@hsuite/smart-engines-sdk 3.6.1 → 3.10.0

package/dist/nestjs/index.js

@@ -199,6 +199,14 @@ var PreparedTransactionSovereigntySchema = zod.z.discriminatedUnion("mode", [
     authorizationSet: PreparedTransactionAuthorizationSetSchema.optional()
   })
 ]);
+var RuleRefSchema = zod.z.object({
+  /** Chain whose HCS the rule was published on (canonically 'hedera'). */
+  chain: ChainTypeSchema,
+  /** HCS topic ID the rule message was published to. */
+  topicId: zod.z.string().min(1),
+  /** HCS consensus timestamp of the rule message. */
+  consensusTimestamp: zod.z.string().min(1)
+});
 var CreateAccountRequestSchema = zod.z.object({
   chain: ChainTypeSchema,
   initialBalance: zod.z.string(),
@@ -238,6 +246,22 @@ var CreateAccountRequestSchema = zod.z.object({
    * The owner key + TSS network key form a threshold-2 multi-sig.
    */
   appOwnerPublicKey: zod.z.string().optional(),
+  /**
+   * The entity's canonical `ruleRef` (HCS pointer to its `ValidatorRules`). When
+   * present, the chain adapter stamps the IMMUTABLE creation-tx rule anchor
+   * (`rule:<topicId>@<consensusTimestamp>:<entityType>`) — distinct from the
+   * mutable validator-binding memo — so the sign-gate resolves the rule on-chain
+   * (kind:'ref') rather than trusting the replicated binding
+   * (RFC 2026-06-15-onchain-rule-anchor §6.1). Absent ⇒ the degraded
+   * `rule:bootstrap:<entityType>` marker when `entityType` is supplied.
+   */
+  ruleRef: RuleRefSchema.optional(),
+  /**
+   * Entity-type tag stamped into the rule anchor (e.g. 'wallet', 'account').
+   * Supply it to enable the on-chain anchor; omit for the prior memo-less
+   * (legacy) behaviour.
+   */
+  entityType: zod.z.string().min(1).optional(),
   metadata: zod.z.record(zod.z.any()).optional()
 });
 zod.z.object({
@@ -325,6 +349,21 @@ var CreateTokenRequestSchema = zod.z.object({
   immutable: zod.z.boolean().default(true),
   /** See CreateAccountRequestSchema.payerAccountId — same resolution rules. */
   payerAccountId: zod.z.string().optional(),
+  /**
+   * The entity's canonical `ruleRef` (HCS pointer to its `ValidatorRules`). When
+   * present, the chain adapter stamps the IMMUTABLE creation-tx rule anchor
+   * (`rule:<topicId>@<consensusTimestamp>:<entityType>`) — distinct from the
+   * mutable validator-binding token memo — so the sign-gate resolves the rule
+   * on-chain (kind:'ref') rather than trusting the replicated binding
+   * (RFC 2026-06-15-onchain-rule-anchor §6.1). Absent ⇒ the degraded
+   * `rule:bootstrap:<entityType>` marker when `entityType` is supplied.
+   */
+  ruleRef: RuleRefSchema.optional(),
+  /**
+   * Entity-type tag stamped into the rule anchor (e.g. 'token'). Supply it to
+   * enable the on-chain anchor; omit for the prior memo-less behaviour.
+   */
+  entityType: zod.z.string().min(1).optional(),
   metadata: zod.z.record(zod.z.any()).optional()
 });
 zod.z.object({
@@ -1249,7 +1288,7 @@ function createHttpClient(config) {
     try {
       return await op();
     } catch (error) {
-      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
+      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/v3/baas/auth/") && !path.startsWith("/api/v3/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
       if (!refreshable) throw error;
       if (!reauthInFlight) {
         reauthInFlight = Promise.resolve(config.onUnauthorized()).finally(() => {
@@ -2189,7 +2228,7 @@ var HederaTransactionsClient = class {
    *   - `client.hedera.tss.createTopic(...)` makes the cluster sign+submit in one call.
    *
    * `tssHttp` is the validator's `/api/v3`-rooted HTTP client (different from
-   * the `/api/transactions` one this class uses for prepare paths). Both
+   * the `/api/v3/transactions` one this class uses for prepare paths). Both
    * clients are required — the previous single-arg fallback to `http` was
    * unreachable through `SmartEngineClient` (the only call site always
    * passes both).
@@ -2899,15 +2938,15 @@ var AgentsClient = class {
   http;
   /** Register a new agent */
   async register(request) {
-    return this.http.post("/api/agents/register", request);
+    return this.http.post("/api/v3/baas/agents/register", request);
   }
   /** Get agent details */
   async get(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}`);
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}`);
   }
   /** List all agents */
   async list() {
-    return this.http.get("/api/agents");
+    return this.http.get("/api/v3/baas/agents");
   }
   /**
    * Fund agent treasury (owner-only). Returns a
@@ -2915,60 +2954,60 @@ var AgentsClient = class {
    * the caller is expected to sign and submit the prepared bytes.
    */
   async fund(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/fund`, request);
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/fund`, request);
   }
   /**
    * Execute a trade (agent-wallet OR owner). Returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
    */
   async trade(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/trade`, request);
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/trade`, request);
   }
   /**
    * Withdraw from agent treasury (owner-only). Returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
    */
   async withdraw(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/withdraw`, request);
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/withdraw`, request);
   }
   /** Pause an agent */
   async pause(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/pause`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/pause`, {});
   }
   /** Resume a paused agent */
   async resume(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/resume`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/resume`, {});
   }
   /** Revoke an agent (permanent) */
   async revoke(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/revoke`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/revoke`, {});
   }
   /**
    * Update agent rules.
