npm - @hsuite/smart-engines-sdk - Versions diffs - 3.5.0 → 3.6.1 - Mend

@hsuite/smart-engines-sdk 3.5.0 → 3.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/CHANGELOG.md +6 -0
package/dist/index.d.ts +59 -2
package/dist/index.js +231 -125
package/dist/index.js.map +1 -1
package/dist/ipfs-access-key/index.js.map +1 -1
package/dist/k8s-secret-reader/index.js.map +1 -1
package/dist/nestjs/index.d.ts +53 -1
package/dist/nestjs/index.js +232 -87
package/dist/nestjs/index.js.map +1 -1
package/dist/pqc-verify/index.js.map +1 -1
package/dist/pqc-verify-envelope/index.d.ts +1 -1
package/dist/pqc-verify-envelope/index.js +2 -37
package/dist/pqc-verify-envelope/index.js.map +1 -1
package/package.json +16 -1

package/dist/index.js CHANGED Viewed

@@ -5674,7 +5674,7 @@ var CreateAccountRequestSchema = zod.z.object({
    * Smart node security mode for the account key structure.
    * - 'partial': threshold(2, [appOwnerKey, tssKeyList]) — co-control
    * - 'full': TSS KeyList only — full validator network control
-   * Default: 'full' (Arc 5 §7.5.2: 'none' removed).
+   * @defaultValue 'full'
    */
   securityMode: zod.z.enum(["partial", "full"]).default("full"),
   /**
@@ -6701,14 +6701,34 @@ function createHttpClient(config) {
       throw new SdkHttpError(`Upload error: ${err.message}`, 0, error);
     }
   }
+  let reauthInFlight = null;
+  async function withAuthRetry(path, op) {
+    try {
+      return await op();
+    } catch (error) {
+      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
+      if (!refreshable) throw error;
+      if (!reauthInFlight) {
+        reauthInFlight = Promise.resolve(config.onUnauthorized()).finally(() => {
+          reauthInFlight = null;
+        });
+      }
+      try {
+        await reauthInFlight;
+      } catch {
+        throw error;
+      }
+      return await op();
+    }
+  }
   const client = {
-    post: (path, body) => request("POST", path, body),
-    get: (path) => request("GET", path),
-    put: (path, body) => request("PUT", path, body),
-    patch: (path, body) => request("PATCH", path, body),
-    delete: (path) => request("DELETE", path),
-    getText,
-    upload: ((path, file, filename, metadata, fieldName) => upload(path, file, filename, metadata, fieldName)),
+    post: (path, body) => withAuthRetry(path, () => request("POST", path, body)),
+    get: (path) => withAuthRetry(path, () => request("GET", path)),
+    put: (path, body) => withAuthRetry(path, () => request("PUT", path, body)),
+    patch: (path, body) => withAuthRetry(path, () => request("PATCH", path, body)),
+    delete: (path) => withAuthRetry(path, () => request("DELETE", path)),
+    getText: (path) => withAuthRetry(path, () => getText(path)),
+    upload: ((path, file, filename, metadata, fieldName) => withAuthRetry(path, () => upload(path, file, filename, metadata, fieldName))),
     setAuthToken,
     getAuthToken
   };
@@ -7116,8 +7136,8 @@ var ValidatorAuthClient = class {
    *
    * Structurally typed against the surface of xrpl's `Wallet` — see the
    * comment on {@link HederaSigner} for the "no direct import" rationale.
-   * Accepts both the modern `{ signedTransaction }` envelope and the
-   * legacy bare-string return shape.
+   * Accepts both the `{ signedTransaction }` envelope and the bare-string
+   * return shapes that xrpl signer libraries expose.
    *
    * @param challenge - Challenge string from validator
    * @param wallet - XRPL Wallet instance (or compatible signer)
@@ -7360,6 +7380,44 @@ var SubscriptionClient = class {
   }
 };
+// src/faucet/index.ts
+var faucet_exports = {};
+__export(faucet_exports, {
+  FaucetClient: () => FaucetClient
+});
+var FaucetClient = class {
+  constructor(http) {
+    this.http = http;
+  }
+  http;
+  /**
+   * Request a signing challenge for a recipient address. The returned
+   * `message` must be signed by the key controlling `recipientAddress`.
