@hsuite/smart-engines-sdk 3.4.1 → 3.6.0

package/CHANGELOG.md

@@ -1,5 +1,64 @@
 # Changelog
 
+## 3.5.0 — 2026-06-01
+
+**100% prod-ready arc.** Final cleanup pass after the 3.4.x publication. Closes every finding from two rounds of adversarial verification: legacy/dead-API code removed, BaaS dual-transport collapsed onto the shared HttpClient, path-traversal exposure closed via `encodePathParam` repo-wide, typed signer surfaces narrowed off `any`, test coverage taken from 62% → 90% statements / 49% → 81% branches / 64% → 85% functions / 63% → 91% lines, README + compodoc shipped, and one phantom test spec (615 lines that never imported the class it claimed to test) replaced with 43 real tests.
+
+Shipped as 4 parallel PRs (#1032 docs/compodoc, #1033 legacy cleanup, #1034 arch+security, #1036 test coverage).
+
+### Breaking changes (typed-surface only; runtime preserved)
+
+- **`BaasClientConfig.http` removed.** Field was typed as `ResilientHttpConfig` and accepted "for backward compatibility / future resilience layer integration" but was never wired at runtime — public users passing it got silently ignored. Removing the inert type closes the discrepancy. Callers passing `new BaasClient({ http: {} })` now get a TS2353 excess-property error; runtime behaviour unchanged. (#1033)
+- **`SmartEngineClientConfig.http` removed.** Same pattern as above. (#1033)
+- **`TokensClient.getDetails(chain, tokenId)` deleted.** Method was shadowed at the Nest route layer (`ValidatorController` won registration order vs `TokenMigrationController`) and never reached its declared handler. JSDoc itself said "prefer `client.getTokenInfo(...)` instead". Shipping a public method for a 404-shadowed endpoint = dead-on-arrival. (#1033)
+- **`HederaTransactionsClient` constructor now requires `tssHttp`.** The previous `tssHttp ?? http` fallback was dead in this repo (single call site always passed both args). External callers passing one arg now get "Expected 2 arguments, but got 1". (#1033)
+- **`signChallengeXRPL(wallet: XrplSigner)` narrowed**, was `wallet: any`. `XrplSigner.sign(message: string): string | { signedTransaction: string }`. Callers passing a hand-rolled `{ sign: () => Uint8Array }` no longer compile — the runtime never handled Uint8Array. (#1034)
+- **`signChallengeHedera(privateKey: HederaSigner)` narrowed**, was `privateKey: any`. Structural type matches `@hashgraph/sdk`'s PrivateKey shape without importing the peer dep. (#1034)
+
+### Security
+
+- **Path-traversal exposure closed**: replaced raw `encodeURIComponent` with the `%2F`-stripping `encodePathParam` helper across ~135 sites (collection IDs, document IDs, agent IDs, function IDs, DAO IDs, etc.). Regression test in `__tests__/path-traversal.spec.ts` feeds `'../../../etc/passwd'` style inputs and asserts the resulting URL stays sandboxed. (#1034)
+
+### Refactor
+
+- **`BaasClient` dual transport collapsed.** Top-level `BaasClient.<method>` calls (e.g., `authenticate`) used a private fetch-based `request/get/post` infra; sub-clients used the shared `HttpClient`. Now everything goes through the shared client. Auth token state moved from `this.authToken` onto `HttpClient` via the new typed `setAuthToken/getAuthToken` accessors. Every `(this.http as any).authToken` peek across the SDK removed. (#1034)
+- **`connectToCluster` bootstrap-resolution DRY'd.** ~25 lines of identical scaffolding between `SmartEngineClient.connectToCluster` and `BaasClient.connectToCluster` extracted to `discovery/resolve-cluster.ts`'s `resolveClusterEndpoint`. (#1034)
+- `StorageClient.getFile` `@deprecated` JSDoc now pins removal to **4.0.0**. Forwards to `download(cid)` until then. (#1033)
+- `SupportedChain` alias inlined to direct `ChainType` use. (#1033)
+- `ValidatorDiscoveryClient` JSDoc no longer calls itself "legacy" — it's the intentional HCS-direct discovery fallback. (#1033)
+
+### Tests
+
+- **Phantom `validator-auth.spec.ts` replaced**: the original 615 lines tested `new URL(...)` against the stdlib and never imported `ValidatorAuthClient`. Production was at 2.97% line coverage. Replaced with 43 real tests covering every public method + `ValidatorAuthError` + every failure path. (#1036)
+- Added specs for `chains/{hedera,polkadot,solana,xrpl}.ts` (0% → 100%), `discovery/{mirror-node,validator-discovery}` (11-18% → 95%+), `nestjs/smart-engine.service` (30% → 100%), `_vendor/{retry,rate-limiter,errors-and-breaker,network-types}` (9-55% → 100%), gateway sub-clients, residual `client.ts` token/cluster/monitoring branches. (#1036)
+- `jest.config.js` `**/index.ts` blanket exclusion replaced with a narrow allowlist of true barrel files — sub-client implementations in `index.ts` now count toward coverage. (#1036)
+
+**Coverage gate (CLAUDE.md ≥80% bar):**
+
+| Axis | 3.4.1 | 3.5.0 |
+|------|-------|-------|
+| Statements | 62.17% | **89.95%** |
+| Branches | 49.51% | **81.33%** |
+| Functions | 64.12% | **85.10%** |
+| Lines | 62.63% | **91.39%** |
+
+Test count: 637 → **1037** (+400).
+
+### Docs
+
+- **README rewritten** for the 3.4.x+ surface: leads with `BaasClient.connectToCluster({ network: 'testnet' })` as the canonical entrypoint, sub-clients table enumerates every public field on `SmartEngineClient` + `BaasClient`, bundle section refreshed off the actual 3.5.0 figures. Stale 3.0.0 / 3.2.0 references gone. (#1032)
+- **Compodoc wired**: `yarn workspace @hsuite/smart-engines-sdk docs` now generates `dist/docs/` against the repo-root `.compodocrc.json`. (#1032)
+- **Stale `hsuite-smart-engines-sdk-3.2.0.tgz` deleted** from the package source. (#1032)
+- Package-level `@example` in `src/index.ts` rewritten to lead with `connectToCluster`. (#1032)
+- `@example` blocks added to `BridgeClient` / `EnvelopeClient` / `OperatorClient` / `ResourcesClient` / `HederaTssClient` / `DiscoveryClient`. (#1032)
+
+### Verified
+
+- `yarn jest`: 67 suites, 1037 passing + 1 skipped = 1038 total, 0 failures.
+- `yarn build:tsc`: clean.
+- `yarn build`: all 6 subpath dist artifacts produced cleanly.
+- `yarn workspace @hsuite/smart-engines-sdk docs`: compodoc generates `dist/docs/` cleanly.
+
 ## 3.4.1 — 2026-06-01
 
