllers: [...]` order — `ValidatorController`
+   * is registered first (`apps/smart-validator/src/smart-validator.module.ts:1222`),
+   * so `multiChain.getTokenInfo(chain, tokenId)` wins and the
+   * token-migration handler is unreachable via this path.
+   */
   async getTokenInfo(chain, tokenId) {
     return this.http.get(`/tokens/${encodePathParam(chain)}/${encodePathParam(tokenId)}`);
   }
@@ -8386,47 +9304,56 @@ var RoutingClient = class {
     this.http = http;
   }
   http;
-  /** Register a new host */
+  /**
+   * Register a new host. The server validates the payload via Zod (appId
+   * pattern, IP/hostname format, port range) and kicks off async
+   * verification. Response includes the registered host plus a status
+   * message about verification.
+   */
   async registerHost(request) {
     return this.http.post("/routing/hosts", request);
   }
-  /** Unregister a host */
+  /** Unregister a host. */
   async unregisterHost(hostId) {
     return this.http.delete(`/routing/hosts/${encodeURIComponent(hostId)}`);
   }
-  /** Get all registered hosts */
+  /** Get all registered hosts. */
   async getAllHosts() {
     return this.http.get("/routing/hosts");
   }
-  /** Get only verified hosts */
+  /** Get only verified hosts. */
   async getVerifiedHosts() {
     return this.http.get("/routing/hosts/verified");
   }
-  /** Get a specific host by ID */
+  /** Get a specific host by ID. */
   async getHost(hostId) {
     return this.http.get(`/routing/hosts/${encodeURIComponent(hostId)}`);
   }
-  /** Verify a host */
+  /** Trigger host re-verification. */
   async verifyHost(hostId) {
     return this.http.post(`/routing/hosts/${encodeURIComponent(hostId)}/verify`, {});
   }
-  /** Set routing configuration for an app */
+  /** Set routing configuration for an app. */
   async setRoutingConfig(appId, config) {
     return this.http.put(`/routing/config/${encodeURIComponent(appId)}`, config);
   }
-  /** Get routing configuration for an app */
+  /** Get routing configuration for an app. */
   async getRoutingConfig(appId) {
     return this.http.get(`/routing/config/${encodeURIComponent(appId)}`);
   }
-  /** Proxy a request through the gateway */
+  /** Proxy a request through the gateway. */
   async proxyRequest(request) {
     return this.http.post("/routing/proxy", request);
   }
-  /** Get routing statistics */
+  /** Get routing statistics. */
   async getStats() {
     return this.http.get("/routing/stats");
   }
-  /** Map a domain to an application */
+  /**
+   * Map a domain/subdomain to an application for hostname-based routing.
+   * The server returns `{ domain, appId, message }` — there is no `success`
+   * field; treat `appId` as the success signal.
+   */
   async mapDomainToApp(domain, appId) {
     return this.http.post(`/routing/domains/${encodeURIComponent(domain)}/map`, { appId });
   }
@@ -8455,7 +9382,11 @@ var DomainsClient = class {
     const params = owner ? `?owner=${encodeURIComponent(owner)}` : "";
     return this.http.get(`/domains${params}`);
   }
-  /** Generate a verification token */
+  /**
+   * Generate a verification token. Server accepts one of `dns-txt`,
+   * `dns-cname`, `http-file`, `email` (see controller Swagger enum at
+   * `apps/smart-gateway/src/domains/domains.controller.ts:226-234`).
+   */
   async generateVerificationToken(domain, method) {
     return this.http.post(`/domains/${encodeURIComponent(domain)}/verification`, { method });
   }
@@ -8571,6 +9502,23 @@ var DnsClient = class {
   }
 };
 
+// src/gateway/health/index.ts
+var HealthClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /**
+   * Per-cluster aggregate health probe. Wraps
+   * `GET /api/v3/cluster/health` — see
+   * `apps/smart-gateway/src/health/health.controller.ts:213-263`. Returns
+   * local validator + host + genesis state in a single payload.
+   */
+  async getCluster() {
+    return this.http.get("/cluster/health");
+  }
+};
+
 // src/gateway/client.ts
 var SmartGatewayClient = class {
   http;
@@ -8580,6 +9528,8 @@ var SmartGatewayClient = class {
   domains;
   /** DNS resolution and zone management */
   dns;
+  /** Per-cluster aggregate health probe (validator + host + genesis state) */
+  health;
   constructor(config) {
     const baseUrl = config.baseUrl.replace(/\/+$/, "");
     this.http = createHttpClient({
@@ -8591,30 +9541,41 @@ var SmartGatewayClient = class {
     this.routing = new RoutingClient(this.http);
     this.domains = new DomainsClient(this.http);
     this.dns = new DnsClient(this.http);
+    this.health = new HealthClient(this.http);
   }
   // ========== Health & Metrics ==========
-  /** Get gateway health status */
+  /** Get gateway-only health status (binary `status: 'ok'` snapshot). */
   async getHealth() {
     return this.http.get("/health");
   }
-  /** Get gateway status with host and domain counts */
+  /**
+   * Get detailed gateway status — `subsystems` tree (dns/routing/verification)
+   * plus the operating `mode` snapshot. Aggregated counts live on `getMetrics()`.
+   */
   async getStatus() {
     return this.http.get("/status");
   }
-  /** Check gateway readiness */
+  /**
+   * Check gateway readiness. Returns either `{ status: 'ready', ... }` with
+   * a verified host count or `{ status: 'not_ready', reason, ... }`.
+   */
   async getReadiness() {
     return this.http.get("/ready");
   }
-  /** Check gateway liveness */
+  /** Check gateway liveness. */
   async getLiveness() {
     return this.http.get("/live");
   }
-  /** Get detailed gateway metrics */
+  /**
+   * Get aggregated network metrics across all clusters — per-cluster health,
+   * chain connectivity, gateway counts, and genesis state. Server caches the
+   * payload (default 30s); pass `refresh=true` to force a fresh fetch.
+   */
   async getMetrics(refresh) {
     const params = refresh ? "?refresh=true" : "";
     return this.http.get(`/metrics${params}`);
   }
-  /** Get metrics summary */
+  /** Get lightweight network summary (status-badge-friendly). */
   async getMetricsSummary() {
     return this.http.get("/metrics/summary");
   }
@@ -9187,11 +10148,37 @@ var DatabaseClient = class {
     );
   }
   /**
-   * List collections for the app
+   * List collections for the app.
+   *
+   * Server route is `/api/db/:appId/collections`
+   * (`database.controller.ts:106`). The previous bare-`:appId` GET 404'd
+   * — Nest reserves that pattern for the document-find router below.
    */
   async listCollections() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodeURIComponent(appId)}`);
+    return this.http.get(`/api/db/${encodeURIComponent(appId)}/collections`);
+  }
+  /**
+   * Create a new collection in the database.
+   *
+   * Server returns `{ success: true; collection: string }`
+   * (`database.controller.ts:96`).
+   */
+  async createCollection(name) {
+    const appId = this.getAppId();
+    return this.http.post(`/api/db/${encodeURIComponent(appId)}/collections`, { name });
+  }
+  /**
+   * Drop a collection and all its documents.
