@hsuite/smart-engines-sdk 3.6.1 → 3.10.0

package/dist/index.js

@@ -78,11 +78,11 @@ var require_utils = __commonJS({
       u8Array[OriginalBuffer] = buffer;
       return u8Array;
     }
-    var bytesToHex2 = (bytes) => {
+    var bytesToHex3 = (bytes) => {
       const buf = Buffer.from(bytes);
       return buf.toString("hex").toUpperCase();
     };
-    exports.bytesToHex = bytesToHex2;
+    exports.bytesToHex = bytesToHex3;
     var hexToBytes2 = (hex) => {
       if (!shared_1.HEX_REGEX.test(hex)) {
         throw new Error("Invalid hex string");
@@ -479,7 +479,7 @@ var require_lib = __commonJS({
         return Uint8Array.from(res);
       }
     };
-    var createBase58check = (sha2562) => /* @__PURE__ */ chain(checksum(4, (data) => sha2562(sha2562(data))), exports.base58);
+    var createBase58check = (sha2563) => /* @__PURE__ */ chain(checksum(4, (data) => sha2563(sha2563(data))), exports.base58);
     exports.createBase58check = createBase58check;
     exports.base58check = exports.createBase58check;
     var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join(""));
@@ -3062,7 +3062,7 @@ var require_weierstrass = __commonJS({
         }
         return { seed, k2sig };
       }
-      function sign(message, secretKey, opts = {}) {
+      function sign2(message, secretKey, opts = {}) {
         message = (0, utils_ts_1.ensureBytes)("message", message);
         const { seed, k2sig } = prepSig(message, secretKey, opts);
         const drbg = (0, utils_ts_1.createHmacDrbg)(hash.outputLen, Fn.BYTES, hmac);
@@ -3096,7 +3096,7 @@ var require_weierstrass = __commonJS({
           return false;
         return sig;
       }
-      function verify(signature, message, publicKey, opts = {}) {
+      function verify2(signature, message, publicKey, opts = {}) {
         const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
         publicKey = (0, utils_ts_1.ensureBytes)("publicKey", publicKey);
         message = validateMsgAndHash((0, utils_ts_1.ensureBytes)("message", message), prehash);
@@ -3135,8 +3135,8 @@ var require_weierstrass = __commonJS({
         utils,
         lengths,
         Point,
-        sign,
-        verify,
+        sign: sign2,
+        verify: verify2,
         recoverPublicKey,
         Signature,
         hash
@@ -4326,7 +4326,7 @@ var require_edwards = __commonJS({
         const msg = (0, utils_ts_1.concatBytes)(...msgs);
         return modN_LE(cHash(domain(msg, (0, utils_ts_1.ensureBytes)("context", context), !!prehash)));
       }
-      function sign(msg, secretKey, options = {}) {
+      function sign2(msg, secretKey, options = {}) {
         msg = (0, utils_ts_1.ensureBytes)("message", msg);
         if (prehash)
           msg = prehash(msg);
@@ -4341,7 +4341,7 @@ var require_edwards = __commonJS({
         return (0, utils_ts_1._abytes2)(rs, lengths.signature, "result");
       }
       const verifyOpts = { zip215: true };
-      function verify(sig, msg, publicKey, options = verifyOpts) {
+      function verify2(sig, msg, publicKey, options = verifyOpts) {
         const { context, zip215 } = options;
         const len = lengths.signature;
         sig = (0, utils_ts_1.ensureBytes)("signature", sig, len);
@@ -4431,8 +4431,8 @@ var require_edwards = __commonJS({
       return Object.freeze({
         keygen,
         getPublicKey,
-        sign,
-        verify,
+        sign: sign2,
+        verify: verify2,
         utils,
         Point,
         lengths
@@ -5053,7 +5053,7 @@ var require_dist2 = __commonJS({
       return (0, ripple_address_codec_1.encodeSeed)(entropy, type);
     }
     exports.generateSeed = generateSeed;
-    function deriveKeypair(seed, options) {
+    function deriveKeypair2(seed, options) {
       var _a;
       const decoded = (0, ripple_address_codec_1.decodeSeed)(seed);
       const proposedAlgorithm = (_a = options === null || options === void 0 ? void 0 : options.algorithm) !== null && _a !== void 0 ? _a : decoded.type;
@@ -5067,27 +5067,27 @@ var require_dist2 = __commonJS({
       }
       return keypair;
     }
-    exports.deriveKeypair = deriveKeypair;
-    function sign(messageHex, privateKey) {
+    exports.deriveKeypair = deriveKeypair2;
+    function sign2(messageHex, privateKey) {
       const algorithm = (0, getAlgorithmFromKey_1.getAlgorithmFromPrivateKey)(privateKey);
       return getSigningScheme(algorithm).sign((0, utils_1.hexToBytes)(messageHex), privateKey);
     }
-    exports.sign = sign;
-    function verify(messageHex, signature, publicKey) {
+    exports.sign = sign2;
+    function verify2(messageHex, signature, publicKey) {
       const algorithm = (0, getAlgorithmFromKey_1.getAlgorithmFromPublicKey)(publicKey);
       return getSigningScheme(algorithm).verify((0, utils_1.hexToBytes)(messageHex), signature, publicKey);
     }
-    exports.verify = verify;
+    exports.verify = verify2;
     function computePublicKeyHash(publicKeyBytes) {
       return (0, ripemd160_1.ripemd160)((0, sha256_1.sha256)(publicKeyBytes));
     }
     function deriveAddressFromBytes(publicKeyBytes) {
       return (0, ripple_address_codec_1.encodeAccountID)(computePublicKeyHash(publicKeyBytes));
     }
-    function deriveAddress(publicKey) {
+    function deriveAddress2(publicKey) {
       return deriveAddressFromBytes((0, utils_1.hexToBytes)(publicKey));
     }
-    exports.deriveAddress = deriveAddress;
+    exports.deriveAddress = deriveAddress2;
     function deriveNodeAddress(publicKey) {
       const generatorBytes = (0, ripple_address_codec_1.decodeNodePublic)(publicKey);
       const accountPublicBytes = (0, utils_2.accountPublicFromPublicGenerator)(generatorBytes);
@@ -5643,6 +5643,14 @@ var PreparedTransactionSovereigntySchema = zod.z.discriminatedUnion("mode", [
     authorizationSet: PreparedTransactionAuthorizationSetSchema.optional()
   })
 ]);
+var RuleRefSchema = zod.z.object({
+  /** Chain whose HCS the rule was published on (canonically 'hedera'). */
+  chain: ChainTypeSchema,
+  /** HCS topic ID the rule message was published to. */
+  topicId: zod.z.string().min(1),
+  /** HCS consensus timestamp of the rule message. */
+  consensusTimestamp: zod.z.string().min(1)
+});
 var CreateAccountRequestSchema = zod.z.object({
   chain: ChainTypeSchema,
   initialBalance: zod.z.string(),
@@ -5682,6 +5690,22 @@ var CreateAccountRequestSchema = zod.z.object({
    * The owner key + TSS network key form a threshold-2 multi-sig.