 **Patch release** restoring 3 subpath exports that the 3.4.0 publish dropped despite being present in source:

package/README.md

@@ -21,9 +21,14 @@ npm install zod                  # peer (likely transitive in your app already)
 
 ---
 
-## Quick start — Web3 auth + register a smart-app
+## Quick start — `connectToCluster`
 
-The canonical smart-app bootstrap flow:
+`connectToCluster` is the canonical entrypoint: it auto-discovers an active
+cluster via the service registry, picks one at random, runs Web3 auth, and
+hands back a wired client. Zero hand-rolled URLs, zero validator pinning,
+permissionless cluster join/leave is invisible to the SDK caller.
+
+### BaaS (smart-app primary path)
 
 ```ts
 import { BaasClient } from '@hsuite/smart-engines-sdk';
@@ -33,15 +38,12 @@ import { sign as xrplSign } from 'ripple-keypairs';
 // 1. Your XRPL wallet (real production: load XRPL_SEED from env / secret store)
 const wallet = Wallet.fromSeed(process.env.XRPL_SEED!);
 
-// 2. Construct the BaaS client
-const baas = new BaasClient({
-  hostUrl: 'https://v3-testnet-gateway.hsuite.network',
-  appId: 'pending',          // will be replaced after register()
-  pathPrefix: '/host',       // gateway routes /host/* → smart-host
+// 2. Connect to the network (zero-config — testnet | mainnet)
+const baas = await BaasClient.connectToCluster({
+  network: 'testnet',
 });
 
-// 3. Authenticate via Web3 challenge-response
-//    Cluster verifies with ripple-keypairs.verify(messageHex.toUpperCase(), signature, publicKey)
+// 3. Web3 auth (challenge-response over the discovered cluster's gateway)
 await baas.authenticate({
   chain: 'xrpl',
   walletAddress: wallet.address,
@@ -72,6 +74,24 @@ baas.setAppId(init.appId);
 // (deploy)      await baas.deployment.deploy(init.appId, { tag: 'v1', replicas: 1 });
 ```
 
+### SmartEngineClient (direct chain operations)
+
+```ts
+import { SmartEngineClient } from '@hsuite/smart-engines-sdk';
+
+const { client, cluster, session } = await SmartEngineClient.connectToCluster({
+  network: 'testnet',           // resolves canonical gateway entrypoint
+  chain: 'xrpl',
+  address: wallet.address,
+  publicKey: wallet.publicKey,
+  signFn: (challenge) => /* sign the challenge */ '',
+});
+
+// All sub-clients are wired against the discovered cluster
+await client.tss.signMPC({ chain: 'hedera', entityId: '...', transactionBytes: '0x...' });
+await client.ipfs.upload(file, 'document.pdf');
+```
+
 **Why XRPL?** Per the Smart Engines V3 architecture, XRPL is canonical for
 smart-app authentication and registration. The cluster's validator/host pods
 pay their own HCS fees from pod-local operator accounts; smart-apps never
@@ -81,22 +101,90 @@ from the dev wallet used to authenticate.
 