    *
-   * Server route is PATCH `/api/agents/:agentId/rules`
+   * Server route is PATCH `/api/v3/baas/agents/:agentId/rules`
    * (`agents.controller.ts:375`). The previous PUT variant 404'd because
    * Nest matched the dynamic `:agentId` GET/POST handlers and rejected
    * the verb mismatch.
    */
   async updateRules(agentId, rules) {
-    return this.http.patch(`/api/agents/${encodePathParam(agentId)}/rules`, rules);
+    return this.http.patch(`/api/v3/baas/agents/${encodePathParam(agentId)}/rules`, rules);
   }
   /** Get agent events */
   async getEvents(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}/events`);
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}/events`);
   }
   /** Get agent balances across chains */
   async getBalances(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}/balances`);
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}/balances`);
   }
   /** Approve a pending agent operation */
   async approve(agentId, operationId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/approve/${encodePathParam(operationId)}`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/approve/${encodePathParam(operationId)}`, {});
   }
   /** Reject a pending agent operation */
   async reject(agentId, operationId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/reject/${encodePathParam(operationId)}`, {});
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/reject/${encodePathParam(operationId)}`, {});
   }
 };
 
@@ -2996,7 +3035,56 @@ var DeploymentClient = class {
    * {@link deploy} with the pushed image tag.
    */
   async init(request) {
-    return this.http.post("/api/deployment/apps/init", request);
+    return this.http.post("/api/v3/baas/deployment/apps/init", request);
+  }
+  /**
+   * Issue ephemeral Harbor push credentials for a smart-app that ALREADY
+   * EXISTS — the MINT-FIRST / DEPLOY-LAST credentials-push call.
+   *
+   * Unlike {@link init} (which historically allocated a fresh entity), this
+   * takes the developer's pre-existing `appId` — the `SUBSCRIPTION_APP_ID`
+   * minted by `hsuite subscribe` (`appId == DKG entityId`) — and ONLY
+   * (re)provisions the per-app Harbor project + push robot. The server creates
+   * no DKG entity and no subscription; it asserts the caller owns the app and
+   * that its subscription is ACTIVE (402 otherwise) first.
+   *
+   * Returns the same `{ appId, registry }` shape as {@link init}. Single-use
+   * secret discipline applies to `registry.password` exactly as in `init`.
+   *
+   * This is the credentials path the mint-first `hsuite deploy` uses to obtain
+   * push creds for the developer's already-minted subscription app
+   * (`POST /apps/:appId/credentials/push`). The `hsuite redeploy` re-push path
+   * uses {@link reissuePushCredentials} instead, which targets a dedicated
+   * `credentials/reissue` route with stricter SUSPENDED-app + Harbor-failure
+   * handling.
+   */
+  async pushCredentials(appId) {
+    return this.http.post(
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/push`,
+      {}
+    );
+  }
+  /**
+   * Reissue ephemeral Harbor push credentials for an EXISTING app, WITHOUT
+   * allocating a new appId / entity. Unlike {@link init} — which historically
+   * forked a fresh smart-app entity (and a fresh paid subscription) on every
+   * call — this re-binds to an app the developer already owns: the `appId` is
+   * echoed back unchanged and only a new single-use `registry.password` push
+   * robot is minted. Same `{ appId, registry }` response shape as `init`.
+   *
+   * Owner-only + active-subscription gated server-side. This is the credential
+   * path `hsuite redeploy` uses so a re-push does not cost a new entity +
+   * subscription each run. Targets the dedicated
+   * `POST /apps/:appId/credentials/reissue` route (distinct from
+   * {@link pushCredentials}'s first-deploy `credentials/push`): the reissue
+   * route additionally refuses SUSPENDED apps and surfaces Harbor failures
+   * loudly rather than returning placeholder creds.
+   */
+  async reissuePushCredentials(appId) {
+    return this.http.post(
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/reissue`,
+      {}
+    );
   }
   /**
    * Step 3 (optional) — upload the SPA tarball.
@@ -3007,7 +3095,7 @@ var DeploymentClient = class {
    */
   async uploadFrontend(appId, bundle, filename = "bundle.tar.gz") {
     return this.http.upload(
-      `/api/deployment/apps/${encodePathParam(appId)}/frontend`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/frontend`,
       bundle,
       filename,
       void 0,
@@ -3021,32 +3109,32 @@ var DeploymentClient = class {
    * until `runtime.runtimeState === 'RUNNING'` for the URL to be live.
    */
   async deploy(appId, request) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/deploy`, request);
+    return this.http.post(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/deploy`, request);
   }
   /**
    * Roll back to a previously-deployed image tag (must exist in
    * `runtime.deploymentHistory[]`).
    */
   async rollback(appId, request) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/rollback`, request);
+    return this.http.post(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/rollback`, request);
   }
   /**
    * Live combined lifecycle + runtime status of an app.
    */
   async status(appId) {
-    return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}/status`);
+    return this.http.get(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/status`);
   }
   /**
    * List all deployed apps for the authenticated developer.
    */
   async list() {
-    return this.http.get("/api/deployment/apps");
+    return this.http.get("/api/v3/smart-apps");
   }
   /**
    * Get app details.
    */
   async get(appId) {
-    return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}`);
+    return this.http.get(`/api/v3/smart-apps/${encodePathParam(appId)}`);
   }
   /**
    * Update app configuration.
@@ -3056,31 +3144,31 @@ var DeploymentClient = class {
    * @returns The updated app info.
    */
   async update(appId, updates) {
-    return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}`, updates);
+    return this.http.put(`/api/v3/smart-apps/${encodePathParam(appId)}`, updates);
   }
   /**
    * Delete an app (runtime effect: namespace teardown).