    */
   appOwnerPublicKey: zod.z.string().optional(),
+  /**
+   * The entity's canonical `ruleRef` (HCS pointer to its `ValidatorRules`). When
+   * present, the chain adapter stamps the IMMUTABLE creation-tx rule anchor
+   * (`rule:<topicId>@<consensusTimestamp>:<entityType>`) — distinct from the
+   * mutable validator-binding memo — so the sign-gate resolves the rule on-chain
+   * (kind:'ref') rather than trusting the replicated binding
+   * (RFC 2026-06-15-onchain-rule-anchor §6.1). Absent ⇒ the degraded
+   * `rule:bootstrap:<entityType>` marker when `entityType` is supplied.
+   */
+  ruleRef: RuleRefSchema.optional(),
+  /**
+   * Entity-type tag stamped into the rule anchor (e.g. 'wallet', 'account').
+   * Supply it to enable the on-chain anchor; omit for the prior memo-less
+   * (legacy) behaviour.
+   */
+  entityType: zod.z.string().min(1).optional(),
   metadata: zod.z.record(zod.z.any()).optional()
 });
 zod.z.object({
@@ -5769,6 +5793,21 @@ var CreateTokenRequestSchema = zod.z.object({
   immutable: zod.z.boolean().default(true),
   /** See CreateAccountRequestSchema.payerAccountId — same resolution rules. */
   payerAccountId: zod.z.string().optional(),
+  /**
+   * The entity's canonical `ruleRef` (HCS pointer to its `ValidatorRules`). When
+   * present, the chain adapter stamps the IMMUTABLE creation-tx rule anchor
+   * (`rule:<topicId>@<consensusTimestamp>:<entityType>`) — distinct from the
+   * mutable validator-binding token memo — so the sign-gate resolves the rule
+   * on-chain (kind:'ref') rather than trusting the replicated binding
+   * (RFC 2026-06-15-onchain-rule-anchor §6.1). Absent ⇒ the degraded
+   * `rule:bootstrap:<entityType>` marker when `entityType` is supplied.
+   */
+  ruleRef: RuleRefSchema.optional(),
+  /**
+   * Entity-type tag stamped into the rule anchor (e.g. 'token'). Supply it to
+   * enable the on-chain anchor; omit for the prior memo-less behaviour.
+   */
+  entityType: zod.z.string().min(1).optional(),
   metadata: zod.z.record(zod.z.any()).optional()
 });
 zod.z.object({
@@ -6706,7 +6745,7 @@ function createHttpClient(config) {
     try {
       return await op();
     } catch (error) {
-      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
+      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/v3/baas/auth/") && !path.startsWith("/api/v3/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
       if (!refreshable) throw error;
       if (!reauthInFlight) {
         reauthInFlight = Promise.resolve(config.onUnauthorized()).finally(() => {
@@ -7690,7 +7729,7 @@ var HederaTransactionsClient = class {
    *   - `client.hedera.tss.createTopic(...)` makes the cluster sign+submit in one call.
    *
    * `tssHttp` is the validator's `/api/v3`-rooted HTTP client (different from
-   * the `/api/transactions` one this class uses for prepare paths). Both
+   * the `/api/v3/transactions` one this class uses for prepare paths). Both
    * clients are required — the previous single-arg fallback to `http` was
    * unreachable through `SmartEngineClient` (the only call site always
    * passes both).
@@ -8492,15 +8531,15 @@ var AgentsClient = class {
   http;
   /** Register a new agent */
   async register(request) {
-    return this.http.post("/api/agents/register", request);
+    return this.http.post("/api/v3/baas/agents/register", request);
   }
   /** Get agent details */
   async get(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}`);
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}`);
   }
   /** List all agents */
   async list() {
-    return this.http.get("/api/agents");
+    return this.http.get("/api/v3/baas/agents");
   }
   /**
    * Fund agent treasury (owner-only). Returns a
@@ -8508,60 +8547,60 @@ var AgentsClient = class {
    * the caller is expected to sign and submit the prepared bytes.
    */
   async fund(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/fund`, request);
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/fund`, request);
   }
   /**
    * Execute a trade (agent-wallet OR owner). Returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
    */
   async trade(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/trade`, request);
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/trade`, request);
   }
   /**
    * Withdraw from agent treasury (owner-only). Returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
    */
   async withdraw(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/withdraw`, request);
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/withdraw`, request);
   }
   /** Pause an agent */
   async pause(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/pause`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/pause`, {});
   }
   /** Resume a paused agent */
   async resume(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/resume`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/resume`, {});
   }
   /** Revoke an agent (permanent) */
   async revoke(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/revoke`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/revoke`, {});
   }
   /**
    * Update agent rules.
    *
-   * Server route is PATCH `/api/agents/:agentId/rules`
+   * Server route is PATCH `/api/v3/baas/agents/:agentId/rules`
    * (`agents.controller.ts:375`). The previous PUT variant 404'd because
    * Nest matched the dynamic `:agentId` GET/POST handlers and rejected
    * the verb mismatch.
    */
   async updateRules(agentId, rules) {
-    return this.http.patch(`/api/agents/${encodePathParam(agentId)}/rules`, rules);
+    return this.http.patch(`/api/v3/baas/agents/${encodePathParam(agentId)}/rules`, rules);
   }
   /** Get agent events */
   async getEvents(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}/events`);
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}/events`);
   }
   /** Get agent balances across chains */
   async getBalances(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}/balances`);
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}/balances`);
   }
   /** Approve a pending agent operation */
   async approve(agentId, operationId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/approve/${encodePathParam(operationId)}`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/approve/${encodePathParam(operationId)}`, {});
   }
   /** Reject a pending agent operation */
   async reject(agentId, operationId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/reject/${encodePathParam(operationId)}`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/reject/${encodePathParam(operationId)}`, {});
   }
 };
 
@@ -8589,7 +8628,56 @@ var DeploymentClient = class {
    * {@link deploy} with the pushed image tag.
    */
   async init(request) {
-    return this.http.post("/api/deployment/apps/init", request);
+    return this.http.post("/api/v3/baas/deployment/apps/init", request);
+  }
+  /**
+   * Issue ephemeral Harbor push credentials for a smart-app that ALREADY
+   * EXISTS — the MINT-FIRST / DEPLOY-LAST credentials-push call.
+   *
+   * Unlike {@link init} (which historically allocated a fresh entity), this
+   * takes the developer's pre-existing `appId` — the `SUBSCRIPTION_APP_ID`
+   * minted by `hsuite subscribe` (`appId == DKG entityId`) — and ONLY
+   * (re)provisions the per-app Harbor project + push robot. The server creates
+   * no DKG entity and no subscription; it asserts the caller owns the app and
+   * that its subscription is ACTIVE (402 otherwise) first.