 **Faster bootstrap?** Use the [`@hsuite/smart-engines-cli`](https://www.npmjs.com/package/@hsuite/smart-engines-cli) — `hsuite init` generates a fresh XRPL wallet + funds it via the testnet faucet + writes `.env.local`, then `hsuite subscribe` registers the smart-app in one command.
 
+### Manual override — pin a host directly
+
+If you need to point the SDK at a specific gateway / host (private deployment,
+local k3d cluster, conformance harness), bypass discovery and pass a URL:
+
+```ts
+import { BaasClient, SmartEngineClient } from '@hsuite/smart-engines-sdk';
+
+const baas = new BaasClient({
+  hostUrl: 'https://v3-testnet-gateway.hsuite.network',
+  appId: 'pending',
+  pathPrefix: '/host',          // gateway routes /host/* → smart-host
+});
+
+const client = new SmartEngineClient({
+  baseUrl: 'https://v3-testnet-gateway.hsuite.network',
+  authToken: '<jwt-from-validator-auth-verify>',
+});
+```
+
+You can also pass `bootstrap: string[]` to `connectToCluster` for explicit
+seed lists (private deployments).
+
 ---
 
 ## Available clients
 
+The root `SmartEngineClient` exposes every sub-client below — each maps 1:1
+to a server-side controller. `BaasClient` mirrors the host/BaaS surface.
+
+### Top-level clients
+
 | Client | Purpose |
 |---|---|
-| `BaasClient` | Authentication + database + storage + functions + messaging + deployment + agents |
-| `baas.rules.*` | Publish / get / list / simulate / deprecate canonical `ValidatorRules` documents on HCS |
-| `baas.entities.*` | Create canonical token / account / topic / agent entities (plus launchpad mega-helper), each bound to a published `ruleRef` |
-| `SmartEngineClient` | Chain operations: account create, token create / mint / burn / freeze / wipe, transfers, HCS topics, TSS, IPFS |
+| `BaasClient` | Authentication + database + storage + functions + messaging + deployment + agents + rules + entities |
+| `SmartEngineClient` | Chain operations + every typed sub-client below |
 | `SmartGatewayClient` | Gateway operations: routing, domains, DNS |
 | `ValidatorAuthClient` | Standalone Web3 challenge-response auth (lower-level than `BaasClient.authenticate`) |
-| `ValidatorDiscoveryClient` | HCS-registry-based validator discovery |
-| `TSSClient`, `IPFSClient`, `TransactionsClient`, `SettlementClient`, `SnapshotsClient` | Direct sub-client access for advanced flows |
+| `ClusterDiscoveryClient` | Bootstrap-seed → active-cluster discovery (powers `connectToCluster`) |
+| `ValidatorDiscoveryClient` | HCS-registry-based validator discovery (legacy `connectToNetwork` path) |
 | `MirrorNodeClient` | Hedera mirror-node helper (when your app does Hedera-side queries) |
 
