@hsuite/smart-engines-sdk 3.5.0 → 3.6.0

package/dist/index.js

@@ -5674,7 +5674,7 @@ var CreateAccountRequestSchema = zod.z.object({
    * Smart node security mode for the account key structure.
    * - 'partial': threshold(2, [appOwnerKey, tssKeyList]) — co-control
    * - 'full': TSS KeyList only — full validator network control
-   * Default: 'full' (Arc 5 §7.5.2: 'none' removed).
+   * @defaultValue 'full'
    */
   securityMode: zod.z.enum(["partial", "full"]).default("full"),
   /**
@@ -6701,14 +6701,34 @@ function createHttpClient(config) {
       throw new SdkHttpError(`Upload error: ${err.message}`, 0, error);
     }
   }
+  let reauthInFlight = null;
+  async function withAuthRetry(path, op) {
+    try {
+      return await op();
+    } catch (error) {
+      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
+      if (!refreshable) throw error;
+      if (!reauthInFlight) {
+        reauthInFlight = Promise.resolve(config.onUnauthorized()).finally(() => {
+          reauthInFlight = null;
+        });
+      }
+      try {
+        await reauthInFlight;
+      } catch {
+        throw error;
+      }
+      return await op();
+    }
+  }
   const client = {
-    post: (path, body) => request("POST", path, body),
-    get: (path) => request("GET", path),
-    put: (path, body) => request("PUT", path, body),
-    patch: (path, body) => request("PATCH", path, body),
-    delete: (path) => request("DELETE", path),
-    getText,
-    upload: ((path, file, filename, metadata, fieldName) => upload(path, file, filename, metadata, fieldName)),
+    post: (path, body) => withAuthRetry(path, () => request("POST", path, body)),
+    get: (path) => withAuthRetry(path, () => request("GET", path)),
+    put: (path, body) => withAuthRetry(path, () => request("PUT", path, body)),
+    patch: (path, body) => withAuthRetry(path, () => request("PATCH", path, body)),
+    delete: (path) => withAuthRetry(path, () => request("DELETE", path)),
+    getText: (path) => withAuthRetry(path, () => getText(path)),
+    upload: ((path, file, filename, metadata, fieldName) => withAuthRetry(path, () => upload(path, file, filename, metadata, fieldName))),
     setAuthToken,
     getAuthToken
   };
@@ -7116,8 +7136,8 @@ var ValidatorAuthClient = class {
    *
    * Structurally typed against the surface of xrpl's `Wallet` — see the
    * comment on {@link HederaSigner} for the "no direct import" rationale.
-   * Accepts both the modern `{ signedTransaction }` envelope and the
-   * legacy bare-string return shape.
+   * Accepts both the `{ signedTransaction }` envelope and the bare-string
+   * return shapes that xrpl signer libraries expose.
    *
    * @param challenge - Challenge string from validator
    * @param wallet - XRPL Wallet instance (or compatible signer)
@@ -7360,6 +7380,44 @@ var SubscriptionClient = class {
   }
 };
 
+// src/faucet/index.ts
+var faucet_exports = {};
+__export(faucet_exports, {
+  FaucetClient: () => FaucetClient
+});
+var FaucetClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /**
+   * Request a signing challenge for a recipient address. The returned
+   * `message` must be signed by the key controlling `recipientAddress`.
+   */
+  async requestChallenge(chain, recipientAddress) {
+    return this.http.post("/faucet/hsuite/challenge", { chain, recipientAddress });
+  }
+  /**
+   * Submit a signed challenge to dispense HST. The result is a discriminated
+   * union on `status` — branch on `'dispensed' | 'trustline_required' |
+   * 'rate_limited'`. On `'trustline_required'`, set the returned trust line on
+   * the recipient and re-dispense with a fresh challenge.
+   */
+  async dispense(req) {
+    return this.http.post("/faucet/hsuite", req);
+  }
+  /**
+   * Get today's dispense status for a recipient (e.g. amount already
+   * dispensed today).
+   */
+  async getStatus(chain, recipientAddress) {
+    const params = new URLSearchParams();
+    params.append("chain", chain);
+    params.append("recipientAddress", recipientAddress);
+    return this.http.get(`/faucet/hsuite/status?${params.toString()}`);
+  }
+};
+
 // src/tss/index.ts
 var TSSClient = class {
   constructor(http) {
@@ -7367,20 +7425,29 @@ var TSSClient = class {
   }
   http;
   /**
-   * Create a multi-sig entity with TSS
+   * Create a multi-sig entity via a synchronous DKG ceremony.