+   */
+  async requestChallenge(chain, recipientAddress) {
+    return this.http.post("/faucet/hsuite/challenge", { chain, recipientAddress });
+  }
+  /**
+   * Submit a signed challenge to dispense HST. The result is a discriminated
+   * union on `status` — branch on `'dispensed' | 'trustline_required' |
+   * 'rate_limited'`. On `'trustline_required'`, set the returned trust line on
+   * the recipient and re-dispense with a fresh challenge.
+   */
+  async dispense(req) {
+    return this.http.post("/faucet/hsuite", req);
+  }
+  /**
+   * Get today's dispense status for a recipient (e.g. amount already
+   * dispensed today).
+   */
+  async getStatus(chain, recipientAddress) {
+    const params = new URLSearchParams();
+    params.append("chain", chain);
+    params.append("recipientAddress", recipientAddress);
+    return this.http.get(`/faucet/hsuite/status?${params.toString()}`);
+  }
+};
 // src/tss/index.ts
 var TSSClient = class {
   constructor(http) {
@@ -7367,20 +7425,29 @@ var TSSClient = class {
   }
   http;
   /**
-   * Create a multi-sig entity with TSS
+   * Create a multi-sig entity via a synchronous DKG ceremony.
+   *
+   * @param options Entity-creation parameters (chain, threshold, participants).
+   * @returns The created entity's identity (ids + group public keys).
    */
   async createEntity(options) {
     return this.http.post("/tss/entity/create", options);
   }
   /**
-   * Reshare keys when cluster membership changes.
-   * Redistributes secret shares WITHOUT changing public keys.
+   * Reshare keys when cluster membership changes. Redistributes secret shares
+   * WITHOUT changing public keys.
+   *
+   * @param request The new membership / threshold to reshare to.
+   * @returns The reshare outcome.
    */
   async reshareCluster(request) {
     return this.http.post("/tss/cluster/reshare", request);
   }
   /**
-   * Get entity details by ID
+   * Get entity details by id.
+   *
+   * @param entityId The entity id to look up.
+   * @returns The entity's details.
    */
   async getEntity(entityId) {
     return this.http.get(`/tss/entity/${encodePathParam(entityId)}`);
@@ -7389,55 +7456,71 @@ var TSSClient = class {
    * Sign a transaction using MPC.
    *
    * Routes to `POST /api/v3/tss/hedera/sign-mpc`. Only `'hedera'` is wired
-   * server-side today (see
-   * `apps/smart-validator/src/tss/tss.controller.ts:279`); other chain
-   * signing paths run via their own controllers (XRPL multisig, Polkadot
-   * MPC) and are not exposed through this sub-client. The `chain` field is
-   * carried into the request body so the validator can log + route, but
-   * any non-`'hedera'` value will 404.
+   * server-side; other chain signing paths run via their own controllers (XRPL
+   * multisig, Polkadot MPC) and are not exposed through this sub-client. The
+   * `chain` field is carried into the request body so the validator can log +
+   * route, but any non-`'hedera'` value will 404.
+   *
+   * @param request The MPC signing request; `chain` is forced to `'hedera'`.
+   * @returns The MPC signing result.
    */
   async signMPC(request) {
     const chain = "hedera";
     return this.http.post(`/tss/${chain}/sign-mpc`, { ...request, chain });
   }
   /**
-   * Get known validators and their public keys
+   * Get known validators and their public keys.
+   *
+   * @returns The validator list with public keys.
    */
   async getValidators() {
     return this.http.get("/tss/validators");
   }
   /**
-   * Force announcement of this node's public key
+   * Force announcement of this node's public key.
+   *
+   * @returns Whether the announcement was accepted, plus a status message.
    */
   async announceKey() {
     return this.http.post("/tss/announce", {});
   }
   /**
-   * Get TSS statistics
+   * Get TSS statistics.
+   *
+   * @returns Aggregate TSS statistics.
    */
   async getStats() {
     return this.http.get("/tss/stats");
   }
   /**
-   * List all TSS entities
+   * List all TSS entities.