    */
   async delete(appId) {
-    return this.http.delete(`/api/deployment/apps/${encodePathParam(appId)}`);
+    return this.http.delete(`/api/v3/smart-apps/${encodePathParam(appId)}`);
   }
   /**
    * Suspend an app (runtime effect: scale to zero).
    */
   async suspend(appId) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/suspend`, {});
+    return this.http.post(`/api/v3/smart-apps/${encodePathParam(appId)}/suspend`, {});
   }
   /**
    * Resume a suspended app (runtime effect: scale back up).
    */
   async resume(appId) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/resume`, {});
+    return this.http.post(`/api/v3/smart-apps/${encodePathParam(appId)}/resume`, {});
   }
   /**
    * Get deployment statistics.
    */
   async getStats() {
-    return this.http.get("/api/deployment/stats");
+    return this.http.get("/api/v3/smart-apps/stats");
   }
   /**
    * Register or update the developer-facing webhook URL for runtime
@@ -3101,7 +3189,7 @@ var DeploymentClient = class {
    * CGNAT / cloud metadata destinations (SSRF guard).
    */
   async setWebhook(appId, webhookUrl) {
-    return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}/webhook`, {
+    return this.http.put(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/webhook`, {
       webhookUrl
     });
   }
@@ -3117,7 +3205,7 @@ var DeploymentClient = class {
    * exposition format.
    */
   async getMetrics(appId) {
-    return this.http.getText(`/api/deployment/apps/${encodePathParam(appId)}/metrics`);
+    return this.http.getText(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/metrics`);
   }
   /**
    * Rotate the smart-app's tenant-secret KEK.
@@ -3128,7 +3216,7 @@ var DeploymentClient = class {
    */
   async rotateKek(appId) {
     return this.http.post(
-      `/api/deployment/apps/${encodePathParam(appId)}/credentials/rotate-kek`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/rotate-kek`,
       {}
     );
   }
@@ -3142,7 +3230,7 @@ var DeploymentClient = class {
    */
   async revokeKek(appId, version) {
     return this.http.post(
-      `/api/deployment/apps/${encodePathParam(appId)}/credentials/revoke-kek`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/revoke-kek`,
       { version }
     );
   }
@@ -3349,7 +3437,7 @@ var SmartEngineClient = class _SmartEngineClient {
   baseUrl;
   allowInsecure;
   http;
-  /** Separate HTTP client for /api/transactions (non-v3 base path) */
+  /** Separate HTTP client for /api/v3/transactions */
   txHttp;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
@@ -3410,7 +3498,7 @@ var SmartEngineClient = class _SmartEngineClient {
       timeout: config.timeout
     });
     this.txHttp = createHttpClient({
-      baseUrl: `${this.baseUrl}/api/transactions`,
+      baseUrl: `${this.baseUrl}/api/v3/transactions`,
       apiKey: config.apiKey,
       authToken: config.authToken,
       timeout: config.timeout
@@ -3744,7 +3832,17 @@ var SmartEngineClient = class _SmartEngineClient {
     return this.http.get("/status");
   }
   // ========== Messaging Operations ==========
-  /** Submit a message to consensus */
+  /**
+   * Submit a message to consensus.
+   *
+   * @deprecated Operator-funded message submission is RETIRED on the validator
+   *   under transaction sovereignty — `POST /api/v3/messages/:chain/:topicId`
+   *   now returns `403 Forbidden` (the operator must never front the chain fee
+   *   for a customer-supplied message). Use the payer-funded prepare path
+   *   instead: prepare a topic-message transaction via
+   *   `POST /api/transactions/topic/message/prepare`, then have the payer sign
+   *   and submit the returned bytes.
+   */
   async submitMessage(chain, topicId, message) {
     if (message.length > 1024 * 1024) {
       throw new SmartEngineError("Message too large (max 1MB)", 400);
@@ -4121,7 +4219,7 @@ var DatabaseClient = class {
   async insert(collection, document) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}`,
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}`,
       document
     );
   }
@@ -4139,7 +4237,7 @@ var DatabaseClient = class {
     if (options?.sort) params.set("sort", options.sort);
     const qs = params.toString();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -4148,7 +4246,7 @@ var DatabaseClient = class {
   async update(collection, documentId, updates) {
     const appId = this.getAppId();
     return this.http.put(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`,
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`,
       updates
     );
   }
@@ -4158,19 +4256,19 @@ var DatabaseClient = class {
   async delete(collection, documentId) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`
     );
   }
   /**
    * List collections for the app.
    *
-   * Server route is `/api/db/:appId/collections`
+   * Server route is `/api/v3/baas/db/:appId/collections`
    * (`database.controller.ts:106`). The previous bare-`:appId` GET 404'd
    * — Nest reserves that pattern for the document-find router below.
    */
   async listCollections() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/collections`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/collections`);
   }
   /**
    * Create a new collection in the database.
@@ -4180,7 +4278,7 @@ var DatabaseClient = class {
    */
   async createCollection(name) {
     const appId = this.getAppId();
-    return this.http.post(`/api/db/${encodePathParam(appId)}/collections`, { name });
+    return this.http.post(`/api/v3/baas/db/${encodePathParam(appId)}/collections`, { name });
   }
   /**
    * Drop a collection and all its documents.