+   *
+   * Server returns `{ success: true }`
+   * (`database.controller.ts:133`).
+   */
+  async dropCollection(name) {
+    const appId = this.getAppId();
+    return this.http.delete(
+      `/api/db/${encodeURIComponent(appId)}/collections/${encodeURIComponent(name)}`
+    );
   }
   // ========== State Proofs ==========
   /**
@@ -9252,13 +10239,15 @@ var StorageClient = class {
    * Download a file by CID
    */
   async download(cid) {
-    return this.http.get(`/api/storage/download/${encodeURIComponent(cid)}`);
+    const appId = this.getAppId();
+    return this.http.get(`/api/storage/${encodeURIComponent(appId)}/download/${encodeURIComponent(cid)}`);
   }
   /**
    * Get file metadata
    */
   async getMetadata(cid) {
-    return this.http.get(`/api/storage/metadata/${encodeURIComponent(cid)}`);
+    const appId = this.getAppId();
+    return this.http.get(`/api/storage/${encodeURIComponent(appId)}/metadata/${encodeURIComponent(cid)}`);
   }
   /**
    * Delete a file
@@ -9268,20 +10257,29 @@ var StorageClient = class {
     return this.http.delete(`/api/storage/${encodeURIComponent(appId)}/${encodeURIComponent(cid)}`);
   }
   /**
-   * Get file info
+   * Get file info.
+   *
+   * @deprecated The smart-host storage controller does not expose a
+   * bare-CID metadata route — every metadata lookup must go through
+   * `getMetadata(cid)` (`/api/storage/:appId/metadata/:cid`) or the
+   * stream body via `download(cid)`. This alias forwards to `download`
+   * for back-compat; remove in the next major SDK release.
    */
   async getFile(cid) {
-    const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodeURIComponent(appId)}/${encodeURIComponent(cid)}`);
+    return this.download(cid);
   }
   /**
    * List all files for the app
+   *
+   * @param pagination.offset Server reads `offset`; the legacy `skip`
+   *   option was a client-only synonym that the server silently ignored.
+   *   Use `offset` going forward.
    */
   async listFiles(pagination) {
     const appId = this.getAppId();
     const params = new URLSearchParams();
     if (pagination?.limit !== void 0) params.set("limit", String(pagination.limit));
-    if (pagination?.skip !== void 0) params.set("skip", String(pagination.skip));
+    if (pagination?.offset !== void 0) params.set("offset", String(pagination.offset));
     const qs = params.toString();
     return this.http.get(`/api/storage/${encodeURIComponent(appId)}/files${qs ? `?${qs}` : ""}`);
   }
@@ -9289,13 +10287,15 @@ var StorageClient = class {
    * Get storage usage for the current app
    */
   async getUsage() {
-    return this.http.get("/api/storage/usage");
+    const appId = this.getAppId();
+    return this.http.get(`/api/storage/${encodeURIComponent(appId)}/usage`);
   }
   /**
    * Check if a file exists
    */
   async exists(cid) {
-    return this.http.get(`/api/storage/exists/${encodeURIComponent(cid)}`);
+    const appId = this.getAppId();
+    return this.http.get(`/api/storage/${encodeURIComponent(appId)}/exists/${encodeURIComponent(cid)}`);
   }
 };
 
@@ -9318,42 +10318,60 @@ var FunctionsClient = class {
    * Invoke a function
    */
   async invoke(functionId, payload) {
-    return this.http.post(`/api/functions/${encodeURIComponent(functionId)}/invoke`, payload ?? {});
+    const appId = this.getAppId();
+    return this.http.post(
+      `/api/functions/${encodeURIComponent(appId)}/${encodeURIComponent(functionId)}/invoke`,
+      payload ?? {}
+    );
   }
   /**
-   * List all functions
+   * List all functions for the current app
    */
   async list() {
-    return this.http.get("/api/functions");
+    const appId = this.getAppId();
+    return this.http.get(`/api/functions/${encodeURIComponent(appId)}`);
   }
   /**
    * Get function details
    */
   async get(functionId) {
-    return this.http.get(`/api/functions/${encodeURIComponent(functionId)}`);
+    const appId = this.getAppId();
+    return this.http.get(
+      `/api/functions/${encodeURIComponent(appId)}/${encodeURIComponent(functionId)}`
+    );
   }
   /**
    * Update a function
    */
   async update(functionId, updates) {
-    return this.http.put(`/api/functions/${encodeURIComponent(functionId)}`, updates);
+    const appId = this.getAppId();
+    return this.http.put(
+      `/api/functions/${encodeURIComponent(appId)}/${encodeURIComponent(functionId)}`,
+      updates
+    );
   }
   /**
    * Delete a function
    */
   async delete(functionId) {
-    return this.http.delete(`/api/functions/${encodeURIComponent(functionId)}`);
+    const appId = this.getAppId();
+    return this.http.delete(
+      `/api/functions/${encodeURIComponent(appId)}/${encodeURIComponent(functionId)}`
+    );
   }
   /**
    * Get function execution logs
    */
   async getLogs(functionId, options) {
+    const appId = this.getAppId();
     const params = new URLSearchParams();
     if (options?.limit !== void 0) params.set("limit", String(options.limit));
     if (options?.startTime) params.set("startTime", options.startTime);
     if (options?.level) params.set("level", options.level);
     const qs = params.toString();
-    return this.http.get(`/api/functions/${encodeURIComponent(functionId)}/logs${qs ? `?${qs}` : ""}`);
+    return this.http.get(
+      `/api/functions/${encodeURIComponent(appId)}/${encodeURIComponent(functionId)}/logs${qs ? `?${qs}` : ""}`
+    );
   }
   /**
    * Get function statistics for an app
@@ -9425,25 +10443,43 @@ var MessagingClient = class {
     );
   }
   /**
-   * Set presence for a member
+   * Set presence for a member in a channel.
+   *
+   * BREAKING CHANGE (SDK 3.3.0): presence is channel-scoped on the server
+   * (`messaging.controller.ts:312`). Previous signature
+   * `setPresence(member)` hit a non-existent appId-scoped route and 404'd
+   * in production. The channel is now the first argument.
    */
-  async setPresence(member) {
+  async setPresence(channel, member) {
     const appId = this.getAppId();
-    return this.http.post(`/api/messaging/${encodeURIComponent(appId)}/presence`, member);
+    return this.http.post(
+      `/api/messaging/${encodeURIComponent(appId)}/channels/${encodeURIComponent(channel)}/presence`,
+      member
+    );
   }
   /**
-   * Remove presence for a member
+   * Remove a member's presence from a channel.
+   *
+   * BREAKING CHANGE (SDK 3.3.0): server route is
+   * `/api/messaging/:appId/channels/:channel/presence/:clientId`
+   * (`messaging.controller.ts:352`). `channel` is now the first arg and
+   * `clientId` (not `memberId`) the second — they're the same identifier
+   * but renamed to match the server param.