+   *
+   * Returns the same `{ appId, registry }` shape as {@link init}. Single-use
+   * secret discipline applies to `registry.password` exactly as in `init`.
+   *
+   * This is the credentials path the mint-first `hsuite deploy` uses to obtain
+   * push creds for the developer's already-minted subscription app
+   * (`POST /apps/:appId/credentials/push`). The `hsuite redeploy` re-push path
+   * uses {@link reissuePushCredentials} instead, which targets a dedicated
+   * `credentials/reissue` route with stricter SUSPENDED-app + Harbor-failure
+   * handling.
+   */
+  async pushCredentials(appId) {
+    return this.http.post(
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/push`,
+      {}
+    );
+  }
+  /**
+   * Reissue ephemeral Harbor push credentials for an EXISTING app, WITHOUT
+   * allocating a new appId / entity. Unlike {@link init} — which historically
+   * forked a fresh smart-app entity (and a fresh paid subscription) on every
+   * call — this re-binds to an app the developer already owns: the `appId` is
+   * echoed back unchanged and only a new single-use `registry.password` push
+   * robot is minted. Same `{ appId, registry }` response shape as `init`.
+   *
+   * Owner-only + active-subscription gated server-side. This is the credential
+   * path `hsuite redeploy` uses so a re-push does not cost a new entity +
+   * subscription each run. Targets the dedicated
+   * `POST /apps/:appId/credentials/reissue` route (distinct from
+   * {@link pushCredentials}'s first-deploy `credentials/push`): the reissue
+   * route additionally refuses SUSPENDED apps and surfaces Harbor failures
+   * loudly rather than returning placeholder creds.
+   */
+  async reissuePushCredentials(appId) {
+    return this.http.post(
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/reissue`,
+      {}
+    );
   }
   /**
    * Step 3 (optional) — upload the SPA tarball.
@@ -8600,7 +8688,7 @@ var DeploymentClient = class {
    */
   async uploadFrontend(appId, bundle, filename = "bundle.tar.gz") {
     return this.http.upload(
-      `/api/deployment/apps/${encodePathParam(appId)}/frontend`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/frontend`,
       bundle,
       filename,
       void 0,
@@ -8614,32 +8702,32 @@ var DeploymentClient = class {
    * until `runtime.runtimeState === 'RUNNING'` for the URL to be live.
    */
   async deploy(appId, request) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/deploy`, request);
+    return this.http.post(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/deploy`, request);
   }
   /**
    * Roll back to a previously-deployed image tag (must exist in
    * `runtime.deploymentHistory[]`).
    */
   async rollback(appId, request) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/rollback`, request);
+    return this.http.post(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/rollback`, request);
   }
   /**
    * Live combined lifecycle + runtime status of an app.
    */
   async status(appId) {
-    return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}/status`);
+    return this.http.get(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/status`);
   }
   /**
    * List all deployed apps for the authenticated developer.
    */
   async list() {
-    return this.http.get("/api/deployment/apps");
+    return this.http.get("/api/v3/smart-apps");
   }
   /**
    * Get app details.
    */
   async get(appId) {
-    return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}`);
+    return this.http.get(`/api/v3/smart-apps/${encodePathParam(appId)}`);
   }
   /**
    * Update app configuration.
@@ -8649,31 +8737,31 @@ var DeploymentClient = class {
    * @returns The updated app info.
    */
   async update(appId, updates) {
-    return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}`, updates);
+    return this.http.put(`/api/v3/smart-apps/${encodePathParam(appId)}`, updates);
   }
   /**
    * Delete an app (runtime effect: namespace teardown).
    */
   async delete(appId) {
-    return this.http.delete(`/api/deployment/apps/${encodePathParam(appId)}`);
+    return this.http.delete(`/api/v3/smart-apps/${encodePathParam(appId)}`);
   }
   /**
    * Suspend an app (runtime effect: scale to zero).
    */
   async suspend(appId) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/suspend`, {});
+    return this.http.post(`/api/v3/smart-apps/${encodePathParam(appId)}/suspend`, {});
   }
   /**
    * Resume a suspended app (runtime effect: scale back up).
    */
   async resume(appId) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/resume`, {});
+    return this.http.post(`/api/v3/smart-apps/${encodePathParam(appId)}/resume`, {});
   }
   /**
    * Get deployment statistics.
    */
   async getStats() {
-    return this.http.get("/api/deployment/stats");
+    return this.http.get("/api/v3/smart-apps/stats");
   }
   /**
    * Register or update the developer-facing webhook URL for runtime
@@ -8694,7 +8782,7 @@ var DeploymentClient = class {
    * CGNAT / cloud metadata destinations (SSRF guard).
    */
   async setWebhook(appId, webhookUrl) {
-    return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}/webhook`, {
+    return this.http.put(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/webhook`, {
       webhookUrl
     });
   }
@@ -8710,7 +8798,7 @@ var DeploymentClient = class {
    * exposition format.
    */
   async getMetrics(appId) {
-    return this.http.getText(`/api/deployment/apps/${encodePathParam(appId)}/metrics`);
+    return this.http.getText(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/metrics`);
   }
   /**
    * Rotate the smart-app's tenant-secret KEK.
@@ -8721,7 +8809,7 @@ var DeploymentClient = class {
    */
   async rotateKek(appId) {
     return this.http.post(
-      `/api/deployment/apps/${encodePathParam(appId)}/credentials/rotate-kek`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/rotate-kek`,
       {}
     );
   }
@@ -8735,7 +8823,7 @@ var DeploymentClient = class {
    */
   async revokeKek(appId, version) {
     return this.http.post(
-      `/api/deployment/apps/${encodePathParam(appId)}/credentials/revoke-kek`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/revoke-kek`,
       { version }
     );
   }
@@ -8972,7 +9060,7 @@ var SmartEngineClient = class _SmartEngineClient {
   baseUrl;
   allowInsecure;
   http;
-  /** Separate HTTP client for /api/transactions (non-v3 base path) */
+  /** Separate HTTP client for /api/v3/transactions */
   txHttp;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
@@ -9033,7 +9121,7 @@ var SmartEngineClient = class _SmartEngineClient {
       timeout: config.timeout
     });
     this.txHttp = createHttpClient({
-      baseUrl: `${this.baseUrl}/api/transactions`,
+      baseUrl: `${this.baseUrl}/api/v3/transactions`,
       apiKey: config.apiKey,
       authToken: config.authToken,
       timeout: config.timeout
@@ -9367,7 +9455,17 @@ var SmartEngineClient = class _SmartEngineClient {
     return this.http.get("/status");
   }
   // ========== Messaging Operations ==========
-  /** Submit a message to consensus */
+  /**
+   * Submit a message to consensus.