@@ -4191,7 +4289,7 @@ var DatabaseClient = class {
   async dropCollection(name) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/db/${encodePathParam(appId)}/collections/${encodePathParam(name)}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/collections/${encodePathParam(name)}`
     );
   }
   // ========== State Proofs ==========
@@ -4200,7 +4298,7 @@ var DatabaseClient = class {
    */
   async getStateRoot() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/state/root`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/state/root`);
   }
   /**
    * Get a Merkle proof for a specific document
@@ -4208,7 +4306,7 @@ var DatabaseClient = class {
   async getDocumentProof(documentId) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(documentId)}/proof`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(documentId)}/proof`
     );
   }
   /**
@@ -4222,7 +4320,7 @@ var DatabaseClient = class {
     if (options?.limit !== void 0) params.set("limit", String(options.limit));
     const qs = params.toString();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/state/transitions${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/state/transitions${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -4230,7 +4328,7 @@ var DatabaseClient = class {
    */
   async getDbStats() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/stats`);
   }
 };
 
@@ -4247,28 +4345,28 @@ var StorageClient = class {
    */
   async upload(file, filename, metadata) {
     const appId = this.getAppId();
-    return this.http.upload(`/api/storage/${encodePathParam(appId)}/upload`, file, filename, metadata);
+    return this.http.upload(`/api/v3/baas/storage/${encodePathParam(appId)}/upload`, file, filename, metadata);
   }
   /**
    * Download a file by CID
    */
   async download(cid) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`);
   }
   /**
    * Get file metadata
    */
   async getMetadata(cid) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/metadata/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/metadata/${encodePathParam(cid)}`);
   }
   /**
    * Delete a file
    */
   async delete(cid) {
     const appId = this.getAppId();
-    return this.http.delete(`/api/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`);
+    return this.http.delete(`/api/v3/baas/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`);
   }
   /**
    * List all files for the app.
@@ -4283,21 +4381,21 @@ var StorageClient = class {
     if (pagination?.limit !== void 0) params.set("limit", String(pagination.limit));
     if (pagination?.offset !== void 0) params.set("offset", String(pagination.offset));
     const qs = params.toString();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/files${qs ? `?${qs}` : ""}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/files${qs ? `?${qs}` : ""}`);
   }
   /**
    * Get storage usage for the current app
    */
   async getUsage() {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/usage`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/usage`);
   }
   /**
    * Check if a file exists
    */
   async exists(cid) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/exists/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/exists/${encodePathParam(cid)}`);
   }
 };
 
@@ -4314,7 +4412,7 @@ var FunctionsClient = class {
    */
   async deploy(request) {
     const appId = this.getAppId();
-    return this.http.post(`/api/functions/${encodePathParam(appId)}`, request);
+    return this.http.post(`/api/v3/baas/functions/${encodePathParam(appId)}`, request);
   }
   /**
    * Invoke a function
@@ -4322,7 +4420,7 @@ var FunctionsClient = class {
   async invoke(functionId, payload) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/invoke`,
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/invoke`,
       payload ?? {}
     );
   }
@@ -4331,7 +4429,7 @@ var FunctionsClient = class {
    */
   async list() {
     const appId = this.getAppId();
-    return this.http.get(`/api/functions/${encodePathParam(appId)}`);
+    return this.http.get(`/api/v3/baas/functions/${encodePathParam(appId)}`);
   }
   /**
    * Get function details
@@ -4339,7 +4437,7 @@ var FunctionsClient = class {
   async get(functionId) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
     );
   }
   /**
@@ -4348,7 +4446,7 @@ var FunctionsClient = class {
   async update(functionId, updates) {
     const appId = this.getAppId();
     return this.http.put(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
       updates
     );
   }
@@ -4358,7 +4456,7 @@ var FunctionsClient = class {
   async delete(functionId) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
     );
   }
   /**
@@ -4372,7 +4470,7 @@ var FunctionsClient = class {
     if (options?.level) params.set("level", options.level);
     const qs = params.toString();
     return this.http.get(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/logs${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/logs${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -4380,7 +4478,7 @@ var FunctionsClient = class {
    */
   async getStats() {
     const appId = this.getAppId();
-    return this.http.get(`/api/functions/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/functions/${encodePathParam(appId)}/stats`);
   }
 };
 
@@ -4397,28 +4495,28 @@ var MessagingClient = class {
    */
   async createChannel(config) {
     const appId = this.getAppId();
-    return this.http.post(`/api/messaging/${encodePathParam(appId)}/channels`, config);
+    return this.http.post(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels`, config);
   }
   /**
    * Delete a channel
    */
   async deleteChannel(channelId) {
     const appId = this.getAppId();
-    return this.http.delete(`/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
+    return this.http.delete(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
   }
   /**
    * Get a channel by ID
    */
   async getChannel(channelId) {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
   }
   /**
    * List all channels for the app
    */
   async listChannels() {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/channels`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels`);
   }
   /**
    * Publish a message to a channel
@@ -4426,7 +4524,7 @@ var MessagingClient = class {
   async publish(channel, message, metadata) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/publish`,
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/publish`,
       { data: message, metadata }
     );
   }
@@ -4441,7 +4539,7 @@ var MessagingClient = class {
     if (options?.after) params.set("after", options.after);
     const qs = params.toString();
     return this.http.get(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/history${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/history${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -4455,7 +4553,7 @@ var MessagingClient = class {
   async setPresence(channel, member) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`,
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`,
       member
     );
   }
@@ -4463,7 +4561,7 @@ var MessagingClient = class {
    * Remove a member's presence from a channel.
    *
    * BREAKING CHANGE (SDK 3.3.0): server route is
-   * `/api/messaging/:appId/channels/:channel/presence/:clientId`
+   * `/api/v3/baas/messaging/:appId/channels/:channel/presence/:clientId`
    * (`messaging.controller.ts:352`). `channel` is now the first arg and
    * `clientId` (not `memberId`) the second — they're the same identifier
    * but renamed to match the server param.