    */
-  async removePresence(memberId) {
+  async removePresence(channel, clientId) {
     const appId = this.getAppId();
-    return this.http.delete(`/api/messaging/${encodeURIComponent(appId)}/presence/${encodeURIComponent(memberId)}`);
+    return this.http.delete(
+      `/api/messaging/${encodeURIComponent(appId)}/channels/${encodeURIComponent(channel)}/presence/${encodeURIComponent(clientId)}`
+    );
   }
   /**
    * Get presence info for a channel
    */
   async getPresence(channel) {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodeURIComponent(appId)}/presence/${encodeURIComponent(channel)}`);
+    return this.http.get(
+      `/api/messaging/${encodeURIComponent(appId)}/channels/${encodeURIComponent(channel)}/presence`
+    );
   }
   /**
    * Get messaging statistics
@@ -10068,40 +11104,429 @@ async function verifyPqcAttestation(cert, payload, registrySnapshot) {
   };
 }
 
-// src/rules/builders/base-builder.ts
-var RuleBuildError = class extends Error {
-  errors;
-  constructor(message, errors) {
-    super(message);
-    this.name = "RuleBuildError";
-    this.errors = errors;
-  }
+// src/pqc-verify-envelope/index.ts
+var pqc_verify_envelope_exports = {};
+__export(pqc_verify_envelope_exports, {
+  KYBER_MIN_TIMESTAMP_MS: () => KYBER_MIN_TIMESTAMP_MS,
+  validateEnvelopeSchema: () => validateEnvelopeSchema,
+  verifyPqcEnvelope: () => verifyPqcEnvelope
+});
+
+// src/pqc-verify-envelope/envelope-schema-validator.ts
+var KEM_CT_LEN = {
+  "ml-kem-768": 1088,
+  "ml-kem-1024": 1568
 };
-var BaseRuleBuilder = class {
-  state;
-  constructor(type, initial) {
-    this.state = initial ?? {};
-    this.state.version = "3.0";
-    this.state.type = type;
-    this.state.created = (/* @__PURE__ */ new Date()).toISOString();
-    if (!this.state.defaultSecurity) this.state.defaultSecurity = "full";
-    if (!this.state.defaultController) this.state.defaultController = "owner";
+var AES_IV_LEN = 12;
+var AES_TAG_LEN = 16;
+var KDF_SALT_LEN = 16;
+function tryDecodeBase64(s) {
+  if (typeof s !== "string" || s.length === 0) return null;
+  try {
+    const buf = Buffer.from(s, "base64");
+    if (buf.toString("base64").replace(/=+$/, "") !== s.replace(/=+$/, "")) {
+      return null;
+    }
+    return new Uint8Array(buf);
+  } catch {
+    return null;
   }
-  withSecurity(mode) {
-    this.state.defaultSecurity = mode;
-    return this;
+}
+function isString(v) {
+  return typeof v === "string";
+}
+function isNonEmptyString(v) {
+  return typeof v === "string" && v.length > 0;
+}
+function isFiniteNumber(v) {
+  return typeof v === "number" && Number.isFinite(v);
+}
+function isPlainObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function validateEnvelopeSchema(envelope) {
+  if (!isPlainObject(envelope)) {
+    return { ok: false, reason: "envelope must be a JSON object" };
   }
-  withController(controller) {
-    this.state.defaultController = controller;
-    return this;
+  const version = envelope.version;
+  if (version === "kyber-aes-v1") {
+    return validateKyberAesV1(envelope);
   }
-  withGovernance(governance) {
-    this.state.governance = governance;
-    return this;
+  if (version === "aes-v0") {
+    return validateAesV0(envelope);
   }
-  withTokenGates(tokenGates) {
-    this.state.tokenGates = tokenGates;
-    return this;
+  return {
+    ok: false,
+    reason: `unknown envelope version: ${JSON.stringify(version)}`
+  };
+}
+function validateKyberAesV1(env) {
+  const kemAlgorithm = env.kemAlgorithm;
+  if (kemAlgorithm !== "ml-kem-768" && kemAlgorithm !== "ml-kem-1024") {
+    return {
+      ok: false,
+      reason: `kemAlgorithm must be 'ml-kem-768' or 'ml-kem-1024'`
+    };
+  }
+  if (!isNonEmptyString(env.kemCiphertext)) {
+    return { ok: false, reason: "kemCiphertext must be a non-empty base64 string" };
+  }
+  const kemCtBytes = tryDecodeBase64(env.kemCiphertext);
+  if (!kemCtBytes) {
+    return { ok: false, reason: "kemCiphertext is not valid base64" };
+  }
+  const expectedKemLen = KEM_CT_LEN[kemAlgorithm];
+  if (kemCtBytes.length !== expectedKemLen) {
+    return {
+      ok: false,
+      reason: `kemCiphertext length ${kemCtBytes.length} != expected ${expectedKemLen} for ${kemAlgorithm}`
+    };
+  }
+  if (!isString(env.recipientPkFingerprint) || !/^[0-9a-f]{32}$/i.test(env.recipientPkFingerprint)) {
+    return {
+      ok: false,
+      reason: "recipientPkFingerprint must be a 32-char hex string (16-byte sha384 prefix)"
+    };
+  }
+  if (env.aesAlgorithm !== "aes-256-gcm") {
+    return { ok: false, reason: `aesAlgorithm must be 'aes-256-gcm'` };
+  }
+  if (!isNonEmptyString(env.aesIv)) {
+    return { ok: false, reason: "aesIv must be a non-empty base64 string" };
+  }
+  const ivBytes = tryDecodeBase64(env.aesIv);
+  if (!ivBytes) return { ok: false, reason: "aesIv is not valid base64" };
+  if (ivBytes.length !== AES_IV_LEN) {
+    return {
+      ok: false,
+      reason: `aesIv length ${ivBytes.length} != expected ${AES_IV_LEN} (AES-GCM 96-bit nonce)`
+    };
+  }
+  if (typeof env.aesCiphertext !== "string") {
+    return { ok: false, reason: "aesCiphertext must be a base64 string" };
+  }
+  if (env.aesCiphertext.length > 0) {
+    const ctBytes = tryDecodeBase64(env.aesCiphertext);
+    if (!ctBytes) return { ok: false, reason: "aesCiphertext is not valid base64" };
+  }
+  if (!isNonEmptyString(env.aesAuthTag)) {
+    return { ok: false, reason: "aesAuthTag must be a non-empty base64 string" };
+  }
+  const tagBytes = tryDecodeBase64(env.aesAuthTag);
+  if (!tagBytes) return { ok: false, reason: "aesAuthTag is not valid base64" };
+  if (tagBytes.length !== AES_TAG_LEN) {
+    return {
+      ok: false,
+      reason: `aesAuthTag length ${tagBytes.length} != expected ${AES_TAG_LEN} (AES-GCM 128-bit tag)`
+    };
+  }
+  if (env.kdfAlgorithm !== "hkdf-sha384") {
+    return { ok: false, reason: `kdfAlgorithm must be 'hkdf-sha384'` };
+  }
+  if (!isNonEmptyString(env.kdfSalt)) {