+   *
+   * @deprecated Operator-funded message submission is RETIRED on the validator
+   *   under transaction sovereignty — `POST /api/v3/messages/:chain/:topicId`
+   *   now returns `403 Forbidden` (the operator must never front the chain fee
+   *   for a customer-supplied message). Use the payer-funded prepare path
+   *   instead: prepare a topic-message transaction via
+   *   `POST /api/transactions/topic/message/prepare`, then have the payer sign
+   *   and submit the returned bytes.
+   */
   async submitMessage(chain, topicId, message) {
     if (message.length > 1024 * 1024) {
       throw new SmartEngineError2("Message too large (max 1MB)", 400);
@@ -10256,7 +10354,7 @@ var DatabaseClient = class {
   async insert(collection, document) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}`,
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}`,
       document
     );
   }
@@ -10274,7 +10372,7 @@ var DatabaseClient = class {
     if (options?.sort) params.set("sort", options.sort);
     const qs = params.toString();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -10283,7 +10381,7 @@ var DatabaseClient = class {
   async update(collection, documentId, updates) {
     const appId = this.getAppId();
     return this.http.put(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`,
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`,
       updates
     );
   }
@@ -10293,19 +10391,19 @@ var DatabaseClient = class {
   async delete(collection, documentId) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`
     );
   }
   /**
    * List collections for the app.
    *
-   * Server route is `/api/db/:appId/collections`
+   * Server route is `/api/v3/baas/db/:appId/collections`
    * (`database.controller.ts:106`). The previous bare-`:appId` GET 404'd
    * — Nest reserves that pattern for the document-find router below.
    */
   async listCollections() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/collections`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/collections`);
   }
   /**
    * Create a new collection in the database.
@@ -10315,7 +10413,7 @@ var DatabaseClient = class {
    */
   async createCollection(name) {
     const appId = this.getAppId();
-    return this.http.post(`/api/db/${encodePathParam(appId)}/collections`, { name });
+    return this.http.post(`/api/v3/baas/db/${encodePathParam(appId)}/collections`, { name });
   }
   /**
    * Drop a collection and all its documents.
@@ -10326,7 +10424,7 @@ var DatabaseClient = class {
   async dropCollection(name) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/db/${encodePathParam(appId)}/collections/${encodePathParam(name)}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/collections/${encodePathParam(name)}`
     );
   }
   // ========== State Proofs ==========
@@ -10335,7 +10433,7 @@ var DatabaseClient = class {
    */
   async getStateRoot() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/state/root`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/state/root`);
   }
   /**
    * Get a Merkle proof for a specific document
@@ -10343,7 +10441,7 @@ var DatabaseClient = class {
   async getDocumentProof(documentId) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(documentId)}/proof`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(documentId)}/proof`
     );
   }
   /**
@@ -10357,7 +10455,7 @@ var DatabaseClient = class {
     if (options?.limit !== void 0) params.set("limit", String(options.limit));
     const qs = params.toString();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/state/transitions${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/state/transitions${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -10365,7 +10463,7 @@ var DatabaseClient = class {
    */
   async getDbStats() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/stats`);
   }
 };
 
@@ -10382,28 +10480,28 @@ var StorageClient = class {
    */
   async upload(file, filename, metadata) {
     const appId = this.getAppId();
-    return this.http.upload(`/api/storage/${encodePathParam(appId)}/upload`, file, filename, metadata);
+    return this.http.upload(`/api/v3/baas/storage/${encodePathParam(appId)}/upload`, file, filename, metadata);
   }
   /**
    * Download a file by CID
    */
   async download(cid) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`);
   }
   /**
    * Get file metadata
    */
   async getMetadata(cid) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/metadata/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/metadata/${encodePathParam(cid)}`);
   }
   /**
    * Delete a file
    */
   async delete(cid) {
     const appId = this.getAppId();
-    return this.http.delete(`/api/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`);
+    return this.http.delete(`/api/v3/baas/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`);
   }
   /**
    * List all files for the app.
@@ -10418,21 +10516,21 @@ var StorageClient = class {
     if (pagination?.limit !== void 0) params.set("limit", String(pagination.limit));
     if (pagination?.offset !== void 0) params.set("offset", String(pagination.offset));
     const qs = params.toString();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/files${qs ? `?${qs}` : ""}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/files${qs ? `?${qs}` : ""}`);
   }
   /**
    * Get storage usage for the current app
    */
   async getUsage() {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/usage`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/usage`);
   }
   /**
    * Check if a file exists
    */
   async exists(cid) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/exists/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/exists/${encodePathParam(cid)}`);
   }
 };
 
@@ -10449,7 +10547,7 @@ var FunctionsClient = class {
    */
   async deploy(request) {
     const appId = this.getAppId();
-    return this.http.post(`/api/functions/${encodePathParam(appId)}`, request);
+    return this.http.post(`/api/v3/baas/functions/${encodePathParam(appId)}`, request);
   }
   /**
    * Invoke a function
@@ -10457,7 +10555,7 @@ var FunctionsClient = class {
   async invoke(functionId, payload) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/invoke`,
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/invoke`,
       payload ?? {}
     );
   }
@@ -10466,7 +10564,7 @@ var FunctionsClient = class {
    */
   async list() {
     const appId = this.getAppId();
-    return this.http.get(`/api/functions/${encodePathParam(appId)}`);
+    return this.http.get(`/api/v3/baas/functions/${encodePathParam(appId)}`);
   }
   /**
    * Get function details
@@ -10474,7 +10572,7 @@ var FunctionsClient = class {
   async get(functionId) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
     );
   }
   /**
@@ -10483,7 +10581,7 @@ var FunctionsClient = class {
   async update(functionId, updates) {
     const appId = this.getAppId();
     return this.http.put(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
       updates
     );
   }
@@ -10493,7 +10591,7 @@ var FunctionsClient = class {
   async delete(functionId) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
     );
   }
   /**
@@ -10507,7 +10605,7 @@ var FunctionsClient = class {
     if (options?.level) params.set("level", options.level);
     const qs = params.toString();
     return this.http.get(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/logs${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/logs${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -10515,7 +10613,7 @@ var FunctionsClient = class {
    */
   async getStats() {
     const appId = this.getAppId();
-    return this.http.get(`/api/functions/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/functions/${encodePathParam(appId)}/stats`);
   }
 };
 
@@ -10532,28 +10630,28 @@ var MessagingClient = class {
    */
   async createChannel(config) {
     const appId = this.getAppId();
-    return this.http.post(`/api/messaging/${encodePathParam(appId)}/channels`, config);
+    return this.http.post(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels`, config);
   }
   /**
    * Delete a channel
    */
   async deleteChannel(channelId) {
     const appId = this.getAppId();
-    return this.http.delete(`/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
+    return this.http.delete(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
   }
   /**
    * Get a channel by ID
    */
   async getChannel(channelId) {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
   }
   /**
    * List all channels for the app
    */
   async listChannels() {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/channels`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels`);
   }
   /**
    * Publish a message to a channel
@@ -10561,7 +10659,7 @@ var MessagingClient = class {
   async publish(channel, message, metadata) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/publish`,
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/publish`,
       { data: message, metadata }
     );
   }
@@ -10576,7 +10674,7 @@ var MessagingClient = class {
     if (options?.after) params.set("after", options.after);
     const qs = params.toString();
     return this.http.get(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/history${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/history${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -10590,7 +10688,7 @@ var MessagingClient = class {
   async setPresence(channel, member) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`,
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`,
       member
     );
   }
@@ -10598,7 +10696,7 @@ var MessagingClient = class {
    * Remove a member's presence from a channel.