@@ -4471,7 +4569,7 @@ var MessagingClient = class {
   async removePresence(channel, clientId) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence/${encodePathParam(clientId)}`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence/${encodePathParam(clientId)}`
     );
   }
   /**
@@ -4480,7 +4578,7 @@ var MessagingClient = class {
   async getPresence(channel) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`
     );
   }
   /**
@@ -4488,7 +4586,7 @@ var MessagingClient = class {
    */
   async getStats() {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/stats`);
   }
 };
 
@@ -4504,21 +4602,21 @@ var CustomerSessionClient = class {
    * Step 1: ask the host to issue a fresh challenge for the customer to sign.
    */
   async challenge(input) {
-    return this.fetch("POST", "/api/customer-session/challenge", input);
+    return this.fetch("POST", "/api/v3/baas/customer-session/challenge", input);
   }
   /**
    * Step 2: submit the customer's signed challenge. On success returns a
    * short-lived bearer JWT scoped to {appId, chain, address}.
    */
   async verify(req) {
-    return this.fetch("POST", "/api/customer-session/verify", req);
+    return this.fetch("POST", "/api/v3/baas/customer-session/verify", req);
   }
   /**
    * Validate a customer bearer + return the decoded session info. Used by
    * smart-app backends to authorise incoming customer requests.
    */
   async validate(bearer) {
-    return this.fetch("GET", "/api/customer-session/validate", void 0, bearer);
+    return this.fetch("GET", "/api/v3/baas/customer-session/validate", void 0, bearer);
   }
   /**
    * Revoke a customer session. Idempotent.
@@ -4526,7 +4624,7 @@ var CustomerSessionClient = class {
   async end(bearer) {
     return this.fetch(
       "POST",
-      "/api/customer-session/end",
+      "/api/v3/baas/customer-session/end",
       void 0,
       bearer
     );
@@ -4572,15 +4670,15 @@ var RulesClient = class {
   http;
   /** Publish a canonical ValidatorRules document to HCS. */
   async publish(rule) {
-    return this.http.post("/api/rules/publish", rule);
+    return this.http.post("/api/v3/baas/rules/publish", rule);
   }
   /** Fetch a published rule by its HCS consensus timestamp. */
   async get(consensusTimestamp) {
-    return this.http.get(`/api/rules/${encodePathParam(consensusTimestamp)}`);
+    return this.http.get(`/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}`);
   }
   /** List rules owned by the authenticated entity, optionally filtered by type. */
   async listByOwner(filter) {
-    const path = filter?.type ? `/api/rules?type=${encodeURIComponent(filter.type)}` : "/api/rules";
+    const path = filter?.type ? `/api/v3/baas/rules?type=${encodeURIComponent(filter.type)}` : "/api/v3/baas/rules";
     return this.http.get(path);
   }
   /**
@@ -4588,44 +4686,332 @@ var RulesClient = class {
    * `ruleRef` (published) or `rule` (inline) must be supplied by the caller.
    */
   async simulate(params) {
-    return this.http.post("/api/rules/simulate", params);
+    return this.http.post("/api/v3/baas/rules/simulate", params);
   }
   /** Walk the version history of a published rule. */
   async getVersionHistory(consensusTimestamp) {
     return this.http.get(
-      `/api/rules/${encodePathParam(consensusTimestamp)}/versions`
+      `/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}/versions`
     );
   }
   /** Deprecate a published rule (owner-only). */
   async deprecate(consensusTimestamp) {
     return this.http.post(
-      `/api/rules/${encodePathParam(consensusTimestamp)}/deprecate`,
+      `/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}/deprecate`,
       {}
     );
   }
 };
 
 // src/baas/entities/client.ts
-var EntitiesClient = class {
+var EntitiesClient = class _EntitiesClient {
   constructor(http) {
     this.http = http;
   }
   http;
-  /** Create a canonical token entity bound to a published rule. */
+  /**
+   * Chains whose token-create routes through the payer-funded 3-step (prepare →
+   * fund → execute), mirroring `createAccount`. Hedera = real HTS TokenCreate
+   * (admin/supply = the per-entity DKG slot-pubkey KeyList; treasury = the
+   * entity's own account; `0.0.X` token id is network-assigned, resolved from the
+   * receipt via the threaded `createTxId`). Cardano/Solana/Polkadot = the
+   * AUTHORITY entity (the entity IS the policy/mint/Assets-admin multisig — same
+   * address as an account; the asset MINT itself is a later operate-tab payer
+   * call). XRPL/Stellar token = an ISSUER ACCOUNT (reuses the account preparer) +
+   * issuer flags set at finalize: XRPL relays the funding Payment then finalizes
+   * (issuer-flag AccountSets + SignerListSet + disable-master); Stellar relays the
+   * CreateAccount then finalizes (SetOptions install incl. issuer setFlags +
+   * master lock). Every OTHER chain (EVM) stays on the legacy synchronous path.
+   */
+  static PAYER_FUNDED_TOKEN_CHAINS = /* @__PURE__ */ new Set([
+    "hedera",
+    "cardano",
+    "solana",
+    "polkadot",
+    "xrpl",
+    "stellar"
+  ]);
+  /**
+   * PREPARE half of the payer-funded token-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create` with `entityType: 'token'`. The cluster
+   * runs the per-entity DKG, builds the payer-funded create (Hedera: TokenCreate
+   * keyed by the slot-pubkey KeyList with the entity account as treasury;
+   * Cardano/Solana/Polkadot: funds/provisions the authority multisig), and returns
+   * the prepared blob. The prepared `transactionId` is the `createTxId` for
+   * execute (Hedera).
+   */
+  async prepareCreateToken(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "token",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded token-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/execute-create` with `entityType: 'token'`. For Hedera,
+   * pass `createTxId` (the prepared create's `transactionId`) so the validator
+   * resolves the network-assigned `0.0.X` token id from the receipt and stamps
+   * `chainAccounts.hedera`. For the authority-entity chains (cardano/solana/
+   * polkadot) execute just verifies the binding and echoes the stamped authority
+   * address (no `createTxId` needed).