+   *
+   * @param options Entity-creation parameters (chain, threshold, participants).
+   * @returns The created entity's identity (ids + group public keys).
    */
   async createEntity(options) {
     return this.http.post("/tss/entity/create", options);
   }
   /**
-   * Reshare keys when cluster membership changes.
-   * Redistributes secret shares WITHOUT changing public keys.
+   * Reshare keys when cluster membership changes. Redistributes secret shares
+   * WITHOUT changing public keys.
+   *
+   * @param request The new membership / threshold to reshare to.
+   * @returns The reshare outcome.
    */
   async reshareCluster(request) {
     return this.http.post("/tss/cluster/reshare", request);
   }
   /**
-   * Get entity details by ID
+   * Get entity details by id.
+   *
+   * @param entityId The entity id to look up.
+   * @returns The entity's details.
    */
   async getEntity(entityId) {
     return this.http.get(`/tss/entity/${encodePathParam(entityId)}`);
@@ -7389,55 +7456,71 @@ var TSSClient = class {
    * Sign a transaction using MPC.
    *
    * Routes to `POST /api/v3/tss/hedera/sign-mpc`. Only `'hedera'` is wired
-   * server-side today (see
-   * `apps/smart-validator/src/tss/tss.controller.ts:279`); other chain
-   * signing paths run via their own controllers (XRPL multisig, Polkadot
-   * MPC) and are not exposed through this sub-client. The `chain` field is
-   * carried into the request body so the validator can log + route, but
-   * any non-`'hedera'` value will 404.
+   * server-side; other chain signing paths run via their own controllers (XRPL
+   * multisig, Polkadot MPC) and are not exposed through this sub-client. The
+   * `chain` field is carried into the request body so the validator can log +
+   * route, but any non-`'hedera'` value will 404.
+   *
+   * @param request The MPC signing request; `chain` is forced to `'hedera'`.
+   * @returns The MPC signing result.
    */
   async signMPC(request) {
     const chain = "hedera";
     return this.http.post(`/tss/${chain}/sign-mpc`, { ...request, chain });
   }
   /**
-   * Get known validators and their public keys
+   * Get known validators and their public keys.
+   *
+   * @returns The validator list with public keys.
    */
   async getValidators() {
     return this.http.get("/tss/validators");
   }
   /**
-   * Force announcement of this node's public key
+   * Force announcement of this node's public key.
+   *
+   * @returns Whether the announcement was accepted, plus a status message.
    */
   async announceKey() {
     return this.http.post("/tss/announce", {});
   }
   /**
-   * Get TSS statistics
+   * Get TSS statistics.
+   *
+   * @returns Aggregate TSS statistics.
    */
   async getStats() {
     return this.http.get("/tss/stats");
   }
   /**
-   * List all TSS entities
+   * List all TSS entities.
+   *
+   * @returns The full entity list.
    */
   async listEntities() {
     return this.http.get("/tss/entities");
   }
   /**
-   * TSS health check
+   * TSS health check.
+   *
+   * @returns The TSS subsystem health report.
    */
   async getHealth() {
     return this.http.get("/tss/health");
   }
   /**
-   * List DKG ceremonies and their statistics
+   * List DKG ceremonies and their statistics.
+   *
+   * @returns The ceremony list.
    */
   async listCeremonies() {
     return this.http.get("/tss/multisig/ceremonies");
   }
   /**
-   * Get multi-sig transaction status by transaction ID
+   * Get multi-sig transaction status by transaction id.
+   *
+   * @param txId The multi-sig transaction id.
+   * @returns The current status of that transaction.
    */
   async getMultiSigStatus(txId) {
     return this.http.get(`/tss/multisig/transactions/${encodePathParam(txId)}`);
@@ -7448,6 +7531,9 @@ var TSSClient = class {
    * Server returns 202 + `{ jobId, statusUrl, status: 'pending' }` immediately;
    * the DKG ceremony runs in the background. Poll {@link getJob} until the
    * status reaches `'success'` or `'failed'`.
+   *
+   * @param options Entity-creation parameters.
+   * @returns A job descriptor (`jobId`, `statusUrl`, initial status).
    */
   async createEntityAsync(options) {
     return this.http.post("/tss/entity/create/async", options);
@@ -7455,6 +7541,9 @@ var TSSClient = class {
   /**
    * Async-job variant of {@link reshareCluster}. Returns 202 + a polling
    * descriptor; resharing runs in the background.