    *
    * BREAKING CHANGE (SDK 3.3.0): server route is
-   * `/api/messaging/:appId/channels/:channel/presence/:clientId`
+   * `/api/v3/baas/messaging/:appId/channels/:channel/presence/:clientId`
    * (`messaging.controller.ts:352`). `channel` is now the first arg and
    * `clientId` (not `memberId`) the second — they're the same identifier
    * but renamed to match the server param.
@@ -10606,7 +10704,7 @@ var MessagingClient = class {
   async removePresence(channel, clientId) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence/${encodePathParam(clientId)}`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence/${encodePathParam(clientId)}`
     );
   }
   /**
@@ -10615,7 +10713,7 @@ var MessagingClient = class {
   async getPresence(channel) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`
     );
   }
   /**
@@ -10623,7 +10721,7 @@ var MessagingClient = class {
    */
   async getStats() {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/stats`);
   }
 };
 
@@ -10639,21 +10737,21 @@ var CustomerSessionClient = class {
    * Step 1: ask the host to issue a fresh challenge for the customer to sign.
    */
   async challenge(input) {
-    return this.fetch("POST", "/api/customer-session/challenge", input);
+    return this.fetch("POST", "/api/v3/baas/customer-session/challenge", input);
   }
   /**
    * Step 2: submit the customer's signed challenge. On success returns a
    * short-lived bearer JWT scoped to {appId, chain, address}.
    */
   async verify(req) {
-    return this.fetch("POST", "/api/customer-session/verify", req);
+    return this.fetch("POST", "/api/v3/baas/customer-session/verify", req);
   }
   /**
    * Validate a customer bearer + return the decoded session info. Used by
    * smart-app backends to authorise incoming customer requests.
    */
   async validate(bearer) {
-    return this.fetch("GET", "/api/customer-session/validate", void 0, bearer);
+    return this.fetch("GET", "/api/v3/baas/customer-session/validate", void 0, bearer);
   }
   /**
    * Revoke a customer session. Idempotent.
@@ -10661,7 +10759,7 @@ var CustomerSessionClient = class {
   async end(bearer) {
     return this.fetch(
       "POST",
-      "/api/customer-session/end",
+      "/api/v3/baas/customer-session/end",
       void 0,
       bearer
     );
@@ -10707,15 +10805,15 @@ var RulesClient = class {
   http;
   /** Publish a canonical ValidatorRules document to HCS. */
   async publish(rule) {
-    return this.http.post("/api/rules/publish", rule);
+    return this.http.post("/api/v3/baas/rules/publish", rule);
   }
   /** Fetch a published rule by its HCS consensus timestamp. */
   async get(consensusTimestamp) {
-    return this.http.get(`/api/rules/${encodePathParam(consensusTimestamp)}`);
+    return this.http.get(`/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}`);
   }
   /** List rules owned by the authenticated entity, optionally filtered by type. */
   async listByOwner(filter) {
-    const path = filter?.type ? `/api/rules?type=${encodeURIComponent(filter.type)}` : "/api/rules";
+    const path = filter?.type ? `/api/v3/baas/rules?type=${encodeURIComponent(filter.type)}` : "/api/v3/baas/rules";
     return this.http.get(path);
   }
   /**
@@ -10723,44 +10821,332 @@ var RulesClient = class {
    * `ruleRef` (published) or `rule` (inline) must be supplied by the caller.
    */
   async simulate(params) {
-    return this.http.post("/api/rules/simulate", params);
+    return this.http.post("/api/v3/baas/rules/simulate", params);
   }
   /** Walk the version history of a published rule. */
   async getVersionHistory(consensusTimestamp) {
     return this.http.get(
-      `/api/rules/${encodePathParam(consensusTimestamp)}/versions`
+      `/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}/versions`
     );
   }
   /** Deprecate a published rule (owner-only). */
   async deprecate(consensusTimestamp) {
     return this.http.post(
-      `/api/rules/${encodePathParam(consensusTimestamp)}/deprecate`,
+      `/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}/deprecate`,
       {}
     );
   }
 };
 
 // src/baas/entities/client.ts
-var EntitiesClient = class {
+var EntitiesClient = class _EntitiesClient {
   constructor(http) {
     this.http = http;
   }
   http;
-  /** Create a canonical token entity bound to a published rule. */
+  /**
+   * Chains whose token-create routes through the payer-funded 3-step (prepare →
+   * fund → execute), mirroring `createAccount`. Hedera = real HTS TokenCreate
+   * (admin/supply = the per-entity DKG slot-pubkey KeyList; treasury = the
+   * entity's own account; `0.0.X` token id is network-assigned, resolved from the
+   * receipt via the threaded `createTxId`). Cardano/Solana/Polkadot = the
+   * AUTHORITY entity (the entity IS the policy/mint/Assets-admin multisig — same
+   * address as an account; the asset MINT itself is a later operate-tab payer
+   * call). XRPL/Stellar token = an ISSUER ACCOUNT (reuses the account preparer) +
+   * issuer flags set at finalize: XRPL relays the funding Payment then finalizes
+   * (issuer-flag AccountSets + SignerListSet + disable-master); Stellar relays the
+   * CreateAccount then finalizes (SetOptions install incl. issuer setFlags +
+   * master lock). Every OTHER chain (EVM) stays on the legacy synchronous path.
+   */
+  static PAYER_FUNDED_TOKEN_CHAINS = /* @__PURE__ */ new Set([
+    "hedera",
+    "cardano",
+    "solana",
+    "polkadot",
+    "xrpl",
+    "stellar"
+  ]);
+  /**
+   * PREPARE half of the payer-funded token-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create` with `entityType: 'token'`. The cluster
+   * runs the per-entity DKG, builds the payer-funded create (Hedera: TokenCreate
+   * keyed by the slot-pubkey KeyList with the entity account as treasury;
+   * Cardano/Solana/Polkadot: funds/provisions the authority multisig), and returns
+   * the prepared blob. The prepared `transactionId` is the `createTxId` for
+   * execute (Hedera).