+    return { ok: false, reason: "kdfSalt must be a non-empty base64 string" };
+  }
+  const saltBytes = tryDecodeBase64(env.kdfSalt);
+  if (!saltBytes) return { ok: false, reason: "kdfSalt is not valid base64" };
+  if (saltBytes.length !== KDF_SALT_LEN) {
+    return {
+      ok: false,
+      reason: `kdfSalt length ${saltBytes.length} != expected ${KDF_SALT_LEN}`
+    };
+  }
+  if (!isNonEmptyString(env.kdfLabel)) {
+    return { ok: false, reason: "kdfLabel must be a non-empty string" };
+  }
+  if (env.kdfLabel.length > 256) {
+    return {
+      ok: false,
+      reason: `kdfLabel length ${env.kdfLabel.length} exceeds 256-char limit`
+    };
+  }
+  if (!isFiniteNumber(env.encryptedAt)) {
+    return { ok: false, reason: "encryptedAt must be a finite number (millis epoch)" };
+  }
+  return { ok: true, version: "kyber-aes-v1" };
+}
+function validateAesV0(env) {
+  if (!isNonEmptyString(env.aesIv)) {
+    return { ok: false, reason: "aesIv must be a non-empty base64 string" };
+  }
+  const ivBytes = tryDecodeBase64(env.aesIv);
+  if (!ivBytes) return { ok: false, reason: "aesIv is not valid base64" };
+  if (ivBytes.length !== AES_IV_LEN) {
+    return {
+      ok: false,
+      reason: `aesIv length ${ivBytes.length} != expected ${AES_IV_LEN} (AES-GCM 96-bit nonce)`
+    };
+  }
+  if (typeof env.aesCiphertext !== "string") {
+    return { ok: false, reason: "aesCiphertext must be a base64 string" };
+  }
+  if (env.aesCiphertext.length > 0) {
+    const ctBytes = tryDecodeBase64(env.aesCiphertext);
+    if (!ctBytes) return { ok: false, reason: "aesCiphertext is not valid base64" };
+  }
+  if (!isNonEmptyString(env.aesAuthTag)) {
+    return { ok: false, reason: "aesAuthTag must be a non-empty base64 string" };
+  }
+  const tagBytes = tryDecodeBase64(env.aesAuthTag);
+  if (!tagBytes) return { ok: false, reason: "aesAuthTag is not valid base64" };
+  if (tagBytes.length !== AES_TAG_LEN) {
+    return {
+      ok: false,
+      reason: `aesAuthTag length ${tagBytes.length} != expected ${AES_TAG_LEN} (AES-GCM 128-bit tag)`
+    };
+  }
+  return { ok: true, version: "aes-v0" };
+}
+
+// src/pqc-verify-envelope/verify-pqc-envelope.ts
+var KYBER_MIN_TIMESTAMP_MS = 17040672e5;
+async function verifyPqcEnvelope(envelope, options = {}) {
+  const schema = validateEnvelopeSchema(envelope);
+  if (!schema.ok) {
+    return {
+      valid: false,
+      reason: `schema-invalid: ${schema.reason}`,
+      details: { schemaValid: false, base64Valid: false, timestampPlausible: false }
+    };
+  }
+  const env = envelope;
+  const version = schema.version;
+  const details = {
+    version,
+    schemaValid: true,
+    base64Valid: true,
+    // computed below for kyber-aes-v1; legacy has no encryptedAt so treat as plausible.
+    timestampPlausible: true
+  };
+  if (version === "kyber-aes-v1") {
+    details.kemAlgorithm = env.kemAlgorithm;
+    details.recipientPkFingerprint = env.recipientPkFingerprint;
+    details.kdfLabel = env.kdfLabel;
+    details.encryptedAt = env.encryptedAt;
+    const minTs = options.minTimestamp ?? KYBER_MIN_TIMESTAMP_MS;
+    const maxTs = options.maxTimestamp ?? Date.now();
+    const ts = details.encryptedAt;
+    if (ts < minTs) {
+      details.timestampPlausible = false;
+      return {
+        valid: false,
+        reason: `timestamp-before-minimum: encryptedAt=${ts} < min=${minTs}`,
+        details
+      };
+    }
+    if (ts > maxTs) {
+      details.timestampPlausible = false;
+      return {
+        valid: false,
+        reason: `timestamp-in-future: encryptedAt=${ts} > max=${maxTs}`,
+        details
+      };
+    }
+    if (options.expectedLabel !== void 0) {
+      if (details.kdfLabel !== options.expectedLabel) {
+        return {
+          valid: false,
+          reason: `label-mismatch: expected='${options.expectedLabel}' actual='${details.kdfLabel}'`,
+          details
+        };
+      }
+    }
+    if (options.expectedRecipientPkFingerprint !== void 0) {
+      const a = (details.recipientPkFingerprint ?? "").toLowerCase();
+      const b = options.expectedRecipientPkFingerprint.toLowerCase();
+      if (a !== b) {
+        return {
+          valid: false,
+          reason: `recipient-pk-fingerprint-mismatch: expected='${b}' actual='${a}'`,
+          details
+        };
+      }
+    }
+  }
+  return { valid: true, version, details };
+}
+
+// src/rules/atoms/index.ts
+var atom = {
+  timeRange: (cfg) => ({
+    inclusive: true,
+    timezone: "UTC",
+    ...cfg
+  }),
+  limits: (cfg) => ({
+    decimals: 0,
+    inclusive: true,
+    ...cfg
+  }),
+  permissionList: (cfg) => ({
+    mode: "whitelist",
+    controller: "owner",
+    allowSelfAdd: false,
+    allowWildcards: false,
+    requiredScope: "execute",
+    entries: [],
+    ...cfg
+  }),
+  rateLimiter: (cfg) => ({
+    strategy: "all",
+    includeCurrentOperation: true,
+    ...cfg
+  }),
+  cooldown: (cfg) => ({ ...cfg }),
+  approvalThreshold: (cfg) => ({
+    decimals: 0,
+    ...cfg
+  }),
+  approvedPairs: (cfg) => ({
+    strictMode: true,
+    ...cfg
+  }),
+  tradeLimit: (cfg) => ({
+    periodMs: 864e5,
+    decimals: 0,
+    ...cfg
+  }),
+  snapshot: (cfg) => ({
+    validationMode: "minimum",
+    ...cfg
+  }),
+  cronSchedule: (cfg) => ({
+    allowOutsideSchedule: false,
+    toleranceMs: 0,
+    ...cfg
+  }),
+  countApproval: (cfg) => ({
+    maxCount: 0,
+    allowDuplicates: false,
+    maxApprovalAgeSec: 0,
+    allowSelfApproval: false,
+    ...cfg
+  }),
+  externalEvidence: (cfg) => ({
+    requiredSignatures: 1,
+    maxEvidenceAgeSec: 3600,
+    verifyPayloadHash: true,
+    ...cfg
+  }),
+  fieldValues: (cfg) => ({
+    requireAll: true,
+    ...cfg,
+    constraints: cfg.constraints.map((c) => ({
+      caseInsensitive: false,
+      denyMode: false,
+      ...c
+    }))
+  }),
+  registryReference: (cfg) => ({
+    requireAll: true,
+    ...cfg,
+    references: cfg.references.map((r) => ({ required: true, ...r }))
+  }),
+  schemaValidation: (cfg) => ({
+    strict: false,