+### `client.*` sub-clients on `SmartEngineClient`
+
+| Field | Purpose |
+|---|---|
+| `client.subscription` | Application subscription management |
+| `client.tss` | Threshold Signature Scheme — chain-agnostic MPC operations |
+| `client.ipfs` | IPFS decentralized file storage |
+| `client.transactions` | Chain-agnostic prepare-sign-submit (transaction sovereignty) |
+| `client.hedera` | Hedera-specific transaction preparation (HCS topics, KYC, wipe) |
+| `client.hedera.tss` | Hedera TSS immediate-execute (cluster signs + submits in one call) |
+| `client.xrpl` | XRPL-specific transaction preparation (trust lines) |
+| `client.solana` | Solana-specific transaction preparation (close-account) |
+| `client.polkadot` | Polkadot-specific transaction preparation (asset setTeam/setMetadata) |
+| `client.snapshots` | Token holder snapshot generation and retrieval |
+| `client.historicalBalance` | Historical balance archive reads |
+| `client.settlement` | Cross-chain settlement operations |
+| `client.governance` | Governance proposal dry-run (simulate-only) |
+| `client.dao` | DAO governance — DAOs, proposals, votes, treasury, members, dashboard |
+| `client.personhood` | Personhood verification (HPP one-human-one-member) |
+| `client.agents` | BaaS smart-agent lifecycle (register/fund/trade/withdraw/pause/resume/revoke) |
+| `client.deployments` | BaaS smart-app deployment lifecycle (init/uploadFrontend/deploy/rollback/status) |
+| `client.bridge` | Universal Token Bridge — port/return/claim across chains |
+| `client.resources` | Network + per-app resource consumption (summary, history, ledger, nodes) |
+| `client.envelope` | AES-256-GCM envelope encrypt/decrypt under the TSS-backed master KEK |
+| `client.tokens` | Token migration — move existing tokens to TSS-controlled keys |
+| `client.operator` | Operator account funding helpers (balance + top-up guidance) |
+| `client.discovery` | Discovery — cluster registry + `client.discovery.platformImages` manifests |
+
+### `baas.*` sub-clients on `BaasClient`
+
+| Field | Purpose |
+|---|---|
+| `baas.db` | Trustless database with state proofs and Merkle verification |
+| `baas.storage` | Decentralized file storage |
+| `baas.functions` | Serverless function deployment and invocation |
+| `baas.messaging` | Real-time pub/sub messaging with channels, history, presence |
+| `baas.deployment` | App deployment lifecycle (init/uploadFrontend/deploy/rollback/...) |
+| `baas.agents` | Autonomous smart-agent management |
+| `baas.customerSession` | Customer→smart-app session bridge (TokenGate Face B) |
+| `baas.rules` | Publish / get / list / simulate / deprecate canonical `ValidatorRules` documents on HCS |
+| `baas.entities` | Create canonical token / account / topic / agent entities (plus launchpad mega-helper), each bound to a published `ruleRef` |
+
 All clients accept the same `pathPrefix: '/host'` option when consumed via
 the cluster gateway. Set `pathPrefix: ''` for direct host access.
 
@@ -268,15 +356,18 @@ await baas.deployment.rollback(init.appId, { toTag: 'v0' });
 ## Chain operations via `SmartEngineClient`
 
 For direct chain operations independent of BaaS — e.g., a custodial backend
-that creates accounts and tokens on behalf of users:
+that creates accounts and tokens on behalf of users — use the methods on the
+`SmartEngineClient` returned by `connectToCluster`:
 
 ```ts
 import { SmartEngineClient } from '@hsuite/smart-engines-sdk';
 
-const client = new SmartEngineClient({
-  baseUrl: 'https://v3-testnet-gateway.hsuite.network',
-  // Auth via authToken (set after the Web3 challenge flow):
-  authToken: '<jwt-from-validator-auth-verify>',
+const { client } = await SmartEngineClient.connectToCluster({
+  network: 'testnet',
+  chain: 'xrpl',
+  address: wallet.address,
+  publicKey: wallet.publicKey,
+  signFn: async (challenge) => /* sign challenge */ '',
 });
 
 // Create an account on any supported chain
@@ -405,17 +496,23 @@ try {
 
 ## Bundle
 
-The SDK is a single 134 KB CJS bundle with workspace-only primitives
-vendored in. Single-file `.d.ts` (84 KB) for full type ergonomics.
+The SDK ships as a single CJS bundle with workspace-only primitives
+vendored in, plus subpath exports for the optional NestJS integration and
+the customer-facing PQC verifiers. Build artifacts live under `dist/`:
 