+   */
+  async executeCreateToken(req) {
+    const { createTxId, signedFundingBlob, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...rest,
+      ...createTxId !== void 0 ? { createTxId } : {},
+      ...signedFundingBlob !== void 0 ? { signedFundingBlob } : {},
+      entityType: "token"
+    });
+  }
+  /**
+   * Create a canonical token entity bound to a published rule.
+   *
+   * Dispatches by `chain` (mirrors `createAccount`):
+   *  - **Hedera / Cardano / Solana / Polkadot** = payer-funded 3-step (prepare →
+   *    caller funds via `fundWith` → execute). Hedera resolves the network-assigned
+   *    `0.0.X` token id from the receipt (threads `createTxId`); the authority-
+   *    entity chains verify/echo the stamped authority address. `fundWith` is
+   *    REQUIRED; to drive the steps manually call `prepareCreateToken` /
+   *    `executeCreateToken` directly.
+   *  - **XRPL / Stellar** = payer-funded too (account-model issuer): `fundWith`
+   *    REQUIRED; the caller's signed funding blob is RELAYED to the validator,
+   *    which submits it then finalizes the issuer multisig (master-locked). NO
+   *    issuer flags are set at create — issuer auth flags / DefaultRipple / clawback
+   *    are an operate-tab, rules-validated concern.
+   *  - **EVM / other** = legacy synchronous `POST /api/v3/baas/entities/createToken`
+   *    (payer-funded-only fields ignored) until it migrates.
+   */
   async createToken(req) {
-    return this.http.post("/api/entities/createToken", req);
+    if (_EntitiesClient.PAYER_FUNDED_TOKEN_CHAINS.has(req.chain)) {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateToken(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          `createToken(${req.chain}): pass fundWith (sign+submit the prepared create tx), or call prepareCreateToken/executeCreateToken directly`
+        );
+      }
+      const funded = await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      return this.executeCreateToken({
+        entityId: prep.entityId,
+        chain: req.chain,
+        securityMode: req.securityMode,
+        signedFundingBlob: _EntitiesClient.FUNDING_BLOB_RELAY_CHAINS.has(req.chain) ? funded?.signedFundingBlob : void 0,
+        createTxId: req.chain === "hedera" ? prep.prepared?.[0]?.transactionId : void 0
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createToken", legacyReq);
   }
-  /** Create a canonical account entity bound to a published rule. */
+  /**
+   * PREPARE half of the payer-funded account-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create`. The cluster runs the per-entity DKG
+   * (persists the binding, submits nothing on-chain) and returns the unsigned
+   * payer-funding `Payment`(s) the caller signs + submits with their own wallet.
+   */
+  async prepareCreateAccount(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "account",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded account-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/execute-create`. The entity already exists (its DKG
+   * ran during prepare); pass `signedFundingBlob` for the validator to submit
+   * the payer's signed funding `Payment` (XRPL only), or omit it when the caller
+   * already submitted the funding tx themselves (then execute just finalizes /
+   * verifies).
+   *
+   * `createTxId` is the HEDERA thread: a Hedera AccountCreate gets its
+   * network-assigned `0.0.X` id only from the on-chain receipt after the payer
+   * submits. The caller threads the prepared create's `transactionId` (from
+   * `prepared[0].transactionId`) back here so the validator resolves the id from
+   * the receipt server-side. Ignored for non-Hedera chains.
+   */
+  async executeCreateAccount(req) {
+    const { createTxId, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...rest,
+      ...createTxId !== void 0 ? { createTxId } : {}
+    });
+  }
+  /**
+   * Chains whose account-create routes through the payer-funded 3-step
+   * (prepare → fund → execute). All are ledgers where the validators never pay:
+   * XRPL funds a reserve; Bitcoin funds a P2WSH UTXO; Cardano funds a
+   * native-script enterprise address above min-UTXO; Polkadot funds a
+   * pallet_multisig SS58 above the existential deposit; Solana funds a Squads
+   * multisig PDA (deterministic from the createKey) via a payer-paid
+   * `multisigCreateV2` — the payer's submission IS the create (no separate
+   * finalizer). Hedera is create-WITH-KEY: the payer submits an AccountCreate
+   * whose controlling key is the per-entity DKG slot-pubkey KeyList, so the
+   * payer's submit IS the create; its `0.0.X` id is network-assigned (resolved
+   * from the receipt at execute-create via the threaded `createTxId`). Stellar is
+   * account-MODEL (like XRPL): the payer funds the entity's slot-0 `G...` master
+   * via a CreateAccount, the validator RELAYS the signed funding blob, then
+   * execute-create finalizes on-chain (threshold-signs a SetOptions installing
+   * the validator chain-key multisig + locking the master). EVM stays on the
+   * legacy synchronous create until it migrates.
+   */
+  static PAYER_FUNDED_CREATE_CHAINS = /* @__PURE__ */ new Set([
+    "xrpl",
+    "bitcoin",
+    "cardano",
+    "polkadot",
+    "solana",
+    "hedera",
+    "stellar"
+  ]);
+  /**
+   * Chains whose execute-create RELAYS the payer's signed funding blob for the
+   * validator to submit (then finalizes on-chain). Both are account-model ledgers
+   * with a validator-side finalize step: XRPL (SignerListSet + disable-master),
+   * Stellar (SetOptions install + master lock). Every OTHER payer-funded chain
+   * has the PAYER submit the funding tx directly with their own wallet — their
+   * execute-create REJECTS a non-undefined `signedFundingBlob` (400), so the blob
+   * is omitted for them.