+    allErrors: true,
+    validateFormats: false,
+    errorPrefix: "Schema validation failed",
+    removeAdditional: false,
+    useDefaults: false,
+    coerceTypes: false,
+    ...cfg
+  }),
+  stopLoss: (cfg) => ({ ...cfg }),
+  workflowState: (cfg) => ({
+    allowSelfTransition: false,
+    ...cfg
+  })
+};
+
+// src/rules/molecules/index.ts
+var molecule = {
+  tokenGate: (cfg) => ({
+    overallOperator: "AND",
+    allowDelegation: false,
+    ...cfg,
+    fungibles: cfg.fungibles ? { operator: "AND", ...cfg.fungibles } : void 0,
+    nonFungibles: cfg.nonFungibles ? { operator: "OR", ...cfg.nonFungibles } : void 0
+  }),
+  airdrop: (cfg) => ({
+    decimals: 0,
+    claimMethod: "manual",
+    ...cfg
+  }),
+  vesting: (cfg) => ({
+    decimals: 0,
+    cliffDurationMs: 0,
+    initialUnlockPercent: 0,
+    revocable: false,
+    returnToTreasury: true,
+    ...cfg
+  }),
+  governance: (cfg) => ({
+    decimals: 0,
+    votingPowerMethod: "token_balance",
+    quorumPercent: 10,
+    approvalThresholdPercent: 50,
+    timeLockMs: 0,
+    allowDelegation: true,
+    allowVoteChange: false,
+    maxActiveProposalsPerAccount: 3,
+    proposalCooldownMs: 0,
+    ...cfg
+  }),
+  streaming: (cfg) => ({
+    decimals: 0,
+    type: "linear",
+    cancellable: true,
+    pausable: false,
+    cancelController: "sender",
+    cliffDurationMs: 0,
+    autoTopUp: false,
+    ...cfg
+  }),
+  swap: (cfg = {}) => ({
+    type: "atomic",
+    requireAtomicity: true,
+    ...cfg
+  })
+};
+
+// src/rules/builders/base-builder.ts
+var RuleBuildError = class extends Error {
+  errors;
+  constructor(message, errors) {
+    super(message);
+    this.name = "RuleBuildError";
+    this.errors = errors;
+  }
+};
+var BaseRuleBuilder = class {
+  state;
+  constructor(type, initial) {
+    this.state = initial ?? {};
+    this.state.version = "3.0";
+    this.state.type = type;
+    this.state.created = (/* @__PURE__ */ new Date()).toISOString();
+    if (!this.state.defaultSecurity) this.state.defaultSecurity = "full";
+    if (!this.state.defaultController) this.state.defaultController = "owner";
+  }
+  withSecurity(mode) {
+    this.state.defaultSecurity = mode;
+    return this;
+  }
+  withController(controller) {
+    this.state.defaultController = controller;
+    return this;
+  }
+  withGovernance(governance) {
+    this.state.governance = governance;
+    return this;
+  }
+  withTokenGates(tokenGates) {
+    this.state.tokenGates = tokenGates;
+    return this;
   }
   withTimeRange(timeRange) {
     this.state.timeRange = timeRange;
@@ -10124,6 +11549,108 @@ var BaseRuleBuilder = class {
     this.state.invariants = invariants;
     return this;
   }
+  // ────────────────────────────────────────────────────────────────────────
+  // PR F — first-class atom/molecule shortcuts (all arms)
+  //
+  // Each shortcut wraps the atom/molecule config as a canonical `ModuleEntry`
+  // (lowercase-hyphenated type + `1.0.0` semver) and appends it to `modules`.
+  // The cluster's organism registry maps `type → schema` at runtime; unknown
+  // types fail-closed. These methods exist so smart-app authors can compose
+  // atoms/molecules without hand-rolling `ModuleEntry` envelopes.
+  // ────────────────────────────────────────────────────────────────────────
+  /** Attach a per-tx + period + lifetime LimitsAtom config as a module. */
+  withLimits(limits) {
+    return this.addModule({
+      type: "limits",
+      version: "1.0.0",
+      config: atom.limits(limits)
+    });
+  }
+  /** Attach an operation-per-window RateLimiterAtom config as a module. */
+  withRateLimiter(rateLimiter) {
+    return this.addModule({
+      type: "rate-limiter",
+      version: "1.0.0",
+      config: atom.rateLimiter(rateLimiter)
+    });
+  }
+  /** Attach a pinned-state SnapshotAtom config as a module. */
+  withSnapshot(snapshot) {
+    return this.addModule({
+      type: "snapshot",
+      version: "1.0.0",
+      config: atom.snapshot(snapshot)
+    });
+  }
+  /** Attach a swap-molecule config as a module (atomic / pool / order / OTC). */
+  withSwap(swap = {}) {
+    return this.addModule({
+      type: "swap",
+      version: "1.0.0",
+      config: molecule.swap(swap)
+    });
+  }
+  /** Attach an airdrop-molecule config as a module. */
+  withAirdrop(airdrop) {
+    return this.addModule({
+      type: "airdrop",
+      version: "1.0.0",
+      config: molecule.airdrop(airdrop)
+    });
+  }
+  /** Attach a vesting-molecule config as a module (beneficiary-scoped lockup). */
+  withVesting(vesting) {
+    return this.addModule({
+      type: "vesting",
+      version: "1.0.0",
+      config: molecule.vesting(vesting)
+    });
+  }
+  /** Attach a streaming-molecule config as a module (continuous payment). */
+  withStreaming(streaming) {
+    return this.addModule({
+      type: "streaming",
+      version: "1.0.0",
+      config: molecule.streaming(streaming)
+    });
+  }
+  /**
+   * Attach a rich `GovernanceMoleculeConfig` as a module. Distinct from
+   * `withGovernance(GovernanceConfig)` — that one sets the canonical top-level
+   * governance field (DAO token + quorum/timelock/threshold). The molecule
+   * variant exposes the full proposal-lifecycle config (delegation, veto
+   * council, voting eligibility, etc.).
+   */
+  withGovernanceModule(governance) {
+    return this.addModule({
+      type: "governance",
+      version: "1.0.0",
+      config: molecule.governance(governance)
+    });
+  }
+  /**
+   * Attach a CooldownAtom config as a module. Token/account/topic arms only —
+   * the agent arm carries `cooldown` as a first-class canonical field.
+   */
+  withCooldown(cooldown) {
+    return this.addModule({
+      type: "cooldown",
+      version: "1.0.0",
+      config: atom.cooldown(cooldown)
+    });
+  }
+  /**
+   * Attach an ApprovalThresholdAtom config as a module. Token/account/topic
+   * arms only — the agent arm carries `approvalThreshold` as a first-class
+   * canonical field.