+   */
+  async prepareCreateToken(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "token",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded token-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/execute-create` with `entityType: 'token'`. For Hedera,
+   * pass `createTxId` (the prepared create's `transactionId`) so the validator
+   * resolves the network-assigned `0.0.X` token id from the receipt and stamps
+   * `chainAccounts.hedera`. For the authority-entity chains (cardano/solana/
+   * polkadot) execute just verifies the binding and echoes the stamped authority
+   * address (no `createTxId` needed).
+   */
+  async executeCreateToken(req) {
+    const { createTxId, signedFundingBlob, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...rest,
+      ...createTxId !== void 0 ? { createTxId } : {},
+      ...signedFundingBlob !== void 0 ? { signedFundingBlob } : {},
+      entityType: "token"
+    });
+  }
+  /**
+   * Create a canonical token entity bound to a published rule.
+   *
+   * Dispatches by `chain` (mirrors `createAccount`):
+   *  - **Hedera / Cardano / Solana / Polkadot** = payer-funded 3-step (prepare →
+   *    caller funds via `fundWith` → execute). Hedera resolves the network-assigned
+   *    `0.0.X` token id from the receipt (threads `createTxId`); the authority-
+   *    entity chains verify/echo the stamped authority address. `fundWith` is
+   *    REQUIRED; to drive the steps manually call `prepareCreateToken` /
+   *    `executeCreateToken` directly.
+   *  - **XRPL / Stellar** = payer-funded too (account-model issuer): `fundWith`
+   *    REQUIRED; the caller's signed funding blob is RELAYED to the validator,
+   *    which submits it then finalizes the issuer multisig (master-locked). NO
+   *    issuer flags are set at create — issuer auth flags / DefaultRipple / clawback
+   *    are an operate-tab, rules-validated concern.
+   *  - **EVM / other** = legacy synchronous `POST /api/v3/baas/entities/createToken`
+   *    (payer-funded-only fields ignored) until it migrates.
+   */
   async createToken(req) {
-    return this.http.post("/api/entities/createToken", req);
+    if (_EntitiesClient.PAYER_FUNDED_TOKEN_CHAINS.has(req.chain)) {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateToken(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          `createToken(${req.chain}): pass fundWith (sign+submit the prepared create tx), or call prepareCreateToken/executeCreateToken directly`
+        );
+      }
+      const funded = await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      return this.executeCreateToken({
+        entityId: prep.entityId,
+        chain: req.chain,
+        securityMode: req.securityMode,
+        signedFundingBlob: _EntitiesClient.FUNDING_BLOB_RELAY_CHAINS.has(req.chain) ? funded?.signedFundingBlob : void 0,
+        createTxId: req.chain === "hedera" ? prep.prepared?.[0]?.transactionId : void 0
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createToken", legacyReq);
   }
-  /** Create a canonical account entity bound to a published rule. */
+  /**
+   * PREPARE half of the payer-funded account-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create`. The cluster runs the per-entity DKG
+   * (persists the binding, submits nothing on-chain) and returns the unsigned
+   * payer-funding `Payment`(s) the caller signs + submits with their own wallet.
+   */
+  async prepareCreateAccount(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "account",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded account-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/execute-create`. The entity already exists (its DKG
+   * ran during prepare); pass `signedFundingBlob` for the validator to submit
+   * the payer's signed funding `Payment` (XRPL only), or omit it when the caller
+   * already submitted the funding tx themselves (then execute just finalizes /
+   * verifies).
+   *
+   * `createTxId` is the HEDERA thread: a Hedera AccountCreate gets its
+   * network-assigned `0.0.X` id only from the on-chain receipt after the payer
+   * submits. The caller threads the prepared create's `transactionId` (from
+   * `prepared[0].transactionId`) back here so the validator resolves the id from
+   * the receipt server-side. Ignored for non-Hedera chains.
+   */
+  async executeCreateAccount(req) {
+    const { createTxId, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...rest,
+      ...createTxId !== void 0 ? { createTxId } : {}
+    });
+  }
+  /**
+   * Chains whose account-create routes through the payer-funded 3-step
+   * (prepare → fund → execute). All are ledgers where the validators never pay:
+   * XRPL funds a reserve; Bitcoin funds a P2WSH UTXO; Cardano funds a
+   * native-script enterprise address above min-UTXO; Polkadot funds a
+   * pallet_multisig SS58 above the existential deposit; Solana funds a Squads
+   * multisig PDA (deterministic from the createKey) via a payer-paid
+   * `multisigCreateV2` — the payer's submission IS the create (no separate
+   * finalizer). Hedera is create-WITH-KEY: the payer submits an AccountCreate
+   * whose controlling key is the per-entity DKG slot-pubkey KeyList, so the
+   * payer's submit IS the create; its `0.0.X` id is network-assigned (resolved
+   * from the receipt at execute-create via the threaded `createTxId`). Stellar is
+   * account-MODEL (like XRPL): the payer funds the entity's slot-0 `G...` master
+   * via a CreateAccount, the validator RELAYS the signed funding blob, then
+   * execute-create finalizes on-chain (threshold-signs a SetOptions installing
+   * the validator chain-key multisig + locking the master). EVM stays on the
+   * legacy synchronous create until it migrates.
+   */
+  static PAYER_FUNDED_CREATE_CHAINS = /* @__PURE__ */ new Set([
+    "xrpl",
+    "bitcoin",
+    "cardano",
+    "polkadot",
+    "solana",
+    "hedera",
+    "stellar"
+  ]);
+  /**
+   * Chains whose execute-create RELAYS the payer's signed funding blob for the
+   * validator to submit (then finalizes on-chain). Both are account-model ledgers
+   * with a validator-side finalize step: XRPL (SignerListSet + disable-master),
+   * Stellar (SetOptions install + master lock). Every OTHER payer-funded chain
+   * has the PAYER submit the funding tx directly with their own wallet — their
+   * execute-create REJECTS a non-undefined `signedFundingBlob` (400), so the blob
+   * is omitted for them.
+   */
+  static FUNDING_BLOB_RELAY_CHAINS = /* @__PURE__ */ new Set(["xrpl", "stellar"]);
+  /**
+   * Create a canonical account entity bound to a published rule.
+   *
+   * Dispatches by `chain`:
+   *  - **XRPL / Stellar / Bitcoin / Cardano / Polkadot / Solana / Hedera** =
+   *    payer-funded 3-step (prepare → fund → execute). The cluster runs the
+   *    per-entity DKG and returns the unsigned payer-funding tx(s); the
+   *    caller-supplied `fundWith` callback signs + submits (or just signs) the
+   *    funding tx with their OWN wallet — the SDK never holds the customer's chain
+   *    key nor opens a network connection — then `executeCreateAccount` finalizes
+   *    (XRPL + Stellar finalize on-chain after relaying the funding blob; the
+   *    deterministic ledgers + Solana verify/stamp the binding; Hedera resolves
+   *    the network-assigned id from the receipt). `fundWith` is REQUIRED on these
+   *    chains; to drive the steps manually call `prepareCreateAccount` /
+   *    `executeCreateAccount` directly.