+   *
+   * @param request The new membership / threshold to reshare to.
+   * @returns A job descriptor to poll via {@link getJob}.
    */
   async reshareClusterAsync(request) {
     return this.http.post("/tss/cluster/reshare/async", request);
@@ -7462,6 +7551,9 @@ var TSSClient = class {
   /**
    * Poll the status of an async TSS-ceremony job kicked off via
    * {@link createEntityAsync} or {@link reshareClusterAsync}.
+   *
+   * @param jobId The job id returned by the async kickoff call.
+   * @returns The job's current status (and result once terminal).
    */
   async getJob(jobId) {
     return this.http.get(`/tss/jobs/${encodePathParam(jobId)}`);
@@ -7474,6 +7566,10 @@ var TSSClient = class {
    * Payload constraints (enforced server-side):
    *   - even-length lowercase hex
    *   - ≥32 bytes, ≤8KB
+   *
+   * @param appId The smart-app entity id to sign as.
+   * @param request The hex payload to sign.
+   * @returns The aggregate signature over the payload.
    */
   async signForApp(appId, request) {
     return this.http.post(`/tss/entity/${encodePathParam(appId)}/sign`, request);
@@ -8546,25 +8642,29 @@ var DeploymentClient = class {
     return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}`);
   }
   /**
-   * Update app configuration. Runtime effect lands in PR-H.
+   * Update app configuration.
+   *
+   * @param appId - The app to update.
+   * @param updates - Partial deploy-request fields to apply.
+   * @returns The updated app info.
    */
   async update(appId, updates) {
     return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}`, updates);
   }
   /**
-   * Delete an app. Runtime effect (namespace teardown) lands in PR-H.
+   * Delete an app (runtime effect: namespace teardown).
    */
   async delete(appId) {
     return this.http.delete(`/api/deployment/apps/${encodePathParam(appId)}`);
   }
   /**
-   * Suspend an app. Runtime effect (scale to zero) lands in PR-H.
+   * Suspend an app (runtime effect: scale to zero).
    */
   async suspend(appId) {
     return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/suspend`, {});
   }
   /**
-   * Resume a suspended app. Runtime effect (scale back up) lands in PR-H.
+   * Resume a suspended app (runtime effect: scale back up).
    */
   async resume(appId) {
     return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/resume`, {});
@@ -8613,7 +8713,7 @@ var DeploymentClient = class {
     return this.http.getText(`/api/deployment/apps/${encodePathParam(appId)}/metrics`);
   }
   /**
-   * Rotate the smart-app's tenant-secret KEK (ADR-011 Phase 6).
+   * Rotate the smart-app's tenant-secret KEK.
    *
    * Re-encrypts every `runtime.env` envelope at the new KEK version
    * transparently. Previous versions remain valid until explicitly
@@ -8626,7 +8726,7 @@ var DeploymentClient = class {
     );
   }
   /**
-   * Revoke a tenant-secret KEK version (ADR-011 Phase 6 emergency burn).
+   * Revoke a tenant-secret KEK version (emergency burn).
    *
    * Envelopes at the revoked version become operationally dead —
    * decryption inside the smart-app pod fails. Owner-only and
@@ -8879,6 +8979,8 @@ var SmartEngineClient = class _SmartEngineClient {
   // ========== Sub-Clients ==========
   /** Application subscription management */
   subscription;
+  /** Testnet HST faucet (challenge -> sign -> dispense) */
+  faucet;
   /** Threshold Signature Scheme — chain-agnostic MPC operations */
   tss;
   /** IPFS decentralized file storage */
@@ -8937,6 +9039,7 @@ var SmartEngineClient = class _SmartEngineClient {
       timeout: config.timeout
     });
     this.subscription = new SubscriptionClient(this.http);
+    this.faucet = new FaucetClient(this.http);
     this.tss = new TSSClient(this.http);
     this.ipfs = new IPFSClient(this.http);
     this.transactions = new TransactionsClient(this.txHttp);
@@ -8992,13 +9095,17 @@ var SmartEngineClient = class _SmartEngineClient {
     });
   }
   /**
-   * Connect to the smart-engines network with auto-discovery and authentication
+   * Connect to the smart-engines network with auto-discovery and authentication.
+   *
+   * Steps:
+   * 1. Discovers validators via the HCS registry topic.
+   * 2. Selects a random validator with an API endpoint.
+   * 3. Authenticates with Web3-style challenge-response.