+   */
+  withApprovalThreshold(threshold) {
+    return this.addModule({
+      type: "approval-threshold",
+      version: "1.0.0",
+      config: atom.approvalThreshold(threshold)
+    });
+  }
   /** Validate + return the typed, schema-conformant rule. Throws on invalid. */
   build() {
     const result = this.schema().safeParse(this.state);
@@ -10635,6 +12162,42 @@ var AgentRulesBuilder = class extends BaseRuleBuilder {
     this.state.allocationLimits = allocationLimits;
     return this;
   }
+  // ────────────────────────────────────────────────────────────────────────
+  // PR F — Phase-6.6 AI atom shortcuts
+  //
+  // `MaxTradesPerWindow` and `RequireStructuredOutput` are optional atoms
+  // (NOT registered as builtin organism modules) wired in the AI-inference
+  // path of the smart-app's BaaS function. Attached here as canonical
+  // `ModuleEntry`s so they ship inside the published rule and the cluster's
+  // canonical evaluator can dispatch them.
+  //
+  // Atom sources:
+  //   libs/rules-engine/src/atoms/max-trades-per-window.atom.ts
+  //   libs/rules-engine/src/atoms/require-structured-output.atom.ts
+  // ────────────────────────────────────────────────────────────────────────
+  /**
+   * Cap the agent at `maxTradesPerWindow` trades within a rolling `windowMs`
+   * window. Count-based — orthogonal to `withTradeLimits` which is amount-based.
+   */
+  withMaxTradesPerWindow(config) {
+    return this.addModule({
+      type: "max-trades-per-window",
+      version: "1.0.0",
+      config: { ...config }
+    });
+  }
+  /**
+   * Pre-filter LLM responses against a JSON Schema (compiled by the cluster's
+   * SchemaResolver via Ajv) before they are submitted to the agent's trade
+   * endpoint. `outputName` is included in failure reasons for log triage.
+   */
+  withRequireStructuredOutput(config = {}) {
+    return this.addModule({
+      type: "require-structured-output",
+      version: "1.0.0",
+      config: { outputName: config.outputName ?? "LLM output" }
+    });
+  }
 };
 function forAgent() {
   return new AgentRulesBuilder();
@@ -10666,150 +12229,6 @@ function validate(rule) {
   };
 }
 
-// src/rules/atoms/index.ts
-var atom = {
-  timeRange: (cfg) => ({
-    inclusive: true,
-    timezone: "UTC",
-    ...cfg
-  }),
-  limits: (cfg) => ({
-    decimals: 0,
-    inclusive: true,
-    ...cfg
-  }),
-  permissionList: (cfg) => ({
-    mode: "whitelist",
-    controller: "owner",
-    allowSelfAdd: false,
-    allowWildcards: false,
-    requiredScope: "execute",
-    entries: [],
-    ...cfg
-  }),
-  rateLimiter: (cfg) => ({
-    strategy: "all",
-    includeCurrentOperation: true,
-    ...cfg
-  }),
-  cooldown: (cfg) => ({ ...cfg }),
-  approvalThreshold: (cfg) => ({
-    decimals: 0,
-    ...cfg
-  }),
-  approvedPairs: (cfg) => ({
-    strictMode: true,
-    ...cfg
-  }),
-  tradeLimit: (cfg) => ({
-    periodMs: 864e5,
-    decimals: 0,
-    ...cfg
-  }),
-  snapshot: (cfg) => ({
-    validationMode: "minimum",
-    ...cfg
-  }),
-  cronSchedule: (cfg) => ({
-    allowOutsideSchedule: false,
-    toleranceMs: 0,
-    ...cfg
-  }),
-  countApproval: (cfg) => ({
-    maxCount: 0,
-    allowDuplicates: false,
-    maxApprovalAgeSec: 0,
-    allowSelfApproval: false,
-    ...cfg
-  }),
-  externalEvidence: (cfg) => ({
-    requiredSignatures: 1,
-    maxEvidenceAgeSec: 3600,
-    verifyPayloadHash: true,
-    ...cfg
-  }),
-  fieldValues: (cfg) => ({
-    requireAll: true,
-    ...cfg,
-    constraints: cfg.constraints.map((c) => ({
-      caseInsensitive: false,
-      denyMode: false,
-      ...c
-    }))
-  }),
-  registryReference: (cfg) => ({
-    requireAll: true,
-    ...cfg,
-    references: cfg.references.map((r) => ({ required: true, ...r }))
-  }),
-  schemaValidation: (cfg) => ({
-    strict: false,
-    allErrors: true,
-    validateFormats: false,
-    errorPrefix: "Schema validation failed",
-    removeAdditional: false,
-    useDefaults: false,
-    coerceTypes: false,
-    ...cfg
-  }),
-  stopLoss: (cfg) => ({ ...cfg }),
-  workflowState: (cfg) => ({
-    allowSelfTransition: false,
-    ...cfg
-  })
-};
-
-// src/rules/molecules/index.ts
-var molecule = {
-  tokenGate: (cfg) => ({
-    overallOperator: "AND",
-    allowDelegation: false,
-    ...cfg,
-    fungibles: cfg.fungibles ? { operator: "AND", ...cfg.fungibles } : void 0,
-    nonFungibles: cfg.nonFungibles ? { operator: "OR", ...cfg.nonFungibles } : void 0
-  }),
-  airdrop: (cfg) => ({
-    decimals: 0,
-    claimMethod: "manual",
-    ...cfg
-  }),
-  vesting: (cfg) => ({
-    decimals: 0,
-    cliffDurationMs: 0,
-    initialUnlockPercent: 0,
-    revocable: false,
-    returnToTreasury: true,
-    ...cfg
-  }),
-  governance: (cfg) => ({
-    decimals: 0,
-    votingPowerMethod: "token_balance",
-    quorumPercent: 10,
-    approvalThresholdPercent: 50,
-    timeLockMs: 0,
-    allowDelegation: true,
-    allowVoteChange: false,
-    maxActiveProposalsPerAccount: 3,
-    proposalCooldownMs: 0,
-    ...cfg
-  }),
-  streaming: (cfg) => ({
-    decimals: 0,
-    type: "linear",
-    cancellable: true,
-    pausable: false,
-    cancelController: "sender",
-    cliffDurationMs: 0,
-    autoTopUp: false,
-    ...cfg
-  }),
-  swap: (cfg = {}) => ({
-    type: "atomic",
-    requireAtomicity: true,
-    ...cfg
-  })
-};
-
 // src/rules/modules/index.ts
 function withLaunchpadDefaults(c) {
   return {
@@ -10865,12 +12284,8 @@ var module_ = {
     type: "dex",
     version: "1.0.0",
     config: withDexDefaults(config)
-  }),
-  agent: (config) => ({
-    type: "agent",
-    version: "1.0.0",
-    config
   })
+  // PR F — `agent` retired per Arc 6 Phase 6.5. Use `Rules.forAgent()` instead.