+   *
+   * @returns The full entity list.
    */
   async listEntities() {
     return this.http.get("/tss/entities");
   }
   /**
-   * TSS health check
+   * TSS health check.
+   *
+   * @returns The TSS subsystem health report.
    */
   async getHealth() {
     return this.http.get("/tss/health");
   }
   /**
-   * List DKG ceremonies and their statistics
+   * List DKG ceremonies and their statistics.
+   *
+   * @returns The ceremony list.
    */
   async listCeremonies() {
     return this.http.get("/tss/multisig/ceremonies");
   }
   /**
-   * Get multi-sig transaction status by transaction ID
+   * Get multi-sig transaction status by transaction id.
+   *
+   * @param txId The multi-sig transaction id.
+   * @returns The current status of that transaction.
    */
   async getMultiSigStatus(txId) {
     return this.http.get(`/tss/multisig/transactions/${encodePathParam(txId)}`);
@@ -7448,6 +7531,9 @@ var TSSClient = class {
    * Server returns 202 + `{ jobId, statusUrl, status: 'pending' }` immediately;
    * the DKG ceremony runs in the background. Poll {@link getJob} until the
    * status reaches `'success'` or `'failed'`.
+   *
+   * @param options Entity-creation parameters.
+   * @returns A job descriptor (`jobId`, `statusUrl`, initial status).
    */
   async createEntityAsync(options) {
     return this.http.post("/tss/entity/create/async", options);
@@ -7455,6 +7541,9 @@ var TSSClient = class {
   /**
    * Async-job variant of {@link reshareCluster}. Returns 202 + a polling
    * descriptor; resharing runs in the background.
+   *
+   * @param request The new membership / threshold to reshare to.
+   * @returns A job descriptor to poll via {@link getJob}.
    */
   async reshareClusterAsync(request) {
     return this.http.post("/tss/cluster/reshare/async", request);
@@ -7462,6 +7551,9 @@ var TSSClient = class {
   /**
    * Poll the status of an async TSS-ceremony job kicked off via
    * {@link createEntityAsync} or {@link reshareClusterAsync}.
+   *
+   * @param jobId The job id returned by the async kickoff call.
+   * @returns The job's current status (and result once terminal).
    */
   async getJob(jobId) {
     return this.http.get(`/tss/jobs/${encodePathParam(jobId)}`);
@@ -7474,6 +7566,10 @@ var TSSClient = class {
    * Payload constraints (enforced server-side):
    *   - even-length lowercase hex
    *   - ≥32 bytes, ≤8KB
+   *
+   * @param appId The smart-app entity id to sign as.
+   * @param request The hex payload to sign.
+   * @returns The aggregate signature over the payload.
    */
   async signForApp(appId, request) {
     return this.http.post(`/tss/entity/${encodePathParam(appId)}/sign`, request);
@@ -8546,25 +8642,29 @@ var DeploymentClient = class {
     return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}`);
   }
   /**
-   * Update app configuration. Runtime effect lands in PR-H.
+   * Update app configuration.
+   *
+   * @param appId - The app to update.
+   * @param updates - Partial deploy-request fields to apply.
+   * @returns The updated app info.
    */
   async update(appId, updates) {
     return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}`, updates);
   }
   /**
-   * Delete an app. Runtime effect (namespace teardown) lands in PR-H.
+   * Delete an app (runtime effect: namespace teardown).
    */
   async delete(appId) {
     return this.http.delete(`/api/deployment/apps/${encodePathParam(appId)}`);
   }
   /**
-   * Suspend an app. Runtime effect (scale to zero) lands in PR-H.
+   * Suspend an app (runtime effect: scale to zero).
    */
   async suspend(appId) {
     return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/suspend`, {});
   }
   /**
-   * Resume a suspended app. Runtime effect (scale back up) lands in PR-H.
+   * Resume a suspended app (runtime effect: scale back up).
    */
   async resume(appId) {
     return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/resume`, {});
@@ -8613,7 +8713,7 @@ var DeploymentClient = class {
     return this.http.getText(`/api/deployment/apps/${encodePathParam(appId)}/metrics`);
   }
   /**
-   * Rotate the smart-app's tenant-secret KEK (ADR-011 Phase 6).