+   * 4. Returns a configured client ready to use.
    *
-   * This method:
-   * 1. Discovers validators via HCS registry topic
-   * 2. Selects a random validator with API endpoint
-   * 3. Authenticates with Web3-style challenge-response
-   * 4. Returns a configured client ready to use
+   * @param config - Network, registry topic, and auth signer config.
+   * @returns The configured client, the chosen validator, and the auth session.
+   * @throws SmartEngineError 503 if no validator with an API endpoint is found.
    */
   static async connectToNetwork(config) {
     const allowInsecure = config.allowInsecure ?? false;
@@ -9035,18 +9142,22 @@ var SmartEngineClient = class _SmartEngineClient {
     return { client, validator, session };
   }
   /**
-   * Connect to the smart-engines network via the **service-registry**
-   * (PR-1 of the cluster-discovery arc). Preferred over
-   * {@link connectToNetwork} once the validator pods in the target network
-   * have published their cluster endpoints — the SDK auto-balances across
-   * the active cluster set and rides permissionless cluster join/leave
-   * without code edits.
+   * Connect to the smart-engines network via the **service-registry**.
+   * Preferred over {@link connectToNetwork} once the validator pods in the
+   * target network have published their cluster endpoints — the SDK
+   * auto-balances across the active cluster set and rides permissionless
+   * cluster join/leave without code edits.
    *
-   * Fallback ladder (per `docs/ops/HANDOFF-service-registry-distribution-layer.md` §6):
+   * Resolution ladder:
    *   1. HTTP fetch `/api/v3/discovery/clusters` from each bootstrap seed.
    *   2. (Optional) HCS trust-anchor membership cross-check.
    *   3. Random-pick over the verified set.
    *
+   * @param config - Seed + auth config. See {@link ClusterConnectionConfig}.
+   * @returns The configured client, the selected cluster, and the auth session.
+   * @throws SmartEngineError 400 if neither `bootstrap` nor `network` is given.
+   * @throws SmartEngineError 503 if no active cluster can be reached.
+   *
    * @example Zero-config (recommended for smart-app callers)
    * ```ts
    * const { client, cluster, session } = await SmartEngineClient.connectToCluster({
@@ -9175,17 +9286,11 @@ var SmartEngineClient = class _SmartEngineClient {
     return this.http.post("/tokens/mint", validated);
   }
   /**
-   * Get token information.
+   * Get token information for a token on the given chain.
    *
-   * Route `GET /api/v3/tokens/:chain/:tokenId` is registered twice on the
-   * validator: by `ValidatorController` at
-   * `apps/smart-validator/src/validator.controller.ts:497` and by
-   * `TokenMigrationController` at
-   * `apps/smart-validator/src/token-migration/token-migration.controller.ts:173`.
-   * Nest resolves routes in `controllers: [...]` order — `ValidatorController`
-   * is registered first (`apps/smart-validator/src/smart-validator.module.ts:1222`),
-   * so `multiChain.getTokenInfo(chain, tokenId)` wins and the
-   * token-migration handler is unreachable via this path.
+   * @param chain - Chain identifier (e.g. `'hedera'`, `'xrpl'`).
+   * @param tokenId - Chain-native token identifier.
+   * @returns Token metadata and supply information.
    */
   async getTokenInfo(chain, tokenId) {
     return this.http.get(`/tokens/${encodePathParam(chain)}/${encodePathParam(tokenId)}`);
@@ -9414,8 +9519,7 @@ var DomainsClient = class {
   }
   /**
    * Generate a verification token. Server accepts one of `dns-txt`,
-   * `dns-cname`, `http-file`, `email` (see controller Swagger enum at
-   * `apps/smart-gateway/src/domains/domains.controller.ts:226-234`).
+   * `dns-cname`, `http-file`, `email`.
    */
   async generateVerificationToken(domain, method) {
     return this.http.post(`/domains/${encodePathParam(domain)}/verification`, { method });
@@ -9539,10 +9643,8 @@ var HealthClient = class {
   }
   http;
   /**
-   * Per-cluster aggregate health probe. Wraps
-   * `GET /api/v3/cluster/health` — see
-   * `apps/smart-gateway/src/health/health.controller.ts:213-263`. Returns
-   * local validator + host + genesis state in a single payload.
+   * Per-cluster aggregate health probe. Wraps `GET /api/v3/cluster/health`.
+   * Returns local validator + host + genesis state in a single payload.