+   */
+  static FUNDING_BLOB_RELAY_CHAINS = /* @__PURE__ */ new Set(["xrpl", "stellar"]);
+  /**
+   * Create a canonical account entity bound to a published rule.
+   *
+   * Dispatches by `chain`:
+   *  - **XRPL / Stellar / Bitcoin / Cardano / Polkadot / Solana / Hedera** =
+   *    payer-funded 3-step (prepare → fund → execute). The cluster runs the
+   *    per-entity DKG and returns the unsigned payer-funding tx(s); the
+   *    caller-supplied `fundWith` callback signs + submits (or just signs) the
+   *    funding tx with their OWN wallet — the SDK never holds the customer's chain
+   *    key nor opens a network connection — then `executeCreateAccount` finalizes
+   *    (XRPL + Stellar finalize on-chain after relaying the funding blob; the
+   *    deterministic ledgers + Solana verify/stamp the binding; Hedera resolves
+   *    the network-assigned id from the receipt). `fundWith` is REQUIRED on these
+   *    chains; to drive the steps manually call `prepareCreateAccount` /
+   *    `executeCreateAccount` directly.
+   *  - **other chains** (EVM) = legacy synchronous create — a single
+   *    `POST /api/v3/baas/entities/createAccount`, unchanged from pre-3.9.0. These chains
+   *    migrate to the payer-funded flow in a later phase; until then the
+   *    payer-funded-only fields (`fundWith` / `payerAccountId` / `securityMode`)
+   *    are ignored.
+   */
   async createAccount(req) {
-    return this.http.post("/api/entities/createAccount", req);
+    if (_EntitiesClient.PAYER_FUNDED_CREATE_CHAINS.has(req.chain)) {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateAccount(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          `createAccount(${req.chain}): pass fundWith (sign+submit the prepared funding tx), or call prepareCreateAccount/executeCreateAccount directly`
+        );
+      }
+      const funded = await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      return this.executeCreateAccount({
+        entityId: prep.entityId,
+        chain: req.chain,
+        securityMode: req.securityMode,
+        signedFundingBlob: _EntitiesClient.FUNDING_BLOB_RELAY_CHAINS.has(req.chain) ? funded?.signedFundingBlob : void 0,
+        createTxId: req.chain === "hedera" ? prep.prepared?.[0]?.transactionId : void 0
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createAccount", legacyReq);
+  }
+  /**
+   * PREPARE half of the payer-funded topic-create flow (Hedera).
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create` with `entityType: 'topic'`. The cluster
+   * runs the per-entity DKG (persists the binding), builds the payer-funded
+   * TopicCreate keyed by the slot-pubkey KeyList, attaches the validator admin
+   * threshold sig, and returns the prepared blob for the caller to add the fee
+   * sig + submit. The prepared `transactionId` is the `createTxId` for execute.
+   */
+  async prepareCreateTopic(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "topic",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded topic-create flow (Hedera).
+   *
+   * POSTs `/api/v3/baas/entities/execute-create` with `entityType: 'topic'`. The topic
+   * already exists once the payer submitted the create tx; pass `createTxId` (the
+   * prepared create's `transactionId`) so the validator resolves the network-
+   * assigned `0.0.X` topic id from the receipt and stamps `chainAccounts.hedera`.
+   */
+  async executeCreateTopic(req) {
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...req,
+      entityType: "topic"
+    });
   }
-  /** Create a canonical topic entity bound to a published rule. */
+  /**
+   * Create a canonical topic entity bound to a published rule.
+   *
+   * Dispatches by `chain`:
+   *  - **Hedera** = payer-funded 3-step (prepare → caller submits the TopicCreate
+   *    via `fundWith` → execute resolves the `0.0.X` topic id from the receipt).
+   *    `fundWith` is REQUIRED; to drive the steps manually call
+   *    `prepareCreateTopic` / `executeCreateTopic` directly.
+   *  - **other chains** = legacy synchronous `POST /api/v3/baas/entities/createTopic`
+   *    (topics are a Hedera primitive; the legacy path is unchanged).
+   */
   async createTopic(req) {
-    return this.http.post("/api/entities/createTopic", req);
+    if (req.chain === "hedera") {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateTopic(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          "createTopic(hedera): pass fundWith (sign+submit the prepared TopicCreate), or call prepareCreateTopic/executeCreateTopic directly"
+        );
+      }
+      await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      const createTxId = prep.prepared?.[0]?.transactionId;
+      if (!createTxId) {
+        throw new Error(
+          "createTopic(hedera): prepared TopicCreate carries no transactionId \u2014 cannot resolve the topic id from the receipt"
+        );
+      }
+      return this.executeCreateTopic({
+        entityId: prep.entityId,
+        chain: req.chain,
+        createTxId,
+        securityMode: req.securityMode
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createTopic", legacyReq);
   }
   /** Create a canonical agent entity bound to a published rule. */
   async createAgent(req) {
-    return this.http.post("/api/entities/createAgent", req);
+    return this.http.post("/api/v3/baas/entities/createAgent", req);
   }
   /**
    * Mega-helper: build a token rule with a launchpad ModuleEntry attached,
@@ -4633,15 +5019,15 @@ var EntitiesClient = class {
    * round-trip.