+   * Rotate the smart-app's tenant-secret KEK.
    *
    * Re-encrypts every `runtime.env` envelope at the new KEK version
    * transparently. Previous versions remain valid until explicitly
@@ -8626,7 +8726,7 @@ var DeploymentClient = class {
     );
   }
   /**
-   * Revoke a tenant-secret KEK version (ADR-011 Phase 6 emergency burn).
+   * Revoke a tenant-secret KEK version (emergency burn).
    *
    * Envelopes at the revoked version become operationally dead —
    * decryption inside the smart-app pod fails. Owner-only and
@@ -8879,6 +8979,8 @@ var SmartEngineClient = class _SmartEngineClient {
   // ========== Sub-Clients ==========
   /** Application subscription management */
   subscription;
+  /** Testnet HST faucet (challenge -> sign -> dispense) */
+  faucet;
   /** Threshold Signature Scheme — chain-agnostic MPC operations */
   tss;
   /** IPFS decentralized file storage */
@@ -8937,6 +9039,7 @@ var SmartEngineClient = class _SmartEngineClient {
       timeout: config.timeout
     });
     this.subscription = new SubscriptionClient(this.http);
+    this.faucet = new FaucetClient(this.http);
     this.tss = new TSSClient(this.http);
     this.ipfs = new IPFSClient(this.http);
     this.transactions = new TransactionsClient(this.txHttp);
@@ -8992,13 +9095,17 @@ var SmartEngineClient = class _SmartEngineClient {
     });
   }
   /**
-   * Connect to the smart-engines network with auto-discovery and authentication
+   * Connect to the smart-engines network with auto-discovery and authentication.
    *
-   * This method:
-   * 1. Discovers validators via HCS registry topic
-   * 2. Selects a random validator with API endpoint
-   * 3. Authenticates with Web3-style challenge-response
-   * 4. Returns a configured client ready to use
+   * Steps:
+   * 1. Discovers validators via the HCS registry topic.
+   * 2. Selects a random validator with an API endpoint.
+   * 3. Authenticates with Web3-style challenge-response.
+   * 4. Returns a configured client ready to use.
+   *
+   * @param config - Network, registry topic, and auth signer config.
+   * @returns The configured client, the chosen validator, and the auth session.
+   * @throws SmartEngineError 503 if no validator with an API endpoint is found.
    */
   static async connectToNetwork(config) {
     const allowInsecure = config.allowInsecure ?? false;
@@ -9035,18 +9142,22 @@ var SmartEngineClient = class _SmartEngineClient {
     return { client, validator, session };
   }
   /**
-   * Connect to the smart-engines network via the **service-registry**
-   * (PR-1 of the cluster-discovery arc). Preferred over
-   * {@link connectToNetwork} once the validator pods in the target network
-   * have published their cluster endpoints — the SDK auto-balances across
-   * the active cluster set and rides permissionless cluster join/leave
-   * without code edits.
+   * Connect to the smart-engines network via the **service-registry**.
+   * Preferred over {@link connectToNetwork} once the validator pods in the
+   * target network have published their cluster endpoints — the SDK
+   * auto-balances across the active cluster set and rides permissionless
+   * cluster join/leave without code edits.
    *
-   * Fallback ladder (per `docs/ops/HANDOFF-service-registry-distribution-layer.md` §6):
+   * Resolution ladder:
    *   1. HTTP fetch `/api/v3/discovery/clusters` from each bootstrap seed.
    *   2. (Optional) HCS trust-anchor membership cross-check.
    *   3. Random-pick over the verified set.
    *
+   * @param config - Seed + auth config. See {@link ClusterConnectionConfig}.
+   * @returns The configured client, the selected cluster, and the auth session.
+   * @throws SmartEngineError 400 if neither `bootstrap` nor `network` is given.
+   * @throws SmartEngineError 503 if no active cluster can be reached.
+   *
    * @example Zero-config (recommended for smart-app callers)
    * ```ts
    * const { client, cluster, session } = await SmartEngineClient.connectToCluster({
@@ -9175,17 +9286,11 @@ var SmartEngineClient = class _SmartEngineClient {
     return this.http.post("/tokens/mint", validated);
   }
   /**
-   * Get token information.