    */
   async getCluster() {
     return this.http.get("/cluster/health");
@@ -10287,23 +10389,11 @@ var StorageClient = class {
     return this.http.delete(`/api/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`);
   }
   /**
-   * Get file info.
+   * List all files for the app.
    *
-   * @deprecated The smart-host storage controller does not expose a
-   * bare-CID metadata route — every metadata lookup must go through
-   * `getMetadata(cid)` (`/api/storage/:appId/metadata/:cid`) or the
-   * stream body via `download(cid)`. This alias forwards to `download`
-   * for back-compat; **scheduled for removal in 4.0.0**.
-   */
-  async getFile(cid) {
-    return this.download(cid);
-  }
-  /**
-   * List all files for the app
-   *
-   * @param pagination.offset Server reads `offset`; the legacy `skip`
-   *   option was a client-only synonym that the server silently ignored.
-   *   Use `offset` going forward.
+   * @param pagination - Optional `limit` and `offset` (the server reads
+   *   `offset` for pagination).
+   * @returns The file list and total count.
    */
   async listFiles(pagination) {
     const appId = this.getAppId();
@@ -10684,6 +10774,13 @@ var BaasClient = class _BaasClient {
   http;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
+  /**
+   * Auth options from the last {@link authenticate} call, retained so the
+   * client can transparently re-authenticate when the session token expires
+   * (the http client invokes {@link reauthenticate} on a 401). Undefined until
+   * the first successful authenticate.
+   */
+  authContext;
   // ========== Sub-Clients ==========
   /** Trustless database with state proofs and Merkle verification */
   db;
@@ -10713,7 +10810,11 @@ var BaasClient = class _BaasClient {
     const baseUrlWithPrefix = this.pathPrefix ? this.hostUrl.replace(/\/$/, "") + this.pathPrefix : this.hostUrl;
     this.http = createHttpClient({
       baseUrl: baseUrlWithPrefix,
-      timeout: this.timeout
+      timeout: this.timeout,
+      // Transparent session refresh: on a 401, re-run the challenge-response
+      // with the retained signer and retry once. No-op until authenticate() has
+      // been called (authContext set). Excludes /api/auth/* (see http client).
+      onUnauthorized: () => this.reauthenticate()
     });
     const getAppId = () => this.requireAppId();
     this.db = new DatabaseClient(this.http, getAppId);
@@ -10849,6 +10950,7 @@ var BaasClient = class _BaasClient {
    */
   async authenticate(options) {
     const { chain, walletAddress, publicKey, signFn } = options;
+    this.authContext = options;
     let challenge;
     try {
       challenge = await this.http.post("/api/auth/challenge", {
@@ -10873,6 +10975,30 @@ var BaasClient = class _BaasClient {
     this.http.setAuthToken(result.token);
     return result;
   }
+  /**
+   * Re-run the challenge-response with the retained signer to mint a fresh
+   * session token. Invoked by the http client's `onUnauthorized` hook when a
+   * request 401s because the token expired — so long-lived clients keep working
+   * without the caller re-implementing refresh. No-op if {@link authenticate}
+   * was never called. The `/api/auth/*` calls below are excluded from the http
+   * client's 401-retry path, so this can never recurse.
+   */
+  async reauthenticate() {
+    const ctx = this.authContext;
+    if (!ctx) return;
+    const challenge = await this.http.post("/api/auth/challenge", {
+      chain: ctx.chain,
+      walletAddress: ctx.walletAddress,
+      appId: this.appId
+    });
+    const signature = await ctx.signFn(challenge.message);
+    const result = await this.http.post("/api/auth/verify", {
+      challengeId: challenge.challengeId,
+      signature,
+      publicKey: ctx.publicKey
+    });
+    this.http.setAuthToken(result.token);
+  }
   /** Validate the current session */
   async validateSession() {
     this.requireAuth();
@@ -11149,9 +11275,6 @@ function validateEnvelopeSchema(envelope) {
   if (version === "kyber-aes-v1") {
     return validateKyberAesV1(envelope);
   }
-  if (version === "aes-v0") {