    */
   async launchpad(req) {
-    return this.http.post("/api/entities/launchpad", req);
+    return this.http.post("/api/v3/baas/entities/launchpad", req);
   }
   /** Fetch an entity by its canonical `entityId`. */
   async get(entityId) {
-    return this.http.get(`/api/entities/${encodePathParam(entityId)}`);
+    return this.http.get(`/api/v3/baas/entities/${encodePathParam(entityId)}`);
   }
   /** List entities owned by the authenticated wallet, optionally filtered by type. */
   async listByOwner(filter) {
-    const path = filter?.type ? `/api/entities?type=${encodeURIComponent(filter.type)}` : "/api/entities";
+    const path = filter?.type ? `/api/v3/baas/entities?type=${encodeURIComponent(filter.type)}` : "/api/v3/baas/entities";
     return this.http.get(path);
   }
 };
@@ -4654,6 +5040,13 @@ var BaasClient = class _BaasClient {
   timeout;
   allowInsecure;
   http;
+  /**
+   * Validator-routed HTTP client for the `/api/v3/transactions/*` prepare/execute
+   * surface — a SIBLING of `/host`, NOT under the `pathPrefix`. Rooted at the
+   * raw gateway/ingress origin (`hostUrl`) so transactions reach the validator
+   * even when BaaS traffic is gateway-routed at `/host/*`.
+   */
+  txHttp;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
   /**
@@ -4682,6 +5075,14 @@ var BaasClient = class _BaasClient {
   rules;
   /** Canonical entity authoring surface (token/account/topic/agent + launchpad). */
   entities;
+  /**
+   * Validator-routed transaction prepare/execute (sovereignty model). The
+   * prepare endpoints accept an explicit `payerAccountId` for the session-less
+   * payer path, OR carry the web3-auth session token for the JWT-wallet payer
+   * path (kept in sync with the main client's token — see {@link authenticate}).
+   * Targets `/api/v3/transactions/*`, a sibling of the `/host` BaaS surface.
+   */
+  transactions;
   constructor(config) {
     this.allowInsecure = config.allowInsecure ?? false;
     this.hostUrl = validateUrl2(config.hostUrl, this.allowInsecure);
@@ -4695,7 +5096,12 @@ var BaasClient = class _BaasClient {
       timeout: this.timeout,
       // Transparent session refresh: on a 401, re-run the challenge-response
       // with the retained signer and retry once. No-op until authenticate() has
-      // been called (authContext set). Excludes /api/auth/* (see http client).
+      // been called (authContext set). Excludes /api/v3/{,baas/}auth/* (see http client).
+      onUnauthorized: () => this.reauthenticate()
+    });
+    this.txHttp = createHttpClient({
+      baseUrl: `${this.hostUrl.replace(/\/$/, "")}/api/v3/transactions`,
+      timeout: this.timeout,
       onUnauthorized: () => this.reauthenticate()
     });
     const getAppId = () => this.requireAppId();
@@ -4708,6 +5114,7 @@ var BaasClient = class _BaasClient {
     this.customerSession = new CustomerSessionClient(baseUrlWithPrefix, this.timeout);
     this.rules = new RulesClient(this.http);
     this.entities = new EntitiesClient(this.http);
+    this.transactions = new TransactionsClient(this.txHttp);
   }
   /**
    * Connect to the Smart Engines BaaS via cluster auto-discovery.
@@ -4835,7 +5242,7 @@ var BaasClient = class _BaasClient {
     this.authContext = options;
     let challenge;
     try {
-      challenge = await this.http.post("/api/auth/challenge", {
+      challenge = await this.http.post("/api/v3/baas/auth/challenge", {
         chain,
         walletAddress,
         appId: this.appId
@@ -4846,7 +5253,7 @@ var BaasClient = class _BaasClient {
     const signature = await signFn(challenge.message);
     let result;
     try {
-      result = await this.http.post("/api/auth/verify", {
+      result = await this.http.post("/api/v3/baas/auth/verify", {
         challengeId: challenge.challengeId,
         signature,
         publicKey
@@ -4855,6 +5262,7 @@ var BaasClient = class _BaasClient {
       throw asBaasError(err);
     }
     this.http.setAuthToken(result.token);
+    this.txHttp.setAuthToken(result.token);
     return result;
   }
   /**
@@ -4862,30 +5270,31 @@ var BaasClient = class _BaasClient {
    * session token. Invoked by the http client's `onUnauthorized` hook when a
    * request 401s because the token expired — so long-lived clients keep working
    * without the caller re-implementing refresh. No-op if {@link authenticate}
-   * was never called. The `/api/auth/*` calls below are excluded from the http
+   * was never called. The `/api/v3/baas/auth/*` calls below are excluded from the http
    * client's 401-retry path, so this can never recurse.
    */
   async reauthenticate() {
     const ctx = this.authContext;
     if (!ctx) return;
-    const challenge = await this.http.post("/api/auth/challenge", {
+    const challenge = await this.http.post("/api/v3/baas/auth/challenge", {
       chain: ctx.chain,
       walletAddress: ctx.walletAddress,
       appId: this.appId
     });
     const signature = await ctx.signFn(challenge.message);
-    const result = await this.http.post("/api/auth/verify", {
+    const result = await this.http.post("/api/v3/baas/auth/verify", {
       challengeId: challenge.challengeId,
       signature,
       publicKey: ctx.publicKey
     });
     this.http.setAuthToken(result.token);
+    this.txHttp.setAuthToken(result.token);
   }
   /** Validate the current session */
   async validateSession() {
     this.requireAuth();
     try {
-      return await this.http.get("/api/auth/session");
+      return await this.http.get("/api/v3/baas/auth/session");
     } catch (err) {
       throw asBaasError(err);
     }
@@ -4894,11 +5303,12 @@ var BaasClient = class _BaasClient {
   async logout() {
     if (this.http.getAuthToken()) {
       try {
-        await this.http.post("/api/auth/logout", {});
+        await this.http.post("/api/v3/baas/auth/logout", {});
       } catch {
       }
     }
     this.http.setAuthToken(void 0);
+    this.txHttp.setAuthToken(void 0);
   }
   // ========== HTTP Helpers ==========
   requireAuth() {