+   * Get token information for a token on the given chain.
    *
-   * Route `GET /api/v3/tokens/:chain/:tokenId` is registered twice on the
-   * validator: by `ValidatorController` at
-   * `apps/smart-validator/src/validator.controller.ts:497` and by
-   * `TokenMigrationController` at
-   * `apps/smart-validator/src/token-migration/token-migration.controller.ts:173`.
-   * Nest resolves routes in `controllers: [...]` order — `ValidatorController`
-   * is registered first (`apps/smart-validator/src/smart-validator.module.ts:1222`),
-   * so `multiChain.getTokenInfo(chain, tokenId)` wins and the
-   * token-migration handler is unreachable via this path.
+   * @param chain - Chain identifier (e.g. `'hedera'`, `'xrpl'`).
+   * @param tokenId - Chain-native token identifier.
+   * @returns Token metadata and supply information.
    */
   async getTokenInfo(chain, tokenId) {
     return this.http.get(`/tokens/${encodePathParam(chain)}/${encodePathParam(tokenId)}`);
@@ -9414,8 +9519,7 @@ var DomainsClient = class {
   }
   /**
    * Generate a verification token. Server accepts one of `dns-txt`,
-   * `dns-cname`, `http-file`, `email` (see controller Swagger enum at
-   * `apps/smart-gateway/src/domains/domains.controller.ts:226-234`).
+   * `dns-cname`, `http-file`, `email`.
    */
   async generateVerificationToken(domain, method) {
     return this.http.post(`/domains/${encodePathParam(domain)}/verification`, { method });
@@ -9539,10 +9643,8 @@ var HealthClient = class {
   }
   http;
   /**
-   * Per-cluster aggregate health probe. Wraps
-   * `GET /api/v3/cluster/health` — see
-   * `apps/smart-gateway/src/health/health.controller.ts:213-263`. Returns
-   * local validator + host + genesis state in a single payload.
+   * Per-cluster aggregate health probe. Wraps `GET /api/v3/cluster/health`.
+   * Returns local validator + host + genesis state in a single payload.
    */
   async getCluster() {
     return this.http.get("/cluster/health");
@@ -9586,11 +9688,28 @@ var SmartGatewayClient = class {
     return this.http.get("/status");
   }
   /**
-   * Check gateway readiness. Returns either `{ status: 'ready', ... }` with
-   * a verified host count or `{ status: 'not_ready', reason, ... }`.
+   * Check gateway readiness. Resolves to either `{ status: 'ready', ... }`
+   * with a verified host count or `{ status: 'not_ready', reason, ... }`.
+   *
+   * NOTE: `/api/v3/ready` returns **HTTP 503** when not ready (so load
+   * balancers / k8s probes drain the origin). This method unwraps that 503's
+   * body and still RESOLVES to a `GatewayReadinessResponse` — it does not
+   * throw for a not-ready gateway. Genuine errors (non-readiness 503s, 5xx,
+   * network) still throw.
    */
   async getReadiness() {
-    return this.http.get("/ready");
+    try {
+      return await this.http.get("/ready");
+    } catch (err) {
+      if (err instanceof SdkHttpError && err.statusCode === 503) {
+        const d = err.details;
+        const body = d?.context ?? d;
+        if (body?.status === "not_ready") {
+          return body;
+        }
+      }
+      throw err;
+    }
   }
   /** Check gateway liveness. */
   async getLiveness() {
@@ -10287,23 +10406,11 @@ var StorageClient = class {
     return this.http.delete(`/api/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`);
   }
   /**
-   * Get file info.
+   * List all files for the app.
    *
-   * @deprecated The smart-host storage controller does not expose a
-   * bare-CID metadata route — every metadata lookup must go through
-   * `getMetadata(cid)` (`/api/storage/:appId/metadata/:cid`) or the
-   * stream body via `download(cid)`. This alias forwards to `download`
-   * for back-compat; **scheduled for removal in 4.0.0**.