-    return validateAesV0(envelope);
-  }
   return {
     ok: false,
     reason: `unknown envelope version: ${JSON.stringify(version)}`
@@ -11245,38 +11368,6 @@ function validateKyberAesV1(env) {
   }
   return { ok: true, version: "kyber-aes-v1" };
 }
-function validateAesV0(env) {
-  if (!isNonEmptyString(env.aesIv)) {
-    return { ok: false, reason: "aesIv must be a non-empty base64 string" };
-  }
-  const ivBytes = tryDecodeBase64(env.aesIv);
-  if (!ivBytes) return { ok: false, reason: "aesIv is not valid base64" };
-  if (ivBytes.length !== AES_IV_LEN) {
-    return {
-      ok: false,
-      reason: `aesIv length ${ivBytes.length} != expected ${AES_IV_LEN} (AES-GCM 96-bit nonce)`
-    };
-  }
-  if (typeof env.aesCiphertext !== "string") {
-    return { ok: false, reason: "aesCiphertext must be a base64 string" };
-  }
-  if (env.aesCiphertext.length > 0) {
-    const ctBytes = tryDecodeBase64(env.aesCiphertext);
-    if (!ctBytes) return { ok: false, reason: "aesCiphertext is not valid base64" };
-  }
-  if (!isNonEmptyString(env.aesAuthTag)) {
-    return { ok: false, reason: "aesAuthTag must be a non-empty base64 string" };
-  }
-  const tagBytes = tryDecodeBase64(env.aesAuthTag);
-  if (!tagBytes) return { ok: false, reason: "aesAuthTag is not valid base64" };
-  if (tagBytes.length !== AES_TAG_LEN) {
-    return {
-      ok: false,
-      reason: `aesAuthTag length ${tagBytes.length} != expected ${AES_TAG_LEN} (AES-GCM 128-bit tag)`
-    };
-  }
-  return { ok: true, version: "aes-v0" };
-}
 
 // src/pqc-verify-envelope/verify-pqc-envelope.ts
 var KYBER_MIN_TIMESTAMP_MS = 17040672e5;
@@ -11295,10 +11386,10 @@ async function verifyPqcEnvelope(envelope, options = {}) {
     version,
     schemaValid: true,
     base64Valid: true,
-    // computed below for kyber-aes-v1; legacy has no encryptedAt so treat as plausible.
+    // Set to false below if the timestamp plausibility check fails.
     timestampPlausible: true
   };
-  if (version === "kyber-aes-v1") {
+  {
     details.kemAlgorithm = env.kemAlgorithm;
     details.recipientPkFingerprint = env.recipientPkFingerprint;
     details.kdfLabel = env.kdfLabel;
@@ -12160,17 +12251,13 @@ var AgentRulesBuilder = class extends BaseRuleBuilder {
     return this;
   }
   // ────────────────────────────────────────────────────────────────────────
-  // PR F — Phase-6.6 AI atom shortcuts
+  // AI atom shortcuts
   //
   // `MaxTradesPerWindow` and `RequireStructuredOutput` are optional atoms
   // (NOT registered as builtin organism modules) wired in the AI-inference
   // path of the smart-app's BaaS function. Attached here as canonical
   // `ModuleEntry`s so they ship inside the published rule and the cluster's
   // canonical evaluator can dispatch them.
-  //
-  // Atom sources:
-  //   libs/rules-engine/src/atoms/max-trades-per-window.atom.ts
-  //   libs/rules-engine/src/atoms/require-structured-output.atom.ts
   // ────────────────────────────────────────────────────────────────────────
   /**
    * Cap the agent at `maxTradesPerWindow` trades within a rolling `windowMs`
@@ -12282,7 +12369,7 @@ var module_ = {
     version: "1.0.0",
     config: withDexDefaults(config)
   })
-  // PR F — `agent` retired per Arc 6 Phase 6.5. Use `Rules.forAgent()` instead.
+  // No `agent` module — use `Rules.forAgent()` instead.
 };
 
 // src/rules/templates/index.ts
@@ -12770,6 +12857,7 @@ exports.DomainsClient = DomainsClient;
 exports.EntitiesClient = EntitiesClient;
 exports.EnvelopeClient = EnvelopeClient;
 exports.ErrorCode = ErrorCode;
+exports.FaucetClient = FaucetClient;
 exports.FeeConditionsSchema = FeeConditionsSchema;
 exports.FixedFeeConditionSchema = FixedFeeConditionSchema;
 exports.FractionalFeeConditionSchema = FractionalFeeConditionSchema;
@@ -12862,6 +12950,7 @@ exports.discovery = discovery_exports;
 exports.encodePathParam = encodePathParam;
 exports.envelope = envelope_exports;
 exports.fairLaunch = fairLaunch;
+exports.faucet = faucet_exports;
 exports.fetchRegistrySnapshot = fetchRegistrySnapshot;
 exports.forAccount = forAccount;
 exports.forAgent = forAgent;