 ```
-@hsuite/smart-engines-sdk@3.0.0
-  dist/index.js              134 KB    — main bundle
-  dist/index.d.ts             84 KB    — types
-  dist/nestjs/index.js       104 KB    — NestJS integration
-  dist/nestjs/index.d.ts      64 KB
+dist/index.{js,d.ts}                    — main bundle + types
+dist/nestjs/index.{js,d.ts}             — NestJS integration (optional)
+dist/pqc-verify/index.{js,d.ts}         — PQC attestation verifier
+dist/pqc-verify-envelope/index.{js,d.ts} — PQC envelope verifier
+dist/ipfs-access-key/index.{js,d.ts}    — IPFS access-key helper
+dist/k8s-secret-reader/index.{js,d.ts}  — k8s secret reader (NestJS)
 ```
 
+The PQC and k8s-secret-reader entries are subpath exports — import from
+`@hsuite/smart-engines-sdk/pqc-verify` etc. so callers that don't need
+`@noble/post-quantum` (~120 KB compressed) don't pull it in.
+
 ---
 
 ## License

package/dist/index.d.ts

@@ -1866,12 +1866,15 @@ export type HttpClient = {
 	delete<T = any>(path: string): Promise<T>;
 	getText(path: string): Promise<string>;
 	upload<T = any>(path: string, file: Blob | Buffer, filename: string, metadata?: Record<string, string>, fieldName?: string): Promise<T>;
+	setAuthToken(token: string | undefined): void;
+	getAuthToken(): string | undefined;
 };
 export type HttpClientConfig = {
 	baseUrl: string;
 	authToken?: string;
 	apiKey?: string;
 	timeout?: number;
+	onUnauthorized?: () => Promise<void>;
 };
 export declare class SdkHttpError extends Error {
 	readonly statusCode: number;
@@ -1958,10 +1961,49 @@ export declare class PlatformImagesClient {
 	}>;
 	verify(imageName: string, version: string, digest: string): Promise<DiscoveryVerifyResult>;
 }
+export type NetworkName = "testnet" | "mainnet";
+export interface NetworkPreset {
+	readonly bootstrap: readonly string[];
+}
+export declare const KNOWN_NETWORKS: Readonly<Record<NetworkName, NetworkPreset>>;
+export declare function resolveNetwork(name: NetworkName): NetworkPreset;
+export declare function isKnownNetwork(name: string): name is NetworkName;
+export type ResolveClusterSeed = {
+	bootstrap?: string[];
+	network?: NetworkName;
+};
+export type ResolveClusterTrustAnchor = {
+	network: "mainnet" | "testnet" | "previewnet";
+	registryTopicId: string;
+	mirrorNodeUrl?: string;
+};
+export type ResolveClusterConfig = ResolveClusterSeed & {
+	allowInsecure?: boolean;
+	trustAnchor?: ResolveClusterTrustAnchor;
+};
+export type ResolveClusterFailure = "no-seeds" | "no-clusters";
+export type ResolveClusterResult = {
+	ok: true;
+	cluster: ClusterInfo;
+} | {
+	ok: false;
+	reason: ResolveClusterFailure;
+};
+declare function resolveClusterEndpoint(config: ResolveClusterConfig): Promise<ResolveClusterResult>;
 export type AuthChain = "hedera" | "xrpl" | "polkadot" | "stellar" | "solana";
 export interface SecurityConfig {
 	allowInsecure?: boolean;
 }
+export type HederaSigner = {
+	sign(message: Uint8Array): Uint8Array | Buffer | {
+		toBytes(): Uint8Array;
+	};
+};
+export type XrplSigner = {
+	sign(message: string): string | {
+		signedTransaction: string;
+	};
+};
 export interface ChallengeResponse {
 	success: boolean;
 	challenge: string;
@@ -2009,8 +2051,8 @@ export declare class ValidatorAuthClient {
 	requestChallenge(validatorUrl: string, chain: AuthChain, address: string): Promise<ChallengeResponse>;
 	authenticate(validatorUrl: string, request: AuthenticateRequest): Promise<AuthenticateResponse>;
 	getSession(validatorUrl: string, token: string): Promise<SessionInfo>;
-	signChallengeHedera(challenge: string, privateKey: any): string;
-	signChallengeXRPL(challenge: string, wallet: any): string;
+	signChallengeHedera(challenge: string, privateKey: HederaSigner): string;
+	signChallengeXRPL(challenge: string, wallet: XrplSigner): string;
 	authenticateWithSigner(validatorUrl: string, chain: AuthChain, address: string, publicKey: string, signFn: (challenge: string) => string | Promise<string>, metadata?: AuthenticateRequest["metadata"]): Promise<AuthenticateResponse>;
 }
 export declare class ValidatorAuthError extends Error {
@@ -2026,33 +2068,6 @@ export type Web3Signer = {
 	wallet: Wallet;
 };
 export declare function createXrplWeb3Signer(seed: string): Web3Signer;
-interface RetryConfig$1 {
-	maxRetries: number;
-	initialDelayMs: number;