-   */
-  async getFile(cid) {
-    return this.download(cid);
-  }
-  /**
-   * List all files for the app
-   *
-   * @param pagination.offset Server reads `offset`; the legacy `skip`
-   *   option was a client-only synonym that the server silently ignored.
-   *   Use `offset` going forward.
+   * @param pagination - Optional `limit` and `offset` (the server reads
+   *   `offset` for pagination).
+   * @returns The file list and total count.
    */
   async listFiles(pagination) {
     const appId = this.getAppId();
@@ -10684,6 +10791,13 @@ var BaasClient = class _BaasClient {
   http;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
+  /**
+   * Auth options from the last {@link authenticate} call, retained so the
+   * client can transparently re-authenticate when the session token expires
+   * (the http client invokes {@link reauthenticate} on a 401). Undefined until
+   * the first successful authenticate.
+   */
+  authContext;
   // ========== Sub-Clients ==========
   /** Trustless database with state proofs and Merkle verification */
   db;
@@ -10713,7 +10827,11 @@ var BaasClient = class _BaasClient {
     const baseUrlWithPrefix = this.pathPrefix ? this.hostUrl.replace(/\/$/, "") + this.pathPrefix : this.hostUrl;
     this.http = createHttpClient({
       baseUrl: baseUrlWithPrefix,
-      timeout: this.timeout
+      timeout: this.timeout,
+      // Transparent session refresh: on a 401, re-run the challenge-response
+      // with the retained signer and retry once. No-op until authenticate() has
+      // been called (authContext set). Excludes /api/auth/* (see http client).
+      onUnauthorized: () => this.reauthenticate()
     });
     const getAppId = () => this.requireAppId();
     this.db = new DatabaseClient(this.http, getAppId);
@@ -10849,6 +10967,7 @@ var BaasClient = class _BaasClient {
    */
   async authenticate(options) {
     const { chain, walletAddress, publicKey, signFn } = options;
+    this.authContext = options;
     let challenge;
     try {
       challenge = await this.http.post("/api/auth/challenge", {
@@ -10873,6 +10992,30 @@ var BaasClient = class _BaasClient {
     this.http.setAuthToken(result.token);
     return result;
   }
+  /**
+   * Re-run the challenge-response with the retained signer to mint a fresh
+   * session token. Invoked by the http client's `onUnauthorized` hook when a
+   * request 401s because the token expired — so long-lived clients keep working
+   * without the caller re-implementing refresh. No-op if {@link authenticate}
+   * was never called. The `/api/auth/*` calls below are excluded from the http
+   * client's 401-retry path, so this can never recurse.
+   */
+  async reauthenticate() {
+    const ctx = this.authContext;
+    if (!ctx) return;
+    const challenge = await this.http.post("/api/auth/challenge", {
+      chain: ctx.chain,
+      walletAddress: ctx.walletAddress,
+      appId: this.appId
+    });
+    const signature = await ctx.signFn(challenge.message);
+    const result = await this.http.post("/api/auth/verify", {
+      challengeId: challenge.challengeId,
+      signature,
+      publicKey: ctx.publicKey
+    });
+    this.http.setAuthToken(result.token);
+  }
   /** Validate the current session */
   async validateSession() {
     this.requireAuth();
@@ -11149,9 +11292,6 @@ function validateEnvelopeSchema(envelope) {
   if (version === "kyber-aes-v1") {
     return validateKyberAesV1(envelope);
   }
-  if (version === "aes-v0") {
-    return validateAesV0(envelope);
-  }
   return {
     ok: false,
     reason: `unknown envelope version: ${JSON.stringify(version)}`
@@ -11245,38 +11385,6 @@ function validateKyberAesV1(env) {
   }
   return { ok: true, version: "kyber-aes-v1" };
 }
-function validateAesV0(env) {
-  if (!isNonEmptyString(env.aesIv)) {