+   *  - **other chains** (EVM) = legacy synchronous create — a single
+   *    `POST /api/v3/baas/entities/createAccount`, unchanged from pre-3.9.0. These chains
+   *    migrate to the payer-funded flow in a later phase; until then the
+   *    payer-funded-only fields (`fundWith` / `payerAccountId` / `securityMode`)
+   *    are ignored.
+   */
   async createAccount(req) {
-    return this.http.post("/api/entities/createAccount", req);
+    if (_EntitiesClient.PAYER_FUNDED_CREATE_CHAINS.has(req.chain)) {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateAccount(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          `createAccount(${req.chain}): pass fundWith (sign+submit the prepared funding tx), or call prepareCreateAccount/executeCreateAccount directly`
+        );
+      }
+      const funded = await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      return this.executeCreateAccount({
+        entityId: prep.entityId,
+        chain: req.chain,
+        securityMode: req.securityMode,
+        signedFundingBlob: _EntitiesClient.FUNDING_BLOB_RELAY_CHAINS.has(req.chain) ? funded?.signedFundingBlob : void 0,
+        createTxId: req.chain === "hedera" ? prep.prepared?.[0]?.transactionId : void 0
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createAccount", legacyReq);
+  }
+  /**
+   * PREPARE half of the payer-funded topic-create flow (Hedera).
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create` with `entityType: 'topic'`. The cluster
+   * runs the per-entity DKG (persists the binding), builds the payer-funded
+   * TopicCreate keyed by the slot-pubkey KeyList, attaches the validator admin
+   * threshold sig, and returns the prepared blob for the caller to add the fee
+   * sig + submit. The prepared `transactionId` is the `createTxId` for execute.
+   */
+  async prepareCreateTopic(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "topic",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded topic-create flow (Hedera).
+   *
+   * POSTs `/api/v3/baas/entities/execute-create` with `entityType: 'topic'`. The topic
+   * already exists once the payer submitted the create tx; pass `createTxId` (the
+   * prepared create's `transactionId`) so the validator resolves the network-
+   * assigned `0.0.X` topic id from the receipt and stamps `chainAccounts.hedera`.
+   */
+  async executeCreateTopic(req) {
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...req,
+      entityType: "topic"
+    });
   }
-  /** Create a canonical topic entity bound to a published rule. */
+  /**
+   * Create a canonical topic entity bound to a published rule.
+   *
+   * Dispatches by `chain`:
+   *  - **Hedera** = payer-funded 3-step (prepare → caller submits the TopicCreate
+   *    via `fundWith` → execute resolves the `0.0.X` topic id from the receipt).
+   *    `fundWith` is REQUIRED; to drive the steps manually call
+   *    `prepareCreateTopic` / `executeCreateTopic` directly.
+   *  - **other chains** = legacy synchronous `POST /api/v3/baas/entities/createTopic`
+   *    (topics are a Hedera primitive; the legacy path is unchanged).
+   */
   async createTopic(req) {
-    return this.http.post("/api/entities/createTopic", req);
+    if (req.chain === "hedera") {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateTopic(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          "createTopic(hedera): pass fundWith (sign+submit the prepared TopicCreate), or call prepareCreateTopic/executeCreateTopic directly"
+        );
+      }
+      await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      const createTxId = prep.prepared?.[0]?.transactionId;
+      if (!createTxId) {
+        throw new Error(
+          "createTopic(hedera): prepared TopicCreate carries no transactionId \u2014 cannot resolve the topic id from the receipt"
+        );
+      }
+      return this.executeCreateTopic({
+        entityId: prep.entityId,
+        chain: req.chain,
+        createTxId,
+        securityMode: req.securityMode
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createTopic", legacyReq);
   }
   /** Create a canonical agent entity bound to a published rule. */
   async createAgent(req) {
-    return this.http.post("/api/entities/createAgent", req);
+    return this.http.post("/api/v3/baas/entities/createAgent", req);
   }
   /**
    * Mega-helper: build a token rule with a launchpad ModuleEntry attached,
@@ -10768,15 +11154,15 @@ var EntitiesClient = class {
    * round-trip.
    */
   async launchpad(req) {
-    return this.http.post("/api/entities/launchpad", req);
+    return this.http.post("/api/v3/baas/entities/launchpad", req);
   }
   /** Fetch an entity by its canonical `entityId`. */
   async get(entityId) {
-    return this.http.get(`/api/entities/${encodePathParam(entityId)}`);
+    return this.http.get(`/api/v3/baas/entities/${encodePathParam(entityId)}`);
   }
   /** List entities owned by the authenticated wallet, optionally filtered by type. */
   async listByOwner(filter) {
-    const path = filter?.type ? `/api/entities?type=${encodeURIComponent(filter.type)}` : "/api/entities";
+    const path = filter?.type ? `/api/v3/baas/entities?type=${encodeURIComponent(filter.type)}` : "/api/v3/baas/entities";
     return this.http.get(path);
   }
 };
@@ -10789,6 +11175,13 @@ var BaasClient = class _BaasClient {
   timeout;
   allowInsecure;
   http;
+  /**
+   * Validator-routed HTTP client for the `/api/v3/transactions/*` prepare/execute
+   * surface — a SIBLING of `/host`, NOT under the `pathPrefix`. Rooted at the
+   * raw gateway/ingress origin (`hostUrl`) so transactions reach the validator
+   * even when BaaS traffic is gateway-routed at `/host/*`.
+   */
+  txHttp;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
   /**
@@ -10817,6 +11210,14 @@ var BaasClient = class _BaasClient {
   rules;
   /** Canonical entity authoring surface (token/account/topic/agent + launchpad). */
   entities;
+  /**
+   * Validator-routed transaction prepare/execute (sovereignty model). The
+   * prepare endpoints accept an explicit `payerAccountId` for the session-less
+   * payer path, OR carry the web3-auth session token for the JWT-wallet payer
+   * path (kept in sync with the main client's token — see {@link authenticate}).
+   * Targets `/api/v3/transactions/*`, a sibling of the `/host` BaaS surface.
+   */
+  transactions;
   constructor(config) {
     this.allowInsecure = config.allowInsecure ?? false;
     this.hostUrl = validateUrl2(config.hostUrl, this.allowInsecure);
@@ -10830,7 +11231,12 @@ var BaasClient = class _BaasClient {
       timeout: this.timeout,
       // Transparent session refresh: on a 401, re-run the challenge-response
       // with the retained signer and retry once. No-op until authenticate() has
-      // been called (authContext set). Excludes /api/auth/* (see http client).