-	maxDelayMs: number;
-	backoffMultiplier: number;
-	jitterFactor?: number;
-}
-export declare const DEFAULT_RETRY_CONFIG: RetryConfig$1;
-export interface ResilientHttpConfig {
-	timeoutMs?: number;
-	retry?: Partial<RetryConfig$1>;
-	circuitBreaker?: Partial<CircuitBreakerConfig> | false;
-	onRetry?: (attempt: number, delay: number, status?: number) => void;
-	onCircuitBreakerStateChange?: (state: "closed" | "open" | "half_open") => void;
-}
-export declare function resilientFetch(url: string, init?: RequestInit, config?: ResilientHttpConfig): Promise<Response>;
-export declare function createResilientFetchWithBreaker(config?: ResilientHttpConfig): {
-	fetch: (url: string, init?: RequestInit) => Promise<Response>;
-	getCircuitBreakerSnapshot: () => CircuitBreakerSnapshot | null;
-};
-export type NetworkName = "testnet" | "mainnet";
-export interface NetworkPreset {
-	readonly bootstrap: readonly string[];
-}
-export declare const KNOWN_NETWORKS: Readonly<Record<NetworkName, NetworkPreset>>;
-export declare function resolveNetwork(name: NetworkName): NetworkPreset;
-export declare function isKnownNetwork(name: string): name is NetworkName;
 export type SubscriptionTierName = "free_testnet" | "starter" | "professional" | "enterprise";
 export type SubscriptionStatus = "pending_deposit" | "deposit_confirmed" | "active" | "expired" | "cancelled";
 export type DepositWalletStatus = "pending" | "locked" | "expired" | "slashed" | "released";
@@ -2104,6 +2119,13 @@ export type SubscriptionStatusResponse = {
 		lockedUntil?: string;
 	};
 	subscriptionNftSerial?: number;
+	chainNfts?: {
+		xrpl?: {
+			nftId?: string;
+			issuerAddress?: string;
+			offerTxId?: string;
+		};
+	} & Record<string, unknown>;
 	expiresAt?: string;
 	remainingBalance?: string;
 	createdAt?: string;
@@ -2290,6 +2312,48 @@ export declare class SubscriptionClient {
 	getBilling(appId: string, options?: GetBillingOptions): Promise<SubscriptionBillingResponse>;
 	mintCustomer(request: MintCustomerSubscriptionRequest): Promise<MintCustomerSubscriptionResponse>;
 }
+export type FaucetChallenge = {
+	challengeId: string;
+	message: string;
+	expiresInSeconds: number;
+};
+export type FaucetDispenseRequest = {
+	chain: string;
+	recipientAddress: string;
+	challengeId: string;
+	signature: string;
+	publicKey?: string;
+};
+export type FaucetDispensed = {
+	status: "dispensed";
+	amount: string;
+	txHash: string;
+	remainingDailyAllowance: string;
+};
+export type FaucetTrustlineRequired = {
+	status: "trustline_required";
+	trustLine: {
+		currency: string;
+		issuer: string;
+		limit: string;
+	};
+};
+export type FaucetRateLimited = {
+	status: "rate_limited";
+	retryAfterSeconds: number;
+};
+export type FaucetDispenseResult = FaucetDispensed | FaucetTrustlineRequired | FaucetRateLimited;
+export type FaucetStatusResponse = {
+	dispensedToday: string;
+	[key: string]: unknown;
+};
+export declare class FaucetClient {
+	private readonly http;
+	constructor(http: HttpClient);
+	requestChallenge(chain: string, recipientAddress: string): Promise<FaucetChallenge>;
+	dispense(req: FaucetDispenseRequest): Promise<FaucetDispenseResult>;
+	getStatus(chain: string, recipientAddress: string): Promise<FaucetStatusResponse>;
+}
 export type EntityType = "account" | "token" | "topic";
 export type EntityCreationOptions = {
 	entityType: EntityType;
@@ -2890,7 +2954,7 @@ export type PrepareTokenWipeRequest = {
 export declare class HederaTransactionsClient {
 	private readonly http;
 	readonly tss: HederaTssClient;
-	constructor(http: HttpClient, tssHttp?: HttpClient);
+	constructor(http: HttpClient, tssHttp: HttpClient);
 	prepareTopicCreate(request: PrepareTopicCreateRequest): Promise<PreparedTransaction>;
 	prepareTopicMessage(request: PrepareTopicMessageRequest): Promise<PreparedTransaction>;
 	prepareTokenComplianceEnable(request: PrepareTokenComplianceEnableRequest): Promise<PreparedTransaction>;
@@ -3809,7 +3873,6 @@ export type BaasClientConfig = {
 	services?: BaasService[];
 	timeout?: number;
 	allowInsecure?: boolean;
-	http?: ResilientHttpConfig;
 	pathPrefix?: string;
 };
 export type BaasChallengeRequest = {
@@ -4076,6 +4139,7 @@ export type BaasDeployRequest = {
 	tag: string;
 	port?: number;
 	replicas?: number;
+	degree?: number;