-    return { ok: false, reason: "aesIv must be a non-empty base64 string" };
-  }
-  const ivBytes = tryDecodeBase64(env.aesIv);
-  if (!ivBytes) return { ok: false, reason: "aesIv is not valid base64" };
-  if (ivBytes.length !== AES_IV_LEN) {
-    return {
-      ok: false,
-      reason: `aesIv length ${ivBytes.length} != expected ${AES_IV_LEN} (AES-GCM 96-bit nonce)`
-    };
-  }
-  if (typeof env.aesCiphertext !== "string") {
-    return { ok: false, reason: "aesCiphertext must be a base64 string" };
-  }
-  if (env.aesCiphertext.length > 0) {
-    const ctBytes = tryDecodeBase64(env.aesCiphertext);
-    if (!ctBytes) return { ok: false, reason: "aesCiphertext is not valid base64" };
-  }
-  if (!isNonEmptyString(env.aesAuthTag)) {
-    return { ok: false, reason: "aesAuthTag must be a non-empty base64 string" };
-  }
-  const tagBytes = tryDecodeBase64(env.aesAuthTag);
-  if (!tagBytes) return { ok: false, reason: "aesAuthTag is not valid base64" };
-  if (tagBytes.length !== AES_TAG_LEN) {
-    return {
-      ok: false,
-      reason: `aesAuthTag length ${tagBytes.length} != expected ${AES_TAG_LEN} (AES-GCM 128-bit tag)`
-    };
-  }
-  return { ok: true, version: "aes-v0" };
-}
 // src/pqc-verify-envelope/verify-pqc-envelope.ts
 var KYBER_MIN_TIMESTAMP_MS = 17040672e5;
@@ -11295,10 +11403,10 @@ async function verifyPqcEnvelope(envelope, options = {}) {
     version,
     schemaValid: true,
     base64Valid: true,
-    // computed below for kyber-aes-v1; legacy has no encryptedAt so treat as plausible.
+    // Set to false below if the timestamp plausibility check fails.
     timestampPlausible: true
   };
-  if (version === "kyber-aes-v1") {
+  {
     details.kemAlgorithm = env.kemAlgorithm;
     details.recipientPkFingerprint = env.recipientPkFingerprint;
     details.kdfLabel = env.kdfLabel;
@@ -12160,17 +12268,13 @@ var AgentRulesBuilder = class extends BaseRuleBuilder {
     return this;
   }
   // ────────────────────────────────────────────────────────────────────────
-  // PR F — Phase-6.6 AI atom shortcuts
+  // AI atom shortcuts
   //
   // `MaxTradesPerWindow` and `RequireStructuredOutput` are optional atoms
   // (NOT registered as builtin organism modules) wired in the AI-inference
   // path of the smart-app's BaaS function. Attached here as canonical
   // `ModuleEntry`s so they ship inside the published rule and the cluster's
   // canonical evaluator can dispatch them.
-  //
-  // Atom sources:
-  //   libs/rules-engine/src/atoms/max-trades-per-window.atom.ts
-  //   libs/rules-engine/src/atoms/require-structured-output.atom.ts
   // ────────────────────────────────────────────────────────────────────────
   /**
    * Cap the agent at `maxTradesPerWindow` trades within a rolling `windowMs`
@@ -12282,7 +12386,7 @@ var module_ = {
     version: "1.0.0",
     config: withDexDefaults(config)
   })
-  // PR F — `agent` retired per Arc 6 Phase 6.5. Use `Rules.forAgent()` instead.
+  // No `agent` module — use `Rules.forAgent()` instead.
 };
 // src/rules/templates/index.ts
@@ -12770,6 +12874,7 @@ exports.DomainsClient = DomainsClient;
 exports.EntitiesClient = EntitiesClient;
 exports.EnvelopeClient = EnvelopeClient;
 exports.ErrorCode = ErrorCode;
+exports.FaucetClient = FaucetClient;
 exports.FeeConditionsSchema = FeeConditionsSchema;
 exports.FixedFeeConditionSchema = FixedFeeConditionSchema;
 exports.FractionalFeeConditionSchema = FractionalFeeConditionSchema;
@@ -12862,6 +12967,7 @@ exports.discovery = discovery_exports;
 exports.encodePathParam = encodePathParam;
 exports.envelope = envelope_exports;
 exports.fairLaunch = fairLaunch;
+exports.faucet = faucet_exports;
 exports.fetchRegistrySnapshot = fetchRegistrySnapshot;
 exports.forAccount = forAccount;
 exports.forAgent = forAgent;