 };
 
 // src/rules/templates/index.ts
@@ -11117,6 +12532,145 @@ function tradingAgent(p) {
     threshold: p.approvalThreshold ?? "999999999"
   }).withMetadata(meta("tradingAgent", p.description)).build();
 }
+function utilityToken(p = {}) {
+  return forToken().withSecurity("full").withController("owner").withOperations({
+    mint: { enabled: true },
+    burn: { enabled: true, allowHolderBurn: true },
+    transfer: { enabled: true },
+    update: { enabled: true, allowedFields: ["memo", "feeSchedule"] },
+    pause: { enabled: true },
+    freeze: { enabled: true }
+  }).withKeys({
+    admin: { enabled: true },
+    supply: { enabled: true },
+    freeze: { enabled: true },
+    pause: { enabled: true }
+  }).withMetadata(meta("utilityToken", p.description)).build();
+}
+function daoGovernedToken(p) {
+  return forToken().withSecurity("partial").withController("dao").withOperations({
+    mint: {
+      enabled: true,
+      controller: "dao",
+      requiresApproval: true,
+      limits: { maxPerTransaction: "1000000", cooldownSeconds: 86400 }
+    },
+    burn: { enabled: true, allowHolderBurn: true },
+    transfer: { enabled: true },
+    update: {
+      enabled: true,
+      controller: "dao",
+      requiresApproval: true,
+      allowedFields: ["memo", "feeSchedule"]
+    },
+    pause: { enabled: true, controller: "dao", requiresApproval: true },
+    freeze: {
+      enabled: true,
+      controller: "dao",
+      requiresApproval: true,
+      requiresMultisig: true
+    }
+  }).withKeys({
+    admin: { enabled: true, security: "full", controller: "dao", requiresApproval: true },
+    supply: { enabled: true, security: "partial", controller: "dao", requiresApproval: true },
+    freeze: { enabled: true, security: "partial", controller: "dao", requiresApproval: true },
+    pause: { enabled: true, security: "full", controller: "dao", requiresApproval: true }
+  }).withGovernance({
+    daoTokenId: p.daoTokenId,
+    quorumPercentage: 15,
+    proposalThreshold: "1000",
+    votingPeriodSeconds: 604800,
+    timelockSeconds: 172800
+  }).withMetadata(meta("daoGovernedToken", p.description)).build();
+}
+function soulboundNft(p = {}) {
+  return forToken().withSecurity("partial").withController("dao").withOperations({
+    mint: {
+      enabled: true,
+      controller: "dao",
+      requiresApproval: true,
+      limits: { maxPerTransaction: "1" }
+    },
+    burn: { enabled: false },
+    transfer: { enabled: false },
+    update: { enabled: true, allowedFields: [] },
+    pause: { enabled: false },
+    freeze: { enabled: false }
+  }).withKeys({
+    admin: { enabled: true, security: "full", controller: "dao" },
+    supply: { enabled: true, security: "full", controller: "dao" }
+  }).withSoulbound({ enforced: true, allowedActions: ["burn"] }).withMetadata(meta("soulboundNft", p.description)).build();
+}
+function subscriptionNft(p = {}) {
+  return forToken().withSecurity("full").withController("owner").withOperations({
+    mint: { enabled: true, limits: { maxPerTransaction: "1" } },
+    burn: { enabled: true },
+    transfer: { enabled: true },
+    update: { enabled: true, allowedFields: ["memo"] },
+    pause: { enabled: true, controller: "dao", requiresApproval: true },
+    freeze: { enabled: true, controller: "dao", requiresMultisig: true }
+  }).withKeys({
+    admin: { enabled: true },
+    supply: { enabled: true },
+    freeze: { enabled: true, security: "partial", controller: "dao" },
+    pause: { enabled: true, security: "partial", controller: "dao" }
+  }).withMetadata(meta("subscriptionNft", p.description)).build();
+}
+function membershipNft(p = {}) {
+  return forToken().withSecurity("full").withController("dao").withOperations({
+    mint: {
+      enabled: true,
+      controller: "dao",
+      requiresApproval: true,
+      limits: { maxPerTransaction: "1" }
+    },
+    burn: { enabled: true, controller: "dao", requiresApproval: true },
+    transfer: { enabled: false },
+    update: { enabled: true, allowedFields: [] },
+    pause: { enabled: false },
+    freeze: { enabled: false }
+  }).withKeys({
+    admin: { enabled: true, security: "full", controller: "dao", requiresApproval: true },
+    supply: { enabled: true, security: "full", controller: "dao", requiresApproval: true }
+  }).withSoulbound({ enforced: true, allowedActions: ["burn"] }).withMetadata(meta("membershipNft", p.description)).build();
+}
+function managedAccount(p = {}) {
+  return forAccount().withSecurity("partial").withController("dao").withOperations({
+    transfer: { enabled: true, requiresKyc: true },
+    update: { enabled: true, controller: "dao", allowedFields: ["memo"] },
+    delete: { enabled: true, controller: "dao", requiresApproval: true },
+    approveAllowance: { enabled: true, controller: "dao", requiresApproval: true },
+    deleteAllowance: { enabled: true }
+  }).withKeys({
+    admin: { enabled: true, security: "partial", controller: "dao" },
+    signing: { enabled: true, security: "full", controller: "owner" }
+  }).withMetadata(meta("managedAccount", p.description)).build();
+}
+function systemTopic(p = {}) {
+  return forTopic().withSecurity("full").withController("dao").withOperations({
+    submit: {
+      enabled: true,
+      controller: "dao",
+      requiresApproval: true,
+      rateLimit: { maxMessages: 10, periodSeconds: 3600 }
+    },
+    update: { enabled: true, allowedFields: [] },
+    delete: { enabled: false }
+  }).withKeys({
+    admin: { enabled: true, security: "full", controller: "dao", requiresApproval: true },
+    submit: { enabled: true, security: "full", controller: "dao" }
+  }).withMetadata(meta("systemTopic", p.description)).build();
+}
+function appTopic(p = {}) {
+  return forTopic().withSecurity("partial").withController("owner").withOperations({
+    submit: { enabled: true, rateLimit: { maxMessages: 100, periodSeconds: 3600 } },
+    update: { enabled: true, allowedFields: ["memo"] },
+    delete: { enabled: true }
+  }).withKeys({
+    admin: { enabled: true },
+    submit: { enabled: true }
+  }).withMetadata(meta("appTopic", p.description)).build();
+}
 var template = {
   fairLaunch,
   tieredIDO,
@@ -11125,7 +12679,16 @@ var template = {
   multisigDAO,
   simpleAMM,
   vestingSchedule,
-  tradingAgent
+  tradingAgent,
+  // PR F — canonical server-mirror templates
+  utilityToken,
+  daoGovernedToken,
+  soulboundNft,
+  subscriptionNft,
+  membershipNft,
+  managedAccount,
+  systemTopic,
+  appTopic
 };
 
 // src/rules/index.ts
@@ -11190,6 +12753,7 @@ exports.BaasClient = BaasClient;
 exports.BaasError = BaasError;
 exports.BaseOperationConfigSchema = BaseOperationConfigSchema;
 exports.BaseRuleBuilder = BaseRuleBuilder;
+exports.BridgeClient = BridgeClient;
 exports.BurnOperationConfigSchema = BurnOperationConfigSchema;
 exports.CapabilityNotEnabledError = CapabilityNotEnabledError;
 exports.CapabilityValidationError = CapabilityValidationError;
@@ -11199,11 +12763,15 @@ exports.ClusterDiscoveryClient = ClusterDiscoveryClient;
 exports.CustomerSessionClient = CustomerSessionClient;
 exports.DEFAULT_CIRCUIT_BREAKER_CONFIG = DEFAULT_CIRCUIT_BREAKER_CONFIG;
 exports.DEFAULT_RETRY_CONFIG = DEFAULT_RETRY_CONFIG;
+exports.DaoClient = DaoClient;
+exports.DaoDashboardClient = DaoDashboardClient;
 exports.DatabaseClient = DatabaseClient;
 exports.DeploymentClient = DeploymentClient;
+exports.DiscoveryClient = DiscoveryClient;
 exports.DnsClient = DnsClient;
 exports.DomainsClient = DomainsClient;
 exports.EntitiesClient = EntitiesClient;
+exports.EnvelopeClient = EnvelopeClient;
 exports.ErrorCode = ErrorCode;
 exports.FeeConditionsSchema = FeeConditionsSchema;
 exports.FixedFeeConditionSchema = FixedFeeConditionSchema;
@@ -11213,11 +12781,14 @@ exports.FunctionsClient = FunctionsClient;
 exports.FungibleTokenGateSchema = FungibleTokenGateSchema;
 exports.GovernanceClient = GovernanceClient;
 exports.GovernanceConfigSchema = GovernanceConfigSchema;
+exports.HealthClient = HealthClient;
 exports.HederaTransactionsClient = HederaTransactionsClient;
+exports.HederaTssClient = HederaTssClient;
 exports.HistoricalBalanceClient = HistoricalBalanceClient;
 exports.HistoricalBalanceClientError = HistoricalBalanceClientError;
 exports.IPFSClient = IPFSClient;
 exports.KNOWN_NETWORKS = KNOWN_NETWORKS;
+exports.KYBER_MIN_TIMESTAMP_MS = KYBER_MIN_TIMESTAMP_MS;
 exports.KeyConditionSchema = KeyConditionSchema;
 exports.MIRROR_NODE_URLS = MIRROR_NODE_URLS;
 exports.MessagingClient = MessagingClient;
@@ -11228,13 +12799,16 @@ exports.ModuleEntrySchema = ModuleEntrySchema;
 exports.NonFungibleTokenGateSchema = NonFungibleTokenGateSchema;
 exports.OperationControllerSchema = OperationControllerSchema;
 exports.OperationLimitsSchema = OperationLimitsSchema;
+exports.OperatorClient = OperatorClient;
 exports.PERSONHOOD_VERIFIER_NOT_CONFIGURED = PERSONHOOD_VERIFIER_NOT_CONFIGURED;
 exports.PauseOperationConfigSchema = PauseOperationConfigSchema;
 exports.PayloadSchemaRefSchema = PayloadSchemaRefSchema;
 exports.PersonhoodClient = PersonhoodClient;
+exports.PlatformImagesClient = PlatformImagesClient;
 exports.PolkadotTransactionsClient = PolkadotTransactionsClient;
 exports.PqcCertV1Schema = PqcCertV1Schema;
 exports.RateLimiter = RateLimiter;
+exports.ResourcesClient = ResourcesClient;
 exports.RoutingClient = RoutingClient;
 exports.RoyaltyFeeConditionSchema = RoyaltyFeeConditionSchema;
 exports.RuleBuildError = RuleBuildError;
@@ -11261,6 +12835,7 @@ exports.TokenKeyConditionsSchema = TokenKeyConditionsSchema;
 exports.TokenOperationsConfigSchema = TokenOperationsConfigSchema;
 exports.TokenRulesBuilder = TokenRulesBuilder;
 exports.TokenValidatorRulesSchema = TokenValidatorRulesSchema;
+exports.TokensClient = TokensClient;
 exports.TopicKeyConditionsSchema = TopicKeyConditionsSchema;
 exports.TopicOperationsConfigSchema = TopicOperationsConfigSchema;
 exports.TopicRulesBuilder = TopicRulesBuilder;
@@ -11275,15 +12850,20 @@ exports.ValidatorDiscoveryClient = ValidatorDiscoveryClient;
 exports.ValidatorMetadataSchema = ValidatorMetadataSchema;
 exports.ValidatorRulesSchema = ValidatorRulesSchema;
 exports.XrplTransactionsClient = XrplTransactionsClient;
+exports.appTopic = appTopic;
 exports.atom = atom;
 exports.auth = auth_exports;
 exports.baas = baas_exports;
+exports.bridge = bridge_exports;
 exports.chains = chains_exports;
 exports.createHttpClient = createHttpClient;
 exports.createResilientFetchWithBreaker = createResilientFetchWithBreaker;
 exports.createXrplWeb3Signer = createXrplWeb3Signer;
+exports.dao = dao_exports;
+exports.daoGovernedToken = daoGovernedToken;
 exports.discovery = discovery_exports;
 exports.encodePathParam = encodePathParam;
+exports.envelope = envelope_exports;
 exports.fairLaunch = fairLaunch;
 exports.fetchRegistrySnapshot = fetchRegistrySnapshot;
 exports.forAccount = forAccount;
@@ -11294,25 +12874,37 @@ exports.governance = governance_exports;
 exports.isKnownNetwork = isKnownNetwork;
 exports.isPersonhoodVerifierNotConfigured = isPersonhoodVerifierNotConfigured;
 exports.isRuleRejected = isRuleRejected;
+exports.managedAccount = managedAccount;
+exports.membershipNft = membershipNft;
 exports.module_ = module_;
 exports.molecule = molecule;
 exports.multisigDAO = multisigDAO;
+exports.operator = operator_exports;
 exports.parsePqcCert = parsePqcCert;
 exports.personhood = personhood_exports;
 exports.pqcVerify = pqc_verify_exports;
+exports.pqcVerifyEnvelope = pqc_verify_envelope_exports;
 exports.resilientFetch = resilientFetch;
 exports.resolveNetwork = resolveNetwork;
+exports.resources = resources_exports;
 exports.settlement = settlement_exports;
 exports.simpleAMM = simpleAMM;
 exports.simpleStaking = simpleStaking;
+exports.soulboundNft = soulboundNft;
 exports.subscription = subscription_exports;
+exports.subscriptionNft = subscriptionNft;
+exports.systemTopic = systemTopic;
 exports.template = template;
 exports.tieredIDO = tieredIDO;
 exports.tokenDAO = tokenDAO;
+exports.tokens = tokens_exports;
 exports.tradingAgent = tradingAgent;
+exports.utilityToken = utilityToken;
 exports.validate = validate;
 exports.validateAgentRules = validateAgentRules;
+exports.validateEnvelopeSchema = validateEnvelopeSchema;
 exports.verifyPqcAttestation = verifyPqcAttestation;
+exports.verifyPqcEnvelope = verifyPqcEnvelope;
 exports.vestingSchedule = vestingSchedule;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map