 	env?: Record<string, string>;
 	resources?: {
 		cpu?: string;
@@ -4423,18 +4487,6 @@ export type TokenMigrationsForTokenResponse = {
 	migrations: TokenMigrationStatus[];
 	count: number;
 };
-export type TokenDetailsResponse = {
-	chain: string;
-	tokenId: string;
-	name?: string;
-	symbol?: string;
-	totalSupply?: string;
-	adminKey?: string | null;
-	supplyKey?: string | null;
-	tssControlled?: boolean;
-	entityId?: string;
-	message?: string;
-};
 export declare class TokensClient {
 	private readonly http;
 	constructor(http: HttpClient);
@@ -4444,7 +4496,6 @@ export declare class TokensClient {
 		error: string;
 	}>;
 	getMigrationsForToken(tokenId: string): Promise<TokenMigrationsForTokenResponse>;
-	getDetails(chain: string, tokenId: string): Promise<TokenDetailsResponse>;
 }
 export type OperatorChain = "hedera";
 export type OperatorTokenBalance = {
@@ -4479,7 +4530,6 @@ export interface SmartEngineClientConfig {
 	authToken?: string;
 	timeout?: number;
 	allowInsecure?: boolean;
-	http?: ResilientHttpConfig;
 }
 export interface NetworkConnectionConfig {
 	network: "mainnet" | "testnet" | "previewnet";
@@ -4536,6 +4586,7 @@ export declare class SmartEngineClient {
 	private readonly txHttp;
 	private lastHttpError?;
 	readonly subscription: SubscriptionClient;
+	readonly faucet: FaucetClient;
 	readonly tss: TSSClient;
 	readonly ipfs: IPFSClient;
 	readonly transactions: TransactionsClient;
@@ -5131,6 +5182,26 @@ export declare class SmartGatewayClient {
 	getMetrics(refresh?: boolean): Promise<GatewayMetricsResponse>;
 	getMetricsSummary(): Promise<GatewayMetricsSummaryResponse>;
 }
+interface RetryConfig$1 {
+	maxRetries: number;
+	initialDelayMs: number;
+	maxDelayMs: number;
+	backoffMultiplier: number;
+	jitterFactor?: number;
+}
+export declare const DEFAULT_RETRY_CONFIG: RetryConfig$1;
+export interface ResilientHttpConfig {
+	timeoutMs?: number;
+	retry?: Partial<RetryConfig$1>;
+	circuitBreaker?: Partial<CircuitBreakerConfig> | false;
+	onRetry?: (attempt: number, delay: number, status?: number) => void;
+	onCircuitBreakerStateChange?: (state: "closed" | "open" | "half_open") => void;
+}
+export declare function resilientFetch(url: string, init?: RequestInit, config?: ResilientHttpConfig): Promise<Response>;
+export declare function createResilientFetchWithBreaker(config?: ResilientHttpConfig): {
+	fetch: (url: string, init?: RequestInit) => Promise<Response>;
+	getCircuitBreakerSnapshot: () => CircuitBreakerSnapshot | null;
+};
 declare function formatHederaAccountId(id: string): string;
 declare function parseHbar(amount: string): number;
 declare function hbarToTinybars(hbar: string | number): string;
@@ -5224,7 +5295,6 @@ export declare class StorageClient {
 	delete(cid: string): Promise<{
 		success: boolean;
 	}>;
-	getFile(cid: string): Promise<BaasFileInfo>;
 	listFiles(pagination?: {
 		limit?: number;
 		offset?: number;
@@ -25072,9 +25142,9 @@ export declare class BaasClient {
 	private appId;
 	private readonly timeout;
 	private readonly allowInsecure;
-	private authToken;
 	private readonly http;
 	private lastHttpError?;
+	private authContext?;
 	readonly db: DatabaseClient;
 	readonly storage: StorageClient;
 	readonly functions: FunctionsClient;
@@ -25096,13 +25166,10 @@ export declare class BaasClient {
 	};
 	private requireAppId;
 	authenticate(options: AuthenticateOptions): Promise<BaasAuthResult>;
+	private reauthenticate;
 	validateSession(): Promise<BaasSessionInfo>;
 	logout(): Promise<void>;
 	private requireAuth;
-	private getHeaders;
-	private post;
-	private get;
-	private request;
 }
 export declare class BaasError extends Error {
 	readonly statusCode: number;
@@ -25202,7 +25269,7 @@ export type VerifyResult = {
 	readonly thresholdMet?: boolean;
 };
 export declare function verifyPqcAttestation(cert: unknown, payload: unknown, registrySnapshot?: ValidatorRegistrySnapshot): Promise<VerifyResult>;
-export type EnvelopeVersionLiteral = "kyber-aes-v1" | "aes-v0";
+export type EnvelopeVersionLiteral = "kyber-aes-v1";
 export type SchemaValidationResult = {
 	ok: true;
 	version: EnvelopeVersionLiteral;
@@ -25261,10 +25328,10 @@ declare namespace pqcVerifyEnvelope {