+      // been called (authContext set). Excludes /api/v3/{,baas/}auth/* (see http client).
+      onUnauthorized: () => this.reauthenticate()
+    });
+    this.txHttp = createHttpClient({
+      baseUrl: `${this.hostUrl.replace(/\/$/, "")}/api/v3/transactions`,
+      timeout: this.timeout,
       onUnauthorized: () => this.reauthenticate()
     });
     const getAppId = () => this.requireAppId();
@@ -10843,6 +11249,7 @@ var BaasClient = class _BaasClient {
     this.customerSession = new CustomerSessionClient(baseUrlWithPrefix, this.timeout);
     this.rules = new RulesClient(this.http);
     this.entities = new EntitiesClient(this.http);
+    this.transactions = new TransactionsClient(this.txHttp);
   }
   /**
    * Connect to the Smart Engines BaaS via cluster auto-discovery.
@@ -10970,7 +11377,7 @@ var BaasClient = class _BaasClient {
     this.authContext = options;
     let challenge;
     try {
-      challenge = await this.http.post("/api/auth/challenge", {
+      challenge = await this.http.post("/api/v3/baas/auth/challenge", {
         chain,
         walletAddress,
         appId: this.appId
@@ -10981,7 +11388,7 @@ var BaasClient = class _BaasClient {
     const signature = await signFn(challenge.message);
     let result;
     try {
-      result = await this.http.post("/api/auth/verify", {
+      result = await this.http.post("/api/v3/baas/auth/verify", {
         challengeId: challenge.challengeId,
         signature,
         publicKey
@@ -10990,6 +11397,7 @@ var BaasClient = class _BaasClient {
       throw asBaasError(err);
     }
     this.http.setAuthToken(result.token);
+    this.txHttp.setAuthToken(result.token);
     return result;
   }
   /**
@@ -10997,30 +11405,31 @@ var BaasClient = class _BaasClient {
    * session token. Invoked by the http client's `onUnauthorized` hook when a
    * request 401s because the token expired — so long-lived clients keep working
    * without the caller re-implementing refresh. No-op if {@link authenticate}
-   * was never called. The `/api/auth/*` calls below are excluded from the http
+   * was never called. The `/api/v3/baas/auth/*` calls below are excluded from the http
    * client's 401-retry path, so this can never recurse.
    */
   async reauthenticate() {
     const ctx = this.authContext;
     if (!ctx) return;
-    const challenge = await this.http.post("/api/auth/challenge", {
+    const challenge = await this.http.post("/api/v3/baas/auth/challenge", {
       chain: ctx.chain,
       walletAddress: ctx.walletAddress,
       appId: this.appId
     });
     const signature = await ctx.signFn(challenge.message);
-    const result = await this.http.post("/api/auth/verify", {
+    const result = await this.http.post("/api/v3/baas/auth/verify", {
       challengeId: challenge.challengeId,
       signature,
       publicKey: ctx.publicKey
     });
     this.http.setAuthToken(result.token);
+    this.txHttp.setAuthToken(result.token);
   }
   /** Validate the current session */
   async validateSession() {
     this.requireAuth();
     try {
-      return await this.http.get("/api/auth/session");
+      return await this.http.get("/api/v3/baas/auth/session");
     } catch (err) {
       throw asBaasError(err);
     }
@@ -11029,11 +11438,12 @@ var BaasClient = class _BaasClient {
   async logout() {
     if (this.http.getAuthToken()) {
       try {
-        await this.http.post("/api/auth/logout", {});
+        await this.http.post("/api/v3/baas/auth/logout", {});
       } catch {
       }
     }
     this.http.setAuthToken(void 0);
+    this.txHttp.setAuthToken(void 0);
   }
   // ========== HTTP Helpers ==========
   requireAuth() {
@@ -11453,6 +11863,49 @@ async function verifyPqcEnvelope(envelope, options = {}) {
   }
   return { valid: true, version, details };
 }
+var { deriveKeypair, deriveAddress, sign, verify } = require_dist2();
+function canonicalizeAttestation(att) {
+  return JSON.stringify(att, Object.keys(att).sort());
+}
+function computeAttestationHash(att) {
+  const canonical = canonicalizeAttestation(att);
+  const digest = sha256.sha256(new TextEncoder().encode(canonical));
+  return bytesToHex2(digest);
+}
+function signAttestation(att, xrplSeed) {
+  const { publicKey, privateKey } = deriveKeypair(xrplSeed);
+  const messageHex = attestationMessageHex(att);
+  const signature = sign(messageHex, privateKey);
+  return `${publicKey}.${signature}`;
+}
+function verifyAttestation(att, signature, walletAddress) {
+  try {
+    const sep = signature.indexOf(".");
+    if (sep <= 0 || sep === signature.length - 1) {
+      return false;
+    }
+    const publicKey = signature.slice(0, sep);
+    const sigHex = signature.slice(sep + 1);
+    if (deriveAddress(publicKey) !== walletAddress) {
+      return false;
+    }
+    const messageHex = attestationMessageHex(att);
+    return verify(messageHex, sigHex, publicKey);
+  } catch {
+    return false;
+  }
+}
+function attestationMessageHex(att) {
+  const hash = computeAttestationHash(att);
+  return Buffer.from(hash, "utf-8").toString("hex").toUpperCase();
+}
+function bytesToHex2(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += bytes[i].toString(16).padStart(2, "0");
+  }
+  return s;
+}
 
 // src/rules/atoms/index.ts
 var atom = {
@@ -12957,7 +13410,9 @@ exports.atom = atom;
 exports.auth = auth_exports;
 exports.baas = baas_exports;
 exports.bridge = bridge_exports;
+exports.canonicalizeAttestation = canonicalizeAttestation;
 exports.chains = chains_exports;
+exports.computeAttestationHash = computeAttestationHash;
 exports.createHttpClient = createHttpClient;
 exports.createResilientFetchWithBreaker = createResilientFetchWithBreaker;
 exports.createXrplWeb3Signer = createXrplWeb3Signer;
@@ -12991,6 +13446,7 @@ exports.resilientFetch = resilientFetch;
 exports.resolveNetwork = resolveNetwork;
 exports.resources = resources_exports;
 exports.settlement = settlement_exports;
+exports.signAttestation = signAttestation;
 exports.simpleAMM = simpleAMM;
 exports.simpleStaking = simpleStaking;
 exports.soulboundNft = soulboundNft;
@@ -13006,6 +13462,7 @@ exports.utilityToken = utilityToken;
 exports.validate = validate;
 exports.validateAgentRules = validateAgentRules;
 exports.validateEnvelopeSchema = validateEnvelopeSchema;
+exports.verifyAttestation = verifyAttestation;
 exports.verifyPqcAttestation = verifyPqcAttestation;
 exports.verifyPqcEnvelope = verifyPqcEnvelope;
 exports.vestingSchedule = vestingSchedule;