 	export { EnvelopeVerificationResult, EnvelopeVersionLiteral, KYBER_MIN_TIMESTAMP_MS, SchemaValidationResult, VerificationDetails, VerifyEnvelopeOptions, validateEnvelopeSchema, verifyPqcEnvelope };
 }
 declare namespace discovery {
-	export { ClusterDiscoveryClient, ClusterDiscoveryConfig, ClusterEndpointsView, ClusterInfo, DiscoveryClient, DiscoveryClusterEndpoints, DiscoveryClusterRecord, DiscoveryNodeRecord, DiscoveryPlatformImageEnvelope, DiscoveryPlatformImageManifest, DiscoveryVerifyResult, MIRROR_NODE_URLS, MirrorNodeClient, MirrorNodeConfig, MirrorNodeError, PlatformImagesClient, TopicMessage, TopicMessagesResponse, ValidatorDiscoveryClient, ValidatorDiscoveryConfig, ValidatorInfo, ValidatorMetadata, ValidatorNetworkEndpoints };
+	export { ClusterDiscoveryClient, ClusterDiscoveryConfig, ClusterEndpointsView, ClusterInfo, DiscoveryClient, DiscoveryClusterEndpoints, DiscoveryClusterRecord, DiscoveryNodeRecord, DiscoveryPlatformImageEnvelope, DiscoveryPlatformImageManifest, DiscoveryVerifyResult, MIRROR_NODE_URLS, MirrorNodeClient, MirrorNodeConfig, MirrorNodeError, PlatformImagesClient, ResolveClusterConfig, ResolveClusterFailure, ResolveClusterResult, ResolveClusterSeed, ResolveClusterTrustAnchor, TopicMessage, TopicMessagesResponse, ValidatorDiscoveryClient, ValidatorDiscoveryConfig, ValidatorInfo, ValidatorMetadata, ValidatorNetworkEndpoints, resolveClusterEndpoint };
 }
 declare namespace auth {
-	export { AuthChain, AuthenticateRequest, AuthenticateResponse, ChallengeResponse, SecurityConfig, SessionInfo, ValidatorAuthClient, ValidatorAuthConfig, ValidatorAuthError, Web3Signer, createXrplWeb3Signer };
+	export { AuthChain, AuthenticateRequest, AuthenticateResponse, ChallengeResponse, HederaSigner, SecurityConfig, SessionInfo, ValidatorAuthClient, ValidatorAuthConfig, ValidatorAuthError, Web3Signer, XrplSigner, createXrplWeb3Signer };
 }
 declare namespace chains {
 	export { bitcoin, hedera, polkadot, solana, stellar, xrpl };
@@ -25272,6 +25339,9 @@ declare namespace chains {
 declare namespace subscription {
 	export { ActiveSubscriptionForWalletResponse, BalanceResponse, CancelTierChangeRequest, CancelTierChangeResponse, DepositWalletStatus, DowngradeSubscriptionRequest, DowngradeSubscriptionResponse, GetBillingOptions, MintCustomerSubscriptionRequest, MintCustomerSubscriptionResponse, MintNftResponse, PendingTierChange, SubscriptionBillingLedgerEntry, SubscriptionBillingResponse, SubscriptionClient, SubscriptionConfig, SubscriptionListResponse, SubscriptionRenewalRequest, SubscriptionRenewalResponse, SubscriptionRequest, SubscriptionResponse, SubscriptionStatus, SubscriptionStatusResponse, SubscriptionTierInfo, SubscriptionTierName, SubscriptionUsageStatusResponse, SubscriptionUsageSummaryResponse, UpgradeSubscriptionRequest, UpgradeSubscriptionResponse };
 }
+declare namespace faucet {
+	export { FaucetChallenge, FaucetClient, FaucetDispenseRequest, FaucetDispenseResult, FaucetDispensed, FaucetRateLimited, FaucetStatusResponse, FaucetTrustlineRequired };
+}
 declare namespace bridge {
 	export { BridgeChain, BridgeClaimRecord, BridgeClaimStatus, BridgeClient, BridgeConfig, BridgeDestinationConfig, BridgeDirection, BridgeGenesisBinding, BridgeMode, BridgeOperationConfig, BridgeRulesConfig, BridgeSourceConfig, BridgeStatus, BridgeSupply, BridgeTrustLevel, CreateBridgeRequest, CreateBridgeResponse, ListBridgesOptions, ListBridgesResponse, ListClaimsOptions, ListClaimsResponse, PortRequest, PortResult, ReturnRequest };
 }
@@ -25282,7 +25352,7 @@ declare namespace envelope {
 	export { DecryptRequest, DecryptResponse, EncryptRequest, EncryptResponse, EncryptedEnvelope, EnvelopeClient };
 }
 declare namespace tokens {
-	export { ListMigrationsResponse, TokenDetailsResponse, TokenMigrationChain, TokenMigrationRequest, TokenMigrationResponse, TokenMigrationStatus, TokenMigrationStatusValue, TokenMigrationsForTokenResponse, TokensClient };
+	export { ListMigrationsResponse, TokenMigrationChain, TokenMigrationRequest, TokenMigrationResponse, TokenMigrationStatus, TokenMigrationStatusValue, TokenMigrationsForTokenResponse, TokensClient };
 }
 declare namespace operator {
 	export { OperatorBalanceResponse, OperatorChain, OperatorClient, OperatorTokenBalance, OperatorTopUpResponse };
@@ -25316,6 +25386,7 @@ export {
 	dao,
 	discovery,
 	envelope,
+	faucet,
 	governance,
 	operator,
 